The big picture: Earlier this year, a critical vulnerability was discovered in Citrix Systems Inc.'s NetScaler and NetGateway products, which are popular among enterprise IT admins for a wide range of security functions, including load balancing, application firewalls and proxy services. Named 'Citrix Bleed,' the exploit allows hackers to gain unauthorized access to compromised systems by retrieving session cookies. While the company announced patches on October 10, new reports suggest that the vulnerability is now under mass exploitation by ransomware groups.
As reported by Ars Technica, the Citrix Bleed vulnerability (tracked as CVE-2023-4966) has been actively exploited since last August, although the problem has grown exponentially in recent weeks. According to cybersecurity researcher Kevin Beaumont, "multiple organizations" are reporting seeing widespread exploitation of the vulnerability, with an estimated 20,000 compromised Citrix devices believed to have had their session tokens stolen.
According to cybersecurity firm GreyNoise, the attacks were coming from as many as 135 IP addresses as of October 30, while there were just five errant IPs last week. Cybersecurity firm Shadowserver says there are around 5,500 unpatched devices, but there's no word on why that number is so much lower than Beaumont's estimate of 20,000 compromised devices.
It is worth noting here that the patches rolled out by Citrix do not apply to firmware version 12.1, as those devices have reached their end-of-life (EoL). Citrix's decision leaves thousands of devices vulnerable, especially as new attackers crop up by the day. However, the company claims that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted by the issue.
The vulnerability is believed to be relatively easy to exploit by simply reverse-engineering the patch Citrix released earlier this month. In addition, several proof-of-concept exploits are available online, making the job of the hackers even easier. Ultimately, Citrix Bleed remains a massive headache for enterprises and governments running NetScaler and NetGateway devices, and the only way to remediate the issue is to install the available patch for compatible devices.
For older systems that do not have a patch yet, Google's Mandiant cybersecurity research group recommends a workaround that requires appliances to have "ingress IP address restrictions enforced to limit the exposure and attack surface." If updated firmware is available, the researchers recommend that users install it immediately and then terminate all active and persistent sessions to protect their systems from being compromised.