A significant surge in brute-force attacks targeting Citrix NetScaler devices has been observed across multiple organizations.
The attacks, primarily originating from a Hong Kong-based cloud provider, are exploiting misconfigured and outdated systems, coinciding with recent critical vulnerability disclosures affecting Citrix NetScaler.
The attacks have spiked in proximity to newly disclosed vulnerabilities, particularly CVE-2024-8534 and CVE-2024-8535, identified in November 2024.
- CVE-2024-8534: a memory safety vulnerability that can lead to memory corruption and denial of service.
- CVE-2024-8535: allows authenticated users to access unintended user capabilities due to a race condition.
Ethan Fite, director of managed services operations at Cyderes, reported that attackers employ a distributed brute-force strategy, frequently changing IP addresses and Autonomous System Numbers (ASNs) with each attempt. This tactic makes detection and mitigation particularly challenging for security teams.
The German Federal Office for Information Security (BSI) has also warned about increased brute-force attacks against NetScaler devices, with reports coming from various organizations in the critical infrastructure sector and international partners.
To mitigate these threats, cybersecurity experts recommend several immediate actions:
- Block high-risk IP ranges, particularly those associated with the Hong Kong-based cloud provider.
- Patch and upgrade NetScaler devices to the latest supported versions, especially addressing CVE-2024-8534 and CVE-2024-8535.
- Validate configurations, ensuring secure setup of the Remote Desktop Protocol (RDP) feature or disabling it if unnecessary.
- Implement geographic blocking for high-risk or operationally unnecessary locations.
- Monitor for anomalous activity, such as spikes in failed login attempts or traffic irregularities.
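The distributed pattern described above (one failed attempt per IP, with IP and ASN changing every time) slips past a simple per-IP lockout threshold. The detector below, an added example not taken from the article or from any vendor tooling, correlates failures per target account across a sliding window and counts distinct source IPs and ASNs; the log lines are constructed for illustration and do not follow a real NetScaler syslog format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real NetScaler format): time, src ip, asn, user, outcome
SAMPLE_LOG = """\
2024-11-20T10:00:01 198.51.100.10 AS64500 admin FAIL
2024-11-20T10:00:12 198.51.100.77 AS64501 admin FAIL
2024-11-20T10:00:25 203.0.113.5 AS64502 admin FAIL
2024-11-20T10:00:40 203.0.113.9 AS64503 admin FAIL
2024-11-20T10:01:03 192.0.2.44 AS64504 admin FAIL
2024-11-20T10:01:20 192.0.2.45 AS64505 admin FAIL
2024-11-20T10:02:00 198.51.100.10 AS64500 alice OK
2024-11-20T10:02:10 198.51.100.10 AS64500 bob FAIL
2024-11-20T10:02:30 198.51.100.10 AS64500 bob OK
"""

def parse(log):
    """Turn each line into (timestamp, ip, asn, user, result)."""
    events = []
    for line in log.splitlines():
        ts, ip, asn, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, asn, user, result))
    return events

def per_ip_failures(events):
    """Classic per-source view: the number of failures each IP produced."""
    return Counter(ip for _, ip, _, _, result in events if result == "FAIL")

def detect_distributed_bruteforce(events, window=timedelta(minutes=5),
                                  min_failures=5, min_sources=3):
    """Flag accounts that accumulate many failures from many distinct sources
    inside the window. Each IP may fail only once, so per-IP thresholds stay quiet."""
    alerts = {}
    recent = defaultdict(list)  # user -> [(ts, ip, asn), ...] within the window
    for ts, ip, asn, user, result in sorted(events):
        if result != "FAIL":
            continue
        recent[user].append((ts, ip, asn))
        recent[user] = [f for f in recent[user] if ts - f[0] <= window]
        ips = {f[1] for f in recent[user]}
        asns = {f[2] for f in recent[user]}
        if len(recent[user]) >= min_failures and len(ips) >= min_sources:
            alerts[user] = {"failures": len(recent[user]),
                            "ips": len(ips), "asns": len(asns)}
    return alerts

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("max failures from a single IP:", max(per_ip_failures(ev).values()))
    print("distributed brute-force alerts:", detect_distributed_bruteforce(ev))
```

In the sample data no single IP exceeds two failures, yet the `admin` account draws six failures from six IPs in six ASNs within ninety seconds, which is the signal the account-centric view exposes.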
Citrix has released security updates to address these vulnerabilities in NetScaler ADC and NetScaler Gateway versions 14.1-29.72, 13.1-55.34, 13.1-FIPS 13.1-37.207, 12.1-FIPS 12.1-55.321, and 12.1-NDcPP 12.1-55.321. However, versions 12.1 and 13.0, which have reached end-of-life status, remain vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding these vulnerabilities, emphasizing that threat actors could potentially exploit them to take control of affected systems.
As the situation continues to evolve, organizations using Citrix NetScaler devices are strongly urged to take immediate action to secure their systems and prevent potential breaches.
The ongoing attacks underscore the critical importance of maintaining up-to-date security measures and remaining vigilant against emerging threats in the ever-changing cybersecurity landscape.