Australian and US governmental agencies and Citrix this week issued fresh warnings on the exploitation of a critical NetScaler product vulnerability.
Tracked as CVE-2023-4966 (CVSS score of 9.4) and referred to as CitrixBleed, the unauthenticated bug leads to information disclosure. It impacts NetScaler ADC and Gateway appliances that are configured as a gateway or an AAA server.
Patched in October, the flaw had been exploited as a zero-day since August, and mass exploitation started roughly three weeks ago, around the same time that a proof-of-concept (PoC) exploit and a technical writeup were published.
In late October, the tech giant warned that threat actors were exploiting the issue to perform session hijacking, completely bypassing authentication, including MFA protections.
On Monday, Citrix urged administrators to apply the available patches as soon as possible, citing “a sharp increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs” and reports that the LockBit ransomware gang has started exploiting it.
An alert on LockBit targeting CitrixBleed also came on Tuesday from the US cybersecurity agency CISA, the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Cyber Security Centre (ACSC).
“Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” the governmental agencies warn.
LockBit, the four agencies say, exploited CitrixBleed to gain initial access to Boeing Distribution Inc., the parts and distribution subsidiary of aeronautical giant Boeing.
Armed with valid cookies obtained by exploiting CVE-2023-4966, the LockBit affiliates then established an authenticated session with the appliance, which allowed them to execute a PowerShell script for malware deployment.
“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” the agencies note.
In their alert, CISA, FBI, MS-ISAC, and ACSC provide a list of indicators of compromise (IoCs) associated with the LockBit attack on Boeing, recommending hunting for evidence of compromise and urging immediate patching.
Administrators are advised to update to NetScaler ADC and Gateway versions 14.1-8.50, 13.1-49.15, 13.0-92.19, and NetScaler ADC 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300, which address the vulnerability.
Because the session cookies persist in memory, threat actors can retrieve and reuse them even after the update. After the upgrade, administrators should therefore remove all active and persistent sessions to ensure the flaw is fully mitigated – Citrix has provided detailed information on how this can be done.
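As an added example (not from the article or from Citrix), the following script checks a fleet inventory against the fixed builds listed above and reports appliances that still need the upgrade; the version-string format "branch-build" with an optional FIPS/NDcPP variant, and the sample hostnames, are assumptions.

```python
"""Flag NetScaler ADC/Gateway appliances still below the CVE-2023-4966 fixed builds.

Fixed builds are the ones named in the article. The accepted input format
("13.1-49.15", "12.1-FIPS-55.300") is an assumption; adapt parse_version()
to whatever your inventory or `show version` output actually records.
"""
import re

# Minimum fixed build per (branch, variant), as listed in the article.
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(?:(FIPS|NDcPP)-)?(\d+)\.(\d+)$")


def parse_version(text):
    """Split 'branch[-VARIANT]-major.minor' into (branch, variant, (major, minor))."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, variant, major, minor = match.groups()
    return branch, variant or "", (int(major), int(minor))


def is_fixed(version):
    """True if the build is at or above the fixed build for its branch/variant.
    A branch/variant with no listed fix is reported as not fixed."""
    branch, variant, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    return fixed is not None and build >= fixed


def needs_patch(inventory):
    """inventory: {hostname: version string}. Returns hosts still exposed, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver))


# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = {
    "gw-01.example.test": "13.1-49.15",       # exactly the fixed build
    "gw-02.example.test": "13.1-48.47",       # older build on a fixed branch
    "gw-03.example.test": "14.1-8.50",
    "gw-04.example.test": "13.0-91.13",
    "gw-05.example.test": "12.1-FIPS-55.300",
    "gw-06.example.test": "12.1-65.25",       # no fix listed for 12.1 non-FIPS
}

if __name__ == "__main__":
    for host in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade, then kill all sessions")
```

Patching alone is not the end of the procedure: hosts that pass this check still need their active and persistent sessions terminated, as the article notes.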