Malicious hackers bypass critical patch for Netscaler by Citrix, leading to vulnerability exploitation
Urgent Action Needed After Applying Citrix NetScaler Patch to Prevent Continued Exploitation
The vulnerability known as "CitrixBleed" (CVE-2023-4966) has been under active exploitation since at least August, allowing hackers to hijack existing authenticated sessions and bypass multifactor authentication. Despite the release of a patch by Citrix on October 10, the exploitation of this vulnerability continues, according to cybersecurity firm Mandiant.
In a recent statement, Mandiant's Chief Technology Officer, Charles Carmakal, urged organizations to terminate all active sessions, even after the patch has been deployed, to prevent continued exploitation. This advice comes in light of cases where session data was stolen prior to the patch deployment and later used by hackers.
To ensure that any potentially stolen session tokens or active sessions vulnerable before patching are invalidated, Mandiant recommends several measures:
- Terminating all active user sessions, such as ICA, PCoIP, RDP, AAA, and Load Balancing (LB) persistent sessions, using commands like those listed below. This action is critical because session tokens leaked before patching may still be valid, allowing attackers to reuse them.
- Auditing active sessions post-patch for suspicious activity such as sessions used from multiple IPs, which may indicate active hijacking.
- Enforcing strong authentication and session binding policies, including IP or device fingerprint binding and time-based expiration of session tokens, to reduce the risk of token replay attacks.
- Deploying Web Application Firewall (WAF) rules that block malformed HTTP POST requests to authentication endpoints to prevent exploitation attempts.
- Monitoring for Indicators of Compromise (IoCs) such as unauthorized access, backdoor accounts, or unusual configuration changes.
- Upgrading all NetScaler appliances to the latest fixed firmware versions since End-Of-Life (EOL) versions do not receive patches and remain vulnerable.
- Proactively using scanning tools (like Shodan) and intrusion detection rules (e.g., Snort rule SID: 65120) to identify exposed systems and detect exploitation attempts.
These combined measures help reduce the attack surface against post-patch exploitation. Simply patching without terminating active sessions and enforcing stronger session controls leaves environments open to session hijacking and unauthorized access.
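The two controls above that lend themselves to code are the post-patch session audit (sessions seen from more than one source IP, and sessions that predate the patch and therefore must be killed) and the session-binding policy (a token is only honoured from the IP it was issued to and only for a bounded lifetime). The following Python is an added illustration written for this article; it is not Citrix or Mandiant tooling, and the session-record line format, the patch timestamp, the IP addresses (RFC 5737 documentation ranges) and the eight-hour lifetime are all constructed for the example.

```python
"""Post-patch session audit and session-binding checks for NetScaler-style
session records.  Added example, not Citrix's or Mandiant's code; the record
format and all values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    session_id: str
    user: str
    src_ip: str
    timestamp: datetime


# Constructed sample export: one line per request observed on an existing session.
SAMPLE_LOG = """\
2023-10-10T08:00:00+00:00 session=s1 user=alice src=203.0.113.10
2023-10-10T09:30:00+00:00 session=s1 user=alice src=198.51.100.7
2023-10-11T10:00:00+00:00 session=s2 user=bob src=203.0.113.22
2023-10-11T11:00:00+00:00 session=s2 user=bob src=203.0.113.22
2023-10-09T23:00:00+00:00 session=s3 user=carol src=192.0.2.5
"""

# Constructed time at which the fixed firmware went live on this appliance.
PATCH_APPLIED_AT = datetime.fromisoformat("2023-10-10T12:00:00+00:00")


def parse_line(line):
    """Parse '<iso-timestamp> session=<id> user=<name> src=<ip>' (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return SessionEvent(fields["session"], fields["user"], fields["src"],
                        datetime.fromisoformat(ts))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sessions_with_multiple_ips(events):
    """Sessions whose token was presented from more than one source IP (hijack indicator)."""
    ips = defaultdict(set)
    for e in events:
        ips[e.session_id].add(e.src_ip)
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


def sessions_predating_patch(events, patch_time):
    """Sessions first seen before the patch: their tokens may have leaked and must be killed."""
    first_seen = {}
    for e in events:
        if e.session_id not in first_seen or e.timestamp < first_seen[e.session_id]:
            first_seen[e.session_id] = e.timestamp
    return sorted(sid for sid, t in first_seen.items() if t < patch_time)


def audit(text, patch_time):
    events = parse_log(text)
    return {"multi_ip": sessions_with_multiple_ips(events),
            "kill_candidates": sessions_predating_patch(events, patch_time)}


def audit_sample():
    return audit(SAMPLE_LOG, PATCH_APPLIED_AT)


# Enforcement side: a token bound to its issuing IP with an absolute lifetime.
@dataclass(frozen=True)
class BoundSession:
    session_id: str
    bound_ip: str
    issued_at: datetime


MAX_SESSION_AGE = timedelta(hours=8)  # constructed policy value


def accept_presentation(sess, src_ip, now, max_age=MAX_SESSION_AGE):
    """Reject a token replayed from another IP or presented after its lifetime."""
    if src_ip != sess.bound_ip:
        return False
    if now - sess.issued_at > max_age:
        return False
    return True


def presentation_checks():
    """Three constructed presentations: same IP in time, foreign IP, same IP but expired."""
    sess = BoundSession("s9", "203.0.113.50",
                        datetime.fromisoformat("2023-10-11T08:00:00+00:00"))
    in_time = datetime.fromisoformat("2023-10-11T09:00:00+00:00")
    too_late = datetime.fromisoformat("2023-10-11T17:00:00+00:00")
    return (accept_presentation(sess, "203.0.113.50", in_time),
            accept_presentation(sess, "198.51.100.1", in_time),
            accept_presentation(sess, "203.0.113.50", too_late))


if __name__ == "__main__":
    print(audit_sample())        # s1 used from two IPs; s1 and s3 predate the patch
    print(presentation_checks())  # (True, False, False)
```

In the sample, session s1 is flagged twice: it was issued before the patch and has since been presented from a second address, which is exactly the pattern Mandiant describes (a token stolen pre-patch and reused afterwards). A real deployment would feed this from the appliance's own session export rather than the constructed lines, and the binding policy would add a device fingerprint alongside the IP, as the article suggests.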
It is essential for corporate stakeholders to understand the risk calculus of their technology stacks. Exploitation of the vulnerability CVE-2023-4966 has occurred in professional services and technology firms, as well as government agencies, according to Mandiant. The identity of the threat actor exploiting the vulnerability is unknown, but Mandiant expects hackers with financial motivations to eventually join the activity.
The Cybersecurity and Infrastructure Security Agency has referred back to Mandiant's guidance when asked for comment. The question corporate stakeholders want answered is: Are we a target? By taking the recommended measures, organizations can significantly reduce their risk and protect their systems from potential attacks.
- Despite applying the Citrix NetScaler patch, organizations must terminate all active sessions to prevent continued exploitation of the 'CitrixBleed' vulnerability (CVE-2023-4966), as recommended by Mandiant's Chief Technology Officer, Charles Carmakal.
- In light of the ongoing exploitation of the 'CitrixBleed' vulnerability, it is crucial for technology-focused organizations, including government agencies, to enforce strong authentication and session controls, such as terminating active sessions and deploying Web Application Firewall (WAF) rules, to minimize the risk of unauthorized access.