Original Release Date: 10/30/2023
A critical information disclosure vulnerability, known as "Citrix Bleed" and affecting Citrix NetScaler ADC and NetScaler Gateway devices, is being actively exploited by threat actors. The vulnerability, tracked as CVE-2023-4966, is remotely exploitable without authentication and can allow threat actors to read valid session tokens from the memory of internet-facing NetScaler devices. Stolen tokens can be replayed to hijack active sessions and gain unauthorized access without authenticating, which bypasses even multi-factor authentication (MFA).
Citrix initially addressed the vulnerability in a security advisory on October 10, and on October 17, researchers determined that threat actors had been exploiting the vulnerability since at least August 2023. A Python script that automates the attack chain has been distributed by a ransomware threat group, and attacks have become more widespread over the past several days.
Organizations are strongly advised to update impacted devices and to verify that accounts and devices have not been compromised.
Organizations whose Citrix devices were compromised are advised to remove impacted devices from the network, terminate all active and persistent sessions, and remove any backdoors or web shells so that all threat actor access to the device is eliminated. Updating alone is insufficient: applying the patch does not invalidate session tokens that were already stolen, so any hijacked session remains usable until it is terminated. Initial indicators of compromise may include the downloading of executable files from a command-and-control server, the execution of commands consistent with privilege escalation and network enumeration, and the staging of files for exfiltration.
Please review the following Mandiant blogs for recommendations on remediating CVE-2023-4966, and for indicators of compromise and hunting tips for investigating session hijacking via the vulnerability.
GreyNoise maintains a running list of malicious IP addresses involved in the recent exploitation of Citrix NetScaler devices, which could be useful for network defenders and forensic analysts.
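The hunting approach behind the guidance above is to look for a single NetScaler session that is suddenly used from a client IP other than the one that authenticated it, and to cross-check the new IP against an indicator list such as the one mentioned. The script below is an added example, not code from this advisory, Citrix, Mandiant or GreyNoise. It assumes a simplified ns.log-style line format (SessionId, User and Client_ip fields), the sample log lines and the watchlist are constructed for the example, and the IP addresses are RFC 5737 documentation ranges rather than real indicators.

```python
"""Flag NetScaler sessions that are used from more than one client IP.

Added example: the log format below is a simplified assumption modelled
on ns.log session records, and every line, address and watchlist entry
is constructed for illustration. Replace SAMPLE_LOG with real ns.log
lines and WATCHLIST with an indicator feed before use.
"""
import re

# Constructed sample: session 71 is authenticated by alice from an internal
# address, then reused from an external address that never logged in.
SAMPLE_LOG = """\
Oct 20 09:01:12 ns01 0-PPE-0 : default AAA LOGIN 1001 : Context alice@10.1.5.20 - SessionId: 71 - User alice - Client_ip 10.1.5.20 - Vserver 198.51.100.10:443
Oct 20 09:01:20 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 : Context alice@10.1.5.20 - SessionId: 71 - User alice - Client_ip 10.1.5.20 - Vserver 198.51.100.10:443
Oct 20 09:14:03 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 : Context alice@203.0.113.45 - SessionId: 71 - User alice - Client_ip 203.0.113.45 - Vserver 198.51.100.10:443
Oct 20 09:30:00 ns01 0-PPE-0 : default AAA LOGIN 1004 : Context bob@10.1.5.21 - SessionId: 72 - User bob - Client_ip 10.1.5.21 - Vserver 198.51.100.10:443
Oct 20 09:31:10 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 : Context bob@10.1.5.21 - SessionId: 72 - User bob - Client_ip 10.1.5.21 - Vserver 198.51.100.10:443
"""

# Constructed placeholder for an external indicator list (e.g. a feed of
# IPs seen exploiting NetScaler devices). Documentation-range address only.
WATCHLIST = frozenset({"203.0.113.45"})

# Extracts the three fields the hunt needs; lines without them are ignored.
LINE_RE = re.compile(
    r"SessionId:\s*(?P<sid>\d+)\s*-\s*User\s+(?P<user>\S+)\s*-\s*Client_ip\s+(?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return (session_id, user, client_ip) or None if the line has no session fields."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    return match.group("sid"), match.group("user"), match.group("ip")


def find_hijack_candidates(lines, watchlist=frozenset()):
    """Group records by SessionId and return the sessions seen from more than one client IP.

    Result maps session_id -> {"user": str, "ips": [ips in first-seen order],
    "watchlist_hit": bool}. The first IP is the one that authenticated; any
    later IP on the watchlist is a strong signal of token replay.
    """
    sessions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sid, user, ip = parsed
        entry = sessions.setdefault(sid, {"user": user, "ips": []})
        if ip not in entry["ips"]:
            entry["ips"].append(ip)

    candidates = {}
    for sid, entry in sessions.items():
        if len(entry["ips"]) > 1:
            entry["watchlist_hit"] = any(ip in watchlist for ip in entry["ips"][1:])
            candidates[sid] = entry
    return candidates


def main():
    for sid, entry in find_hijack_candidates(SAMPLE_LOG.splitlines(), WATCHLIST).items():
        flag = "WATCHLIST HIT" if entry["watchlist_hit"] else "review"
        print(f"session {sid} user={entry['user']} ips={' -> '.join(entry['ips'])} [{flag}]")


if __name__ == "__main__":
    main()
```

A session that changes client IP is not proof of compromise on its own: roaming VPN users and carrier-grade NAT produce the same pattern, which is why the script ranks a match against the indicator list above a bare IP change. Treat a flagged session as a lead to pull the full ns.log and AAA history for that user, not as a verdict.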
Affected Citrix devices include: