Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Cyber Security Threat Summary:
Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances. Despite security patches being released by the vendor, thousands of Citrix NetScaler ADC and Gateway instances remain unpatched.

Security Officer Comments:
Exploitation activity was initiated after researchers at Assetnote published a technical write-up of the vulnerability as well as a proof-of-concept exploit. According to security researcher Kevin Beaumont, attackers were observed over the weekend stealing session tokens of over 20,000 exploited NetScaler servers. Furthermore, based on data from Greynoise, over 158 unique IP addresses have been observed targeting vulnerable instances in the past 10 days, indicating that many threat actors are taking this opportunity to launch attacks.

Suggested Correction(s):
Approximately half of NetScaler customers have yet to secure their instances, the majority of which reside in the telecommunications, electric, and food sectors. Organizations should refer to Citrix’s advisory and apply the necessary security updates as soon as possible to deter potential exploitation attempts.

Beaumont has published a scanner to help identify vulnerable NetScaler servers which can be accessed below: