Citrix Bleed Bug Inflicts Mounting Wounds, CISA Warns

Patch or isolate now: Organizations in every sector run the risk of hemorrhaging data as opportunistic attacks from LockBit ransomware and others grow.

A brown fabric patch
Source: Arletta Cwalina via Alamy Stock Photo

Ransomware affiliates for the LockBit 3.0 gang are ramping up their assault on the so-called "Citrix Bleed" security vulnerability, resulting in re-upped warnings from CISA and Citrix itself to take affected appliances offline if immediate remediation isn't an option.

The critical bug (CVE 2023-4966, CVSS 9.4) is found in the NetScaler Web application delivery control (ADC) and NetScaler Gateway appliances, and was patched in late October, after Mandiant warned about its use as a zero-day in limited, targeted cyberattacks. But it quickly caught the attention of more opportunistic threat actors, especially after the swift release of public proof-of-concept exploits (PoCs).

Ransomware Interest in Citrix Bleed Ramps Up

As CISA warned today, the bug offers a relatively easy authentication bypass route to the corporate crown jewels — a fact not lost on LockBit 3.0 users, who have mounted attacks on a range of targets, including Boeing, Australian shipping giant DP World, and the ICBC, China's state bank and the largest financial institution in the world.

The risk is significant: "Citrix Bleed allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions," warned the agency, in a joint advisory with the FBI, MS-ISAC, and the Australian Cyber Security Center. "Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources."

Security researcher Kevin Beaumont (aka GossitheDog), who has been tracking the LockBit 3.0 hits, said last week that the gang and its affiliates have put together a "strike team" specializing in weaponizing Citrix Bleed, which may be likely staffed by teenagers.

"The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas," he said. "They probably have a better asset inventory of your network than you, and they don't have to wait four weeks for 38 people to approve a change request for patching one thing."

Once Again for Emphasis: Patching Isn't Enough

As far as what to do amid the voluminous attack activity, CISA offered detailed remediation guidance, detection methods, and indicators of compromise (IOCs) for Citrix Bleed, while Citrix in its advisory reiterated its previous warning that patching is not enough to protect affected instances, because compromised NetScaler sessions will continue to be vulnerable after patching.

"If you are using any of the affected builds listed in the security bulletin, you should upgrade immediately by installing the updated versions," Citrix noted on Nov. 20. "After you upgrade, we recommend that you remove any active or persistent sessions."

"Organizations should re-assess their ability to find all applications down to the process/PID level, know their patch level, and have the ability to fully reset the application (i.e. kill all active or persistent sessions," adds John Gallagher, vice president of Viakoo Labs at Viakoo. "Too many organizations have yet to patch this vulnerability, and even those who have are not fully mitigating the threat because process-level persistence."

Both CISA's and Citrix's alerts reiterated the importance of isolating vulnerable appliances if patching and killing the instances isn't an immediate option, given that this bug is likely to remain near the top of the list for threat actors to target.

"According to Citrix, their product is used by more than 90% of the Fortune 500 companies," Lionel Litty, chief security architect at Menlo Security, notes. "These devices are exposed directly to clients that can manipulate the IP, TCP, TLS, and HTTP protocols to probe the attack surface. And with this vulnerability, we have a pre-authentication problem, which means an attacker does not need to have credentials to target it. This combination of factors makes this attacker gold."

The organizations issued the warnings just ahead of the Thanksgiving holiday in the US, when many security teams will be running skeleton crews. A recent analysis from ReliaQuest indicated that thousands of organizations remain exposed to the threat.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights