First disclosed by Citrix on 10 October 2023, the critical vulnerability, dubbed Citrix Bleed, allows remote attackers to obtain active user session information from a vulnerable NetScaler, which attackers can then use to access the Citrix environment as a valid user.
In this article we provide an overview of the vulnerability, remediation advice and steps to take if you uncover malicious activity on your affected NetScaler ADC and Gateway products.
On 10 October 2023, Citrix disclosed a new vulnerability, CVE-2023-4966 (aka Citrix Bleed), which impacts NetScaler ADC and NetScaler Gateway appliances. The vulnerability received a severity score of CVSS 9.4.
The vulnerability enables threat actors to take over legitimate user sessions on NetScaler ADC and Gateway appliances that are configured as a Gateway or AAA virtual server. Security researchers have observed that actors holding a valid session cookie can establish authenticated sessions without user credentials and without access to a multi-factor authentication token or device.
At the date of this article, S-RM has responded to several incidents where Citrix Bleed was exploited by threat actors, and S-RM anticipates additional exploitation of this vulnerability against organisations across multiple sectors. To date, the vulnerability has been exploited by the ransomware groups Akira, NoEscape, Medusa, and LockBit 3.0 in attacks on victims across numerous sectors.
Remediation cannot be fully achieved through patching alone. The web server on the appliance does not by default record requests or errors to the vulnerable endpoint, so proving compromise will be challenging unless a threat actor actually uses the stolen session cookies. Exploitation can only be identified by reviewing logs from web application firewalls and network appliances that organisations use to record HTTP/S requests directed at NetScaler ADC or Gateway appliances.
We urgently advise all organisations that may be impacted by Citrix Bleed to apply the following remediations:
- Revoke all active sessions, persistent sessions and Independent Computing Architecture (ICA) sessions.
- Isolate the appliances for testing and patch deployment.
- Review systems for evidence of exploitation of CVE-2023-4966 by completing the following:
  - Review NetScaler logs (ns.log) for indications of remote IP changes for active users.
  - Inspect virtual desktop agent Windows Registry keys, comparing them against the user accounts and timestamps available in ns.log, to identify a potential threat actor's local host IP address and hostname.
  - Review NetScaler memory core dump files for the appliance's FQDN responses; exploitation is observable where long sequences of characters are returned in place of legitimate FQDN responses.
- Rotate the credentials for accounts used to access resources through NetScaler ADC / Gateway appliances.
- Upgrade to the latest versions of NetScaler ADC and NetScaler Gateway.
If evidence of compromise is identified, we would recommend an immediate investigation into the scope of the malicious activity to ensure any unauthorised access to the network is removed.
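The ns.log review step above looks for a single active session that continues from a different remote address. As an added example (not S-RM's or Citrix's own tooling), the script below parses constructed, approximate NetScaler SSLVPN session records (SessionId / User / Client_ip fields) and reports every session seen from more than one Client_ip; the field layout and all addresses are assumptions for illustration and should be checked against your own appliance's log format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ns.log lines. The layout is modelled on NetScaler
# AAA/SSLVPN session records (Context/SessionId/User/Client_ip fields) but
# is an approximation written for this example, not output from a real appliance.
SAMPLE_NS_LOG = """\
Oct 18 08:01:12 ns01 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context jsmith@10.10.1.5 - SessionId: 5001 - User jsmith - Client_ip 198.51.100.20 - Vserver 10.10.0.1:443
Oct 18 08:05:40 ns01 0-PPE-0 : default SSLVPN LOGIN 1002 0 : Context mlee@10.10.1.9 - SessionId: 5002 - User mlee - Client_ip 198.51.100.44 - Vserver 10.10.0.1:443
Oct 18 08:31:03 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 0 : Context jsmith@10.10.1.5 - SessionId: 5001 - User jsmith - Client_ip 203.0.113.77 - Vserver 10.10.0.1:443
Oct 18 08:32:15 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1004 0 : Context mlee@10.10.1.9 - SessionId: 5002 - User mlee - Client_ip 198.51.100.44 - Vserver 10.10.0.1:443
Oct 18 08:40:09 ns01 0-PPE-0 : default SSLVPN LOGOUT 1005 0 : Context jsmith@10.10.1.5 - SessionId: 5001 - User jsmith - Client_ip 203.0.113.77 - Vserver 10.10.0.1:443
"""

# Assumed record shape: syslog timestamp first, then the session fields in order.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SessionId: (?P<sid>\d+) - "
    r"User (?P<user>\S+) - Client_ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sessions(log_text: str) -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Map SessionId -> (user, [(timestamp, client_ip), ...]) in log order.

    Only the first sighting of each distinct Client_ip per session is kept,
    so the list records where a session's source address changed.
    """
    sessions: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {}
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a session record, or a layout this parser does not handle
        _user, sightings = sessions.setdefault(m["sid"], (m["user"], []))
        if all(ip != m["ip"] for _, ip in sightings):
            sightings.append((m["ts"], m["ip"]))
    return sessions


def find_session_ip_changes(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (session_id, user, [ips]) for every session seen from more than one Client_ip."""
    findings = []
    for sid, (user, sightings) in parse_sessions(log_text).items():
        ips = [ip for _, ip in sightings]
        if len(ips) > 1:
            findings.append((sid, user, ips))
    return sorted(findings)


if __name__ == "__main__":
    for sid, user, ips in find_session_ip_changes(SAMPLE_NS_LOG):
        print(f"session {sid} ({user}) seen from {' -> '.join(ips)}")
```

A flagged session is a lead, not proof: corroborate it against WAF or proxy logs of requests to the appliance and against the user's expected locations before treating it as a hijack.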
Affected NetScaler ADC and Gateway appliances
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.30
Post exploitation tactics identified
S-RM’s Incident Response team have observed the following tactics, techniques and procedures (TTPs) immediately following the exploitation of the Citrix Bleed vulnerability.
- Use of RDP, for example to Virtual Desktop instances, to access a domain-joined device.
- Use of AnyDesk, a remote desktop application, as a persistence mechanism on compromised systems.
Additionally, S-RM has observed the use of the following tools in cases involving Citrix Bleed:
- Advanced IP Scanner – Network scanning tool used to map a victim’s network and identify access vectors.
- Netscan.exe – Active Directory reconnaissance tool.
- Mimikatz.exe – Credential extractor used to gain network and system access.
- Nmap.exe – open-source network scanner used to identify vulnerabilities.
- Python scripts (e.g. “m.py”)
- PsExec – Sysinternals tool used for lateral movement and remote execution.
If malicious activity is identified
- Trigger your incident response plan
- Engage an expert cyber incident response firm
- Preserve evidence
- Implement a containment plan to limit the threat actor’s access inside the network
- Implement a threat hunting and eradication plan to remove the threat actor from the network
- Conduct forensics across impacted devices to identify potential data exfiltration.
Please contact S-RM if you are concerned about your organisation’s exposure to the Citrix vulnerability.