Back

CitrixBleed in Citrix Netscaler/ADC is under mass exploitation. A ransomware group has distributed an exploit to their operators too.

#threatintel #mspaint
https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18?sk=6c6a183bfaa9f69eff86c9c25e4c2326

Quick update on #CitrixBleed - tracking just over 20k exploited Netscaler servers so far today, where session tokens have been stolen.

How? Have a honeypot running to gather data on attackers, then compare with Netflow via industry friends. Two TCP connections (first large) plus Shodan cross reference to validate Netscaler victim.

Also it turns out in March of this year somebody documented how to replay the session token to bypass MFA/login: https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

Here's #CitrixBleed in action. Ignore the username/password, can be anything.

Here’s the most recent #CitrixBleed exploitation data from @greynoise. 114 unique IPs spraying the internet and stealing session tokens. #threatintel

139 unique IPs are spraying internet with #CitrixBleed session token theft, which allows both credential and MFA bypass.

My write up for those who missed it:
https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18?sk=6c6a183bfaa9f69eff86c9c25e4c2326

Contains two details not in any other write up:

- The initial openid exploitation string isn’t logged anywhere. At all.
- The public exploit also calls GetUserName with a python user agent. If you have logs in Microsoft Sentinel, Splunk etc you can use this to hunt.

The internet got mass sprayed from Oct 24.

I would also point out the one time I used Matthew Perry in a post, he died. Pray I don’t GIF you.

A fun #CitrixBleed stat is over half of orgs haven’t patched still. That includes telcos, electric companies, food companies, governments etc etc. The CISA requirement to patch in USG is in mid November.

My blog post on it has under 1000 views.

Meanwhile some IBM post about hypothetical AI phishing is *all over* LinkedIn.

Mandiant has a new blog out on #CitrixBleed which backs up a key point from my blog https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966

The initial exploit string isn’t logged.. at all.

There’s some good hunting stuff in the blog (ICA sessions) - I’d say combine it with the GetUserName thing in my blog for assurance.

The other big take away is a ton of orgs have been compromised and don’t know yet. #threatintel

The ransomware victims for #CitrixBleed are starting to arrive into multiple IR firms I’ve talked to, where the threat actors have made it to domain admin.

It’s like a party in a sweet shop where there’s too many targets vs operators so expect it to be a slow burn.

Btw if it helps anybody, one of the groups are deploying Atera in ICA/RDP sessions.

Reasons:
- Legit remote access tool. No AV or EDR alerts.
- allows remote interactive command prompt and PowerShell
- reverse proxy, works behind firewall

So you take over a session, install that, and then disconnect. You then have persistent access to endpoint after patching of Netscaler.

Ransomware groups are basically a cheaper and better managed MSP.

#CitrixBleed update, about 87% of exposed instances have been patched it’s still around 5k unpatched.

Australian Signals Directorate has assessed that there is significant exposure to Citrix NetScaler ADC and NetScaler Gateway vulnerabilities in Australia and that any future exploitation would have significant impact to Australian systems and networks https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/citrix-products-netscaler-adc-and-netscaler-gateway-zero-day-vulnerability

Looping this in to this thread - a few days ago I wrote another blog about this.

“LockBit ransomware group assemble strike team to breach banks, law firms and governments.”

Since publishing multiple ransomware groups have joined in. They are stealing data and extorting organisations.

https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee

CISA say a wide variety of groups are exploiting #CitrixBleed. https://www.bloomberg.com/news/articles/2023-11-19/hackers-are-exploiting-a-flaw-in-citrix-software-despite-fix

New #CitrixBleed blog (where the vendor has moved it from Citrix.com to a different website).

Essential point is run the commands to kill active sessions. I have more to come on this point, somebody harvested session tokens from almost every box on the internet.

https://www.netscaler.com/blog/news/netscaler-investigation-recommendations-for-cve-2023-4966/

Multi agency advisory on #CitrixBleed. Patch.

Lots of new IOCs in this. Boeing provided a detailed play by play of their LockBit incident. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

Why you should sweep your network for #CitrixBleed IOCs. A foot doctor.

CISA have held a briefing call with reporters about #CitrixBleed.

They have warned more than 300 US entities through CISA’s Ransomware Vulnerability Warning Program that they have problems and say thousands of systems remain vulnerable.

https://therecord.media/citrix-bleed-bug-targeted-cisa

@databeestje @GossiTheDog The vulnerability is not mitigated or impacted by the use of MFA.

It's weird though, I've seen many people asserting they are not worried about patching because they did the responsible thing and setup MFA. I'm sure that belief is part of the problem right now.

@jonas @GossiTheDog I'm tired of seeing procdump.exe in these reports. Every. Single. Time.

I tried to make IOCs out of file hashes but there seems to be an infinite number of versions of procdump. I tried using the signing cert but Sysinternals sign a whole lot of other tools. We need a generic option.