A hacking group has exploited a critical vulnerability in Citrix NetScaler servers to compromise close to 2,000 servers in a massive campaign, before patches could be applied.
As of August 14, Fox-IT researchers report that of some 31,127 vulnerable servers, more than 1,900 remain “backdoored”; of those, 1,248 had already been patched but were never checked for signs of successful exploitation.
The vulnerability, tracked as CVE-2023-3519, allows attackers to execute arbitrary code on the servers without authentication, giving them full control of the appliance: they can steal data, install malware, or disrupt operations.
Main Takeaways:
- A set of vulnerabilities in NetScaler, one of which allows remote code execution, was disclosed on July 18th. The disclosure came after several security organizations had seen limited exploitation of these vulnerabilities in the wild.
- Fox-IT (in collaboration with the Dutch Institute for Vulnerability Disclosure, DIVD) has scanned for the webshells left behind by this campaign to identify compromised systems. Responsible disclosure notifications have been sent by the DIVD.
- At the time of this exploitation campaign, 31,127 NetScalers were vulnerable to CVE-2023-3519.
- As of August 14th, 1,828 NetScalers remain backdoored.
- Of the backdoored NetScalers, 1,248 are patched for CVE-2023-3519.
David Mitchell, Chief Technical Officer, HYAS had this to say:
“Unfortunately, this is far from the first time this has happened in recent memory. In previous campaigns, attackers gained footholds within F5, Fortinet and VMware appliances through exposed management interfaces in order to avoid detection by EDR software.
“Regardless of whether the exploit is already in the wild, customers are expected to monitor their devices for the IOCs before and after the patch is applied — which is obviously not at an acceptable level. The reason for this gap may be education, outsourced managed devices or division of security labor within an organization, but I do not expect attacks on network devices to stop anytime soon.”
Clearly, simply patching everything isn’t enough. You also have to make sure that the bad guys aren’t already in, which means taking more rigorous steps to make sure you don’t end up on the wrong end of a headline.
“Citrix Bleed” Vulnerability Has The Potential To Be Another MOVEit
Posted in Commentary with tags Citrix, Security on October 31, 2023 by itnerd
Earlier this month, Citrix published a vulnerability discovered in hardware sold by the company and recommended that customers update NetScaler ADC and NetScaler Gateway to fixed versions. A week following the advisory, Mandiant reported that the vulnerability had been used as a zero-day exploit in the wild as early as August 2023, observing exploitation at professional services, technology, and government organizations. The vulnerability, which carries a severity rating of 9.4 out of 10, is currently being actively exploited by threat actors and allows multifactor authentication to be bypassed. Which makes this very bad. And it has been dubbed “Citrix Bleed”.
Avishai Avivi, CISO, SafeBreach
It is always bad news when a vulnerability comes under mass exploitation. As the Clop ransomware group’s exploitation of GoAnywhere and MOVEit showed, this will often result in millions of compromised records. This recent Citrix NetScaler vulnerability may become the next mass exploit with some notable differences.
NetScaler, unlike the software mentioned above, is specifically meant to serve as a security device. The mechanism that threat actors are exploiting, the Multi-Factor Authentication (MFA) mechanism, is itself a mechanism that boosts the overall security of the device. The other notable aspect is the timeline surrounding this particular vulnerability. More specifically, security researchers reported exploitation of this vulnerability to Citrix in late August 2023. Citrix released a patch and bulletin on October 10, 2023. Several reports show that, as of today, nearly three weeks after the bulletin, thousands of Citrix NetScaler devices remain unpatched and vulnerable.
I view Citrix’s response with mixed feelings. On the one hand, they promptly issued a patch for a critical vulnerability. On the other, they were too relaxed in communicating the urgency of this patch to their customers. This lack of urgency gets compounded when network and security administrators responsible for these devices fail to patch high and critical severity vulnerabilities. This failure indicates a flawed vulnerability management program. Critical and high-severity vulnerabilities should never remain unpatched or unmitigated for over a week, let alone three.
Tom Marsland, VP of Technology, Cloud Range
This vulnerability, designated CVE-2023-4966, now nicknamed “Citrix Bleed,” demonstrates what can happen when devices go unpatched. It’s not important enough that organizations track and remediate vulnerabilities. They must prioritize them, which means having cybersecurity experts who understand the vulnerabilities and the risk their company is under with these vulnerabilities. This goes to highlight the cybersecurity shortage occurring at the mid-level across the industry.
This vulnerability has a CVSSv3 score of 9.4 – it was first observed in late August, and a patch was released on October 10th. Three weeks should be plenty of time to investigate vulnerabilities and patch them in (at least) the public-facing environment – the fact that this is not occurring on some estimated 20,000 cases, again, highlights poor vulnerability management/asset tracking programs and an understaffed cybersecurity workforce at large. Not until we push cybersecurity education further down into our K-12 school systems and provide hands-on, competency-based training for our industry professionals, do I think we’ll truly be able to wrap our hands around this problem.
I am now just bracing myself for a new round of ransomware attacks because of this vulnerability on a similar scale of what has been seen with MOVEit. This sort of situation I used to think was the worst case scenario. But now it seems to be the norm. And that’s bad for all of us and needs to change.