Mass Exploitation of Citrix NetScaler Vulnerability

A critical information disclosure vulnerability, known as “Citrix Bleed” and affecting Citrix NetScaler ADC/Gateway devices, is being actively exploited by threat actors. The vulnerability, tracked as CVE-2023-4966, is remotely exploitable and can allow threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. The compromised tokens can be used to hijack active sessions, bypassing authentication (even multi-factor authentication, MFA) to gain unauthorized access.
Citrix initially addressed the vulnerability in a security advisory on October 10, and on October 17, researchers determined that threat actors have exploited the vulnerability since at least August 2023. A Python script to automate the attack chain has been distributed by a ransomware threat group and attacks have become more widespread over the past several days.
Organizations are highly advised to update impacted devices and ensure accounts and devices have not been compromised.
Initial indicators of compromise may include the downloading of executable files from a command-and-control server, running commands consistent with elevating privileges and network enumeration, and preparing files for exfiltration.
Organizations whose Citrix devices were compromised are advised to remove impacted devices from the network, terminate all active sessions, and remove any backdoors or web shells to ensure all threat actor access to the device has been disabled; simply updating the system is insufficient. Mandiant provides guidance on addressing Citrix NetScaler ADC and NetScaler Gateway vulnerabilities.
Affected Citrix devices include:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
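Because the affected ranges above are keyed by branch (and the FIPS/NDcPP branches have different fixed builds from the mainline branches), checking an inventory by hand is error-prone. The script below is an added example, not code from Citrix, Mandiant or this advisory: it encodes the fixed builds listed above and flags any build on the same branch that is lower than the fix. The inventory records and the `NS13.1: Build 49.13.nc` version-line format it parses are constructed for the example and are assumptions, not something this page documents.

```python
"""Triage NetScaler ADC/Gateway builds against the CVE-2023-4966 fixed builds.

Added example (not from the advisory). Fixed builds are taken from the
affected-version list above; everything else here is constructed.
"""
import re
from typing import List, Optional, Tuple

# First fixed build per branch, as listed in the advisory. A build on the same
# branch that sorts lower than the fixed build is affected.
FIXED_BUILDS = {
    "14.1": "14.1-8.50",
    "13.1": "13.1-49.15",
    "13.0": "13.0-92.19",
    "13.1-FIPS": "13.1-37.164",
    "12.1-FIPS": "12.1-55.300",
    "12.1-NDcPP": "12.1-55.300",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed shape of a version line such as "NS13.1: Build 49.13.nc"; the
# regex is deliberately loose and the format itself is an assumption.
_VERSION_LINE_RE = re.compile(r"NS(\d+\.\d+)[:\s]+Build\s+(\d+\.\d+)")


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn '13.1-49.13' into (13, 1, 49, 13) so builds compare numerically."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    major, minor, build_major, build_minor = (int(x) for x in m.groups())
    return (major, minor, build_major, build_minor)


def build_from_version_line(line: str) -> str:
    """Convert an assumed 'NS13.1: Build 49.13.nc' line into '13.1-49.13'."""
    m = _VERSION_LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return f"{m.group(1)}-{m.group(2)}"


def is_affected(branch: str, build: str) -> Optional[bool]:
    """True if the build is affected, False if fixed, None if the branch is
    not in the advisory's table (treat None as 'investigate', not 'safe')."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    b, f = parse_build(build), parse_build(fixed)
    if b[:2] != f[:2]:
        # e.g. a 13.0 build reported under the 13.1 branch: inventory error
        raise ValueError(f"build {build} does not belong to branch {branch}")
    return b < f


def triage_inventory(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, branch, version_line) records to (host, status) for review."""
    results = []
    for host, branch, version_line in records:
        build = build_from_version_line(version_line)
        verdict = is_affected(branch, build)
        status = {True: "AFFECTED", False: "fixed", None: "unknown-branch"}[verdict]
        results.append((host, status))
    return results


# Constructed sample inventory: hostnames, branches and version lines are
# invented for the example.
SAMPLE_INVENTORY = [
    ("gw-eu-1", "13.1", "NS13.1: Build 49.13.nc"),
    ("gw-eu-2", "13.1", "NS13.1: Build 49.15.nc"),
    ("adc-fips-1", "13.1-FIPS", "NS13.1: Build 37.159.nc"),
    ("adc-legacy", "12.1", "NS12.1: Build 65.39.nc"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Note that a FIPS device reports the same `NS13.1` prefix as a mainline 13.1 device, so the branch has to come from the inventory rather than the version line; that is why `is_affected` takes the branch explicitly. A verdict of `None` means the branch is outside the advisory's table and should be reviewed separately, not assumed patched.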
GreyNoise maintains a running list of malicious IP addresses involved in the recent exploitation of Citrix NetScaler devices, which could be useful for network defenders and forensic analysts.