Insights of Post-Exploitation from Citrix Bleed - CVE-2023-4966
Exploitation of the NetScaler ADC and NetScaler Gateway vulnerability tracked as CVE-2023-4966 (also known as Citrix Bleed) for session hijacking continues to be a significant threat. On October 25, 2023, security researcher Kevin Beaumont observed over 20,000 instances of exploitation. Despite a patch released by NetScaler on October 10th, Beaumont warns that exposure persists after patching because existing session tokens remain valid. He explains, "This one allows full MFA bypass even after patching, as sessions persist on reboot unless you manually terminate existing sessions." As of November 1, 2023, GreyNoise reports 64 unique IPs actively targeting vulnerable Citrix ADC and NetScaler platforms.
Further insights into the vulnerability come from Mandiant's investigation, which reveals a wide range of targeted industries, including government agencies, technology, legal, and professional service organizations on a global scale. Mandiant reports it is currently tracking four distinct uncategorized (UNC) groups exploiting this vulnerability. Some commonalities in post-exploitation activity have been observed, including the use of native Windows utilities for initial reconnaissance, along with other native tools such as csvde.exe, certutil.exe, local.exe, and nbtscan.exe. Credential theft using Mimikatz was detected in two threat clusters, and Mandiant also identified the deployment of remote monitoring and management (RMM) tools during post-exploitation. "Notably, there were no overlaps in infrastructure between these clusters of activity," Mandiant reports. Attribution was further complicated by attackers employing VPNs and utilizing "previously compromised third-party devices."
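The post-exploitation pattern Mandiant describes (a burst of native recon utilities, then Mimikatz) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from Mandiant: it parses constructed, simplified process-creation events (the `ts=... host=... user=... image=...` format, the host and user names, and the escalation threshold are all assumptions) and escalates a host that runs several of the named utilities or any credential-theft tool.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Native utilities and the credential-theft tool Mandiant observed post-exploitation (named in the article)
RECON_TOOLS = {"csvde.exe", "certutil.exe", "local.exe", "nbtscan.exe"}
CRED_THEFT_TOOLS = {"mimikatz.exe"}

# Constructed, simplified process-creation events (key=value, 4688/Sysmon-like); not real telemetry
SAMPLE_EVENTS = [
    "ts=2023-10-26T09:12:01Z host=SRV01 user=CORP\\svc_vpn image=C:\\Windows\\System32\\csvde.exe",
    "ts=2023-10-26T09:12:40Z host=SRV01 user=CORP\\svc_vpn image=C:\\Windows\\System32\\certutil.exe",
    "ts=2023-10-26T09:13:05Z host=SRV01 user=CORP\\svc_vpn image=C:\\Temp\\nbtscan.exe",
    "ts=2023-10-26T09:20:11Z host=WS17 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe",
    "ts=2023-10-26T10:02:33Z host=DC01 user=CORP\\svc_vpn image=C:\\Users\\Public\\mimikatz.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one key=value event line into a dict; None if required fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    return fields if {"ts", "host", "user", "image"} <= fields.keys() else None

def classify(image):
    """Tag an image path by filename. Name matching is a floor, not a ceiling:
    a renamed mimikatz binary will not match, so pair this with behavioural rules."""
    name = PureWindowsPath(image).name.lower()
    if name in CRED_THEFT_TOOLS:
        return "credential-theft"
    if name in RECON_TOOLS:
        return "native-recon"
    return None

def detect(lines, recon_threshold=2):
    """Group hits per host. One certutil.exe run is often benign; a host running
    recon_threshold or more distinct recon utilities, or any cred-theft tool, is escalated."""
    findings = defaultdict(lambda: {"recon": set(), "cred_theft": set(), "users": set()})
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev["image"]) if ev else None
        if tag is None:
            continue
        f = findings[ev["host"]]
        f["users"].add(ev["user"])
        f["recon" if tag == "native-recon" else "cred_theft"].add(PureWindowsPath(ev["image"]).name.lower())
    for f in findings.values():
        f["escalate"] = len(f["recon"]) >= recon_threshold or bool(f["cred_theft"])
    return dict(findings)
```

Because the sessions at issue survive patching, the same account appearing on several hosts in a short window (tracked here in `users`) is worth correlating with the Gateway's own session records when triaging a hit.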
To remediate this vulnerability, organizations must apply patches and terminate existing user sessions, since patching alone does not invalidate sessions that were already hijacked. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on October 18th, 2023. While it is unclear whether the vulnerability is being leveraged for ransomware campaigns, the widespread exploitation necessitates immediate attention from affected organizations.