Citrix Bleed remains out of control with thousands of appliances still vulnerable

Citrix Bleed still remains a pervasive security threat for organizations globally despite a patch for the vulnerability being issued more than a month ago. 

Analysis shows that threat actors are targeting vulnerable devices en-masse since news of the flaw broke in late October. 

A host of major organizations including aerospace giant Boeing, law firm Allen & Overy, and the Industrial and Commercial Bank of China (ICBC) are all believed to have fallen victim to attacks as a result of the vulnerability.

In a blog post yesterday, security researcher Kevin Beaumont said notorious ransomware gang LockBit appears to have capitalized on the flaw to target several organizations.  

“Through data allowing the tracking of ransomware operators, it has been possible to track individual targets,” he said. “Recently, it has become clear they have been targeting a vulnerability in Citrix NetScaler, called CitrixBleed.”

“This has been done in a coordinated fashion amongst multiple LockBit operators — a strike team to break into organizations using CitrixBleed and then hold them to ransom.”

One of the victims, ICBC, reportedly paid a ransom in a bid to resume operations.

The attack on ICBC, which is one of the world’s largest banks, severely disrupted operations and prevented the bank from clearing trades. 

LockBit told Reuters the bank “paid a ransom, deal closed”.

Thousands have still not patched for Citrix Bleed 

Beaumont added that while a patch was issued on October 10, “around five thousands organizations” had still not installed the patch at the time of writing. 

The scale of the issue prompted CISA to issue a warning to potentially vulnerable organizations last week. The security agency urged organizations using Citrix NetScaler ADC and NetScaler Gateway to remain vigilant and issue a patch immediately.  

CISA said it, along with international partners, were responding to “active, targeted exploitation” of the vulnerability. 

CitrixBleed: Everything you need to know 

CitrixBleed specifically affects NetScaler Gateway and NetScaler ADC products, and was first identified by Citrix in early October. 

Tracked as CVE-2023-4966, the vulnerability can be used to bypass multi-factor authentication (MFA) and hijack authenticated sessions. 

This would enable threat actors to perform additional attacks within an organization’s network and exfiltrate sensitive data. 

Security firm Mandiant revealed it had seen evidence of CVE-2023-4966 being exploited in the wild since the end of August. 

Recurring Citrix flaws 

This latest incident is not the first serious vulnerability discovered in Citrix products this year. 

In July, the company issued a warning over three serious vulnerabilities affecting both NetScaler Gateway and ADC.  

These included: 

• A remote code execution (RCE) flaw tracked as CVE-2023-3519
• A cross-site scripting (XSS) flaw tracked as CVE-2023-3466
• A privilege escalation flaw tracked as CVE-2023-3467list

Researchers at NCC Group also uncovered a concerning campaign of attacks against Citrix users in August in which the aforementioned RCE flaw (CVE-2023-3519) has been used to place web shells on vulnerable devices.