Menu

Threat Advisory

Ransomware gangs are actively exploiting the Citrix Bleed vulnerability Citrix NetScaler ADC and NetScaler Gateway

December 15, 2023 | By Accorian

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other international agencies warn that ransomware gangs are actively exploiting the Citrix Bleed vulnerability. This can potentially affect organizations that use Citrix NetScaler ADC and NetScaler Gateway.

Review the security advisory below and take action accordingly:

OVERVIEW:

  • CISA and other partner agencies are responding to active, targeted exploitation of a vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway. The vulnerability is also known as Citrix Bleed. The affected products contain a buffer overflow vulnerability that discloses sensitive information when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.
  • Affiliates of at least two ransomware groups, LockBit and Medusa, have exploited Citrix Bleed as part of attacks against organizations. Both are globally significant and ranked first and sixth most active groups.
  • Exploiting this vulnerability could disclose sensitive information, including session authentication token information that may allow a threat actor to “hijack” a user’s session. 

TECHNICAL DETAILS:

  • On Oct. 10, 2023, Citrix released security updates to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.
  • On Oct. 17, Citrix updated its Alert to include “Exploits of CVE-2023-4966 on unmitigated appliances have been observed.”
  • On Oct. 18, CISA added an entry for CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966.
  • On Oct. 23, Citrix released a blog, providing recommended next steps and a link to Mandiant’s Oct. 17 guidance for remediating and reducing risks related to CVE-2023-4966: Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966).

CISA urges organizations to update unmitigated appliances to the versions listed below, hunt for malicious activity, and report any positive findings to CISA:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

MITIGATION:

Citrix strongly recommends users of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

• Cloud Software Group has published a related blog at

https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/ , which contains a further context.

• Cloud Software Group has published an additional blog at https://www.netscaler.com/blog/news/netscaler-investigation-recommendations-for-cve-2023-4966/ with recommendations for investigating this vulnerability.

ACCORIAN’S vCISO ADVICE: 

Besides patching, I encourage organizations to assess Citrix software and their systems for evidence of compromise and to hunt for malicious activity. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software and install malicious code.

HOW TO AVOID RANSOMWARE: 

  • Block Common Forms of Entry: Create a plan for quickly patching vulnerabilities in internet-facing systems; disable or harden remote access like RDP and VPNs.
  • Prevent Intrusions: Stop threats early before they infiltrate or infect your endpoints. Use endpoint security software to prevent exploits and malware to deliver ransomware. 
  • Detect Intrusions: Make it more challenging for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop Malicious Encryption: Deploy Endpoint Detection and Response software that uses multiple detection techniques to identify ransomware and ransomware rollback to restore damaged system files. 
  • Create Offsite, Offline Backups: Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly. 
  • Don’t Get Attacked Twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their entry methods to avoid being attacked again.

For any further assistance, kindly reach out to us on info@accorian.com

Threat Advisory

Team Accorian

Recent Post

Article

CVE-2024-23897: Check Critical Jenkins Arbitrary File Leak Vulnerability Now!

On 24 January 2024, the Jenkins team issued a security advisory disclosing a critical vulnerability that affects the Jenkins CI/CD tool. Jenkins is a Java-based open-source automation server run by over 1 million users that helps developers build, test and deploy applications, enabling continuous integration and continuous delivery. The critical vulnerability is tracked as CVE-2024-23897 and affects Jenkins 2.441 and earlier. LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces the ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system that can lead to RCE. According to security researchers from ShadowServer, there are approximately 45,000 unpatched Jenkins instances, most of which are in China (12,000) and the United States (11,830). Two Proof of Concepts (PoCs) exploits have been released to the public and could be leveraged by attackers to compromise unpatched Jenkins servers. According to the Cyber Security Agency (CSA) of Singapore, as of 30 January 2024, the vulnerability is reportedly being actively exploited. Who Is Affected? Anyone who is running Jenkins 2.441 and earlier is affected by this vulnerability. How Can I Fix It? Jenkins users are urged to upgrade to Jenkins 2.442 and LTS 2.426.3.   How Can NodeZero Help?  All NodeZero™️ users can run an autonomous pentest to determine if their systems are vulnerable to the Jenkins vulnerability. We also recommend running a follow-on pentest to verify that any remediation steps taken, such as patching, are effective.    Example Top Weaknesses and Impacts: Example Attack Path: If you want to read more, please read Horizon3.ai’s Attack Team’s blog titled, “CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability.”   Source: CVE-2024-23897: Check Critical Jenkins Arbitrary File Leak Vulnerability Now! – Horizon3.ai Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us on info@accorian.com Threat Advisory Team Accorian

View More

Article

Log4j is back!!

Two years after disclosing the Log4Shell vulnerability (CVE-2021-44228), a critical remote code execution (RCE) flaw in the open-source Java logging utility Log4j continues to pose a significant threat. Despite widespread patching efforts, nearly one in four applications still rely on outdated Log4j libraries, rendering them susceptible to exploitation. Notably, the Lazarus hacking group has initiated a new cyber campaign called "Operation Blacksmith," targeting manufacturing, agriculture, and physical security companies globally. Exploiting the Log4Shell vulnerability, the group employs three previously unseen malware families coded in the rarely used D programming language: NineRAT: A remote access trojan (RAT) communicates via the Telegram API for command and control, data exfiltration, and persistence. DLRAT: This trojan and downloader serve to introduce additional payloads and collect system information. BottomLoader: Functioning as a downloader, it fetches and executes payloads, establishes persistence, and exfiltrates files. Over 38% of applications using Log4j remain vulnerable to security issues, including the critical Log4Shell exploit (CVE-2021-44228). This unauthenticated RCE flaw permits attackers to completely control systems utilizing vulnerable Log4j versions (2.0-beta9 through 2.15.0).  Impact: Successful exploitation could allow attackers to control affected systems remotely, steal data, deploy malware, or disrupt operations. Even patched versions of Log4j (2.17) are vulnerable to another RCE bug (CVE-2021-44832). EOL versions of Log4j are susceptible to seven high and critical-rated vulnerabilities, including Log4Shell. Exploited systems can face operational disruptions, data theft, and compromised credentials. Who is Affected? Applications and systems using Log4j versions 2.0-beta9 through 2.15.0 (pre-2015 EOL versions) are directly vulnerable to Log4Shell. Applications using Log4j 2.17 are vulnerable to CVE-2021-44832. Organizations unaware of their open-source software dependencies are at increased risk. Manufacturing, agriculture, and physical security companies are the primary targets, but any organization using vulnerable Log4j is at risk. Remediation: Update Log4j to the latest patched version: Log4j 2.17.1 (Java 8) Log4j 2.13.4 (Java 7) Log4j 2.3.2 (Java 6) Implement Software Composition Analysis (SCA) tools to identify and track vulnerable libraries. Train developers on secure coding practices and open-source software security risks. Limit public exposure of VMware Horizon servers and restrict access with strong authentication. Monitor systems for suspicious activity and implement intrusion detection/prevention systems. How Can Accorian Help: Quick Detection Scan: Accorian can offer a quick detection scan to identify potential Log4Shell vulnerabilities within your systems.  Furthermore, Accorian offers a range of security solutions to help you mitigate the risk of Log4Shell and other cyber threats: Vulnerability Assessment and Penetration Testing: Identify and remediate vulnerabilities in your systems, including Log4j. Security Information and Event Management (SIEM): Monitor your network for suspicious activity and detect potential breaches. Incident Response: Respond to cyberattacks quickly and effectively to minimize damage. Source: https://www.scmagazine.com/news/lazarus-group-uses-novel-malware-in-latest-log4j-campaign Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us on info@accorian.com Threat Advisory Team Accorian

View More

Article

WordPress - Critical Vulnerabilities in WS_FTP Server Expose High-Risk Exploitation

Multiple exploitable flaws have been found in numerous versions of the WS_FTP Server, built by Progress Software. One of the most serious is present in WS_FTP Server versions prior to 8.7.4 and 8.8.2, in a module for sending files person-to-person. The module, marketed by Progress Software as the Ad Hoc Transfer Module, is vulnerable to an attack that converts a hypertext transfer protocol message into a malicious object that can execute arbitrary code, a technique known as deserialization.  The identified flaw is a deserialization flaw in WS_FTP, a popular FTP server software. This vulnerability allows malicious actors to execute arbitrary code on affected servers potentially. About 2,900 hosts on the internet were found to be running WS_FTP and had their web servers exposed, making them vulnerable to exploitation. These instances primarily belonged to large enterprises, governments, and educational institutions. Progress Software has since released patches for eight vulnerabilities and strongly recommends that all users update their WS_FTP installations to protect against potential attacks. The updates include a patch for the .NET deserialization vulnerability, tracked as CVE-2023-40044, through which attackers can remotely execute arbitrary code. The U.S. Health Sector Cybersecurity Coordination Center, or HC3, in a Friday alert, said it "strongly encourages all users to follow the manufacturer's recommendation and upgrade to the highest version available - 8.8.2 - to prevent any damage from occurring." Security experts have warned all organizations that use secure file transfer tools to review their documentation to identify how such software can be locked down. Accorian strongly recommends that all users update their WS_FTP installations to protect against potential attacks. Source: https://www.databreachtoday.com/alert-attackers-actively-exploiting-wsftp-vulnerabilities-a-23200 For any further assistance, kindly reachout to us on info@accorian.com Threat Advisory Team Accorian

View More

Article

Critical Vulnerability in Ivanti’s Avalanche Enterprise MDM Solution

Ivanti, a leading technology company that offers IT asset management, security, endpoint, and supply chain solutions has released patches for seven critical and high-severity vulnerabilities in Avalanche, its Enterprise Mobile Device Management (MDM) solution. Among the vulnerabilities is the directory traversal flaw tracked down as CVE-2023-32563. It’s the most severe of the flaws with a CVSS score of 9.8. The MDM solution's updateSkin function has this directory traversal flaw that can be exploited without authentication. The problem arises from a user-supplied path not being properly validated before being used in file operations. This vulnerability can be misused by an attacker to execute remote codes.The release also addressed multiple stack-based buffer overflow bugs collectively tracked down as CVE-2023-32560 with a CVSS score of 8.8. These were discovered in the Wavelink Avalance Manager, which processes data using a fixed-size stack-based buffer. By delivering a specially written message to the service, an adversary can take advantage of this and potentially cause code execution or disrupt the service. In addition, two other high-severity remote code execution vulnerabilities CVE-2023-32562 and CVE-2023-32564 and three authentication bypass flaws CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 present in various components of the MDM solution were patched.Although none of these problems have been reported as being exploited in the wild, Accorian strongly recommends that all users of Avalanche update it to version 6.4.1.207, released earlier this month. For any further assistance, kindly reachout to us on info@accorian.com Source: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution - SecurityWeek Threat Advisory Team Accorian

View More

Article

Microsoft RCE & EOP Vulnerability in August Patch Release

Microsoft addressed 74 CVEs in its August Patch Tuesday release, out of which 6 were rated “Critical” and 67 were rated “Important”. Remote code execution (RCE) vulnerabilities made up 31.5% of the vulnerabilities patched, with elevation of privilege (EoP) vulnerabilities making up 24.7%. One zero-day vulnerability was also addressed in the release. Among the RCE vulnerabilities are the CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 which have been assigned a CVSSv3 score of 9.8 and are “Critical”. The vulnerabilities are found in the Microsoft Message Queuing (MSMQ) component of the Windows operating system. An unauthenticated remote attacker can exploit this flaw by sending malicious MSMQ packets to a vulnerable MSMQ server, which leads to arbitrary code execution. Yet, to exploit this weakness, the susceptible server's Message Queuing service must be activated. According to Microsoft, if the service is enabled, it runs as "Message Queuing" and listens on TCP port 1801. Another “Important” rated vulnerability is CVE-2023-21709 which is an EoP vulnerability found in Microsoft Exchange Server. An adversary could exploit this flaw by trying to brute force the password for valid user accounts. If exploited, the adversary can login as another user. According to Microsoft, a PowerShell script must be run after the patch has been applied. Microsoft addressed five other vulnerabilities in Microsoft Exchange Server which are tracked down as CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182 and CVE-2023-35388. The CVE-2023-38181 is a Spoofing Vulnerability which is assigned a CVSSv3 score of 8.8. If exploited, an attacker might acquire access to a user's Net-NTLMv2 hash, which could then be used to launch an NTLM Relay attack against another service to authenticate as the user. The rest are RCE vulnerabilities with scores 8.8, 8.8, 8.0 and 8.0 respectively. The CVE-2023-3182 and CVE-2023-35388 are rated “Exploitation More Likely” by Microsoft. If exploited, an adversary could execute a code using PowerShell remoting session. To successfully exploit, the adversary would need to have LAN access and valid credentials for an Exchange user. Accorian strongly recommends patching systems as soon as they can be and routinely scanning your environment to find any systems that need to be patched. Organizations are encouraged to apply the latest Windows updates for August. Source: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug Threat Advisory Team Accorian

View More

Ready to Start?

Security Compliance & Assessment Services

CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTINGRed TEAM ASSESSMENTS
TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

Ground Floor,11, Brigade Terraces, Cambridge Rd, Halasuru, Udani Layout, Bengaluru, Karnataka 560008, India

Ready to Start?​

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide