The vulnerability’s name has been popping up over the past couple months in reports on key sectors. According to a post from cybersecurity researcher Kevin Beaumont, this flaw may be behind the cyber attack that disrupted swathes of credit unions earlier this week. The credit unions’ technology vendor Ongoing Operations was hit with ransomware and had failed to patch the vulnerability, he wrote. Ongoing Operations declined to confirm to Government Technology whether Citrix Bleed had been exploited.
But the health-care sector is also raising warnings. Industry group the American Hospital Association urged its membership recently to patch and defend against the vulnerability. Its message amplified the federal Health Sector Cybersecurity Coordinating Center (HC3)’s own alert. Ransomware actors also exploited it in an attack on airplane giant Boeing.
The flaw, also known as CVE 2023-4966, impacts Citrix NetScaler web application delivery control and NetScaler Gateway appliances. Federal officials and partners turned a spotlight on the vulnerability and issued a joint advisory, giving advice and details, including indicators of compromise; observed tactics, techniques and procedures; and detection methods.
Advisory authors include the Cybersecurity and Infrastructure Security Agency, FBI, Multi-State Information Sharing and Analysis Center and Australia’s lead cybersecurity agency, the Australian Signals Directorate’s Australian Cyber Security Centre.
At least one group of threat actors has been identified exploiting Citrix Bleed: affiliates deploying LockBit 3.0 ransomware. LockBit affiliates have in the past targeted organizations in critical infrastructure sectors, including government and emergency services, health care, financial services, energy, education, food and agriculture, manufacturing and transportation, per the joint advisory.
Hackers exploiting Citrix Bleed can “bypass password requirements and multifactor authentication leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control and Gateway appliances,” the advisory says. “Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”
The flaw is also relatively easy to exploit and so is likely to be widely exploited “in unpatched software services throughout both private and public networks,” per the advisory.
To respond, organizations should adopt updates, as well as search for evidence of compromise (and then take appropriate responses) as well as adopt other mitigation steps outlined in the joint advisory.
Citrix released the patch in early October, but attackers are known to have been exploiting it since August 2023.
“The manufacturer has also warned that these compromised sessions will still be active after a patch has been implemented,” HC3 wrote.
As such, HC3 advised not only updating but also using certain commands to remove “any active or persistent sessions.” The commands are below:
• kill aaa session -all
• kill icaconnection -all
• kill rdp connection -all
• kill pcoipConnection -all
• clear lb persistentSessions
