Security teams have raised the alarm as the Citrix Bleed vulnerability, a critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, is now being exploited on a large scale. Thousands of Citrix NetScaler instances remain exposed to this threat, and the situation is concerning.
As of October 30, security organization Shadowserver identified over 5,000 vulnerable servers on the public internet. Additionally, GreyNoise observed 137 individual IP addresses attempting to exploit the Citrix vulnerability in the past week.
Citrix acknowledged the issue and released a patch for the flaw, known as CVE-2023-4966, on October 10. However, merely applying the patch and rebooting the system isn’t sufficient, as session tokens continue to pose a risk. Experts warn that session tokens can be exploited even after patching, emphasizing the severity of the problem.
The “mass exploitation” of this vulnerability has attracted the attention of at least two ransomware gangs, as of October 30. These criminals are distributing a Python script to automate the attack process, making it a significant threat. Essentially, this situation exposes a vulnerability reminiscent of 1998 in remote access solutions, and attackers are collecting session tokens like prized possessions.
Security firm Mandiant revealed that it is currently tracking four separate groups exploiting the vulnerability in various sectors, including legal and professional services, tech, and government agencies across regions such as the Americas, Europe, Middle East, Africa, and Asia-Pacific. The exploitation is widespread and affects numerous sectors.
Mandiant identified various ways to check for exploitation within organizations’ networks. However, it’s crucial to understand that patterns of suspicious activity related to session hijacking may vary from one organization to another. Therefore, the outlined techniques might not be universally applicable or feasible.
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. However, the vulnerability is still listed as “unknown” in the “used in ransomware campaigns” category, despite ongoing exploitation.
Criminals have been exploiting this vulnerability since late August, initially limited to cyber espionage. Mandiant Consulting CTO Charles Carmakal anticipates that other threat actors with financial motivations will increasingly exploit this flaw over time, highlighting the urgency of addressing the situation.
Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…
Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…
Discover the top 11 log management tools for efficient system management and monitoring. Learn about…
Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…
Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…
Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…