Threat actors are leveraging the ‘Citrix Bleed’ vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.
Researchers from Mandiant report that four ongoing campaigns target vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023.
The security company has seen post-exploitation activity related to credential theft and lateral movement, warning that exploitation leaves behind limited forensic evidence, making these attacks particularly stealthy.
Citrix Bleed
The Citrix Bleed CVE-2023-4966 vulnerability was disclosed on October 10 as a critical severity flaw impacting Citrix NetScaler ADC and NetScaler Gateway, allowing access to sensitive information on the devices.
A week after a fix was made available, Mandiant revealed the flaw was a zero-day under active exploitation since late August, with hackers leveraging it to hijack existing authenticated sessions and bypass multifactor protection.
Attackers used specially crafted HTTP GET requests to force the appliance to return system memory contents, which include a valid Netscaler AAA session cookie issued post-authentication and after MFA checks.
Hackers who steal these authentication cookies can then access the device without performing an MFA verification again.
Citrix followed up with a second warning to admins, urging them to secure their systems against the ongoing attacks, which were low-complexity and didn’t require any user interaction.
On October 25, AssetNote researchers released a proof-of-concept (PoC) exploit demonstrating how to hijack a NetScaler account via session token theft.
Ongoing attacks
Mandiant explains that the lack of logging on the appliances makes investigating the exploitation of CVE-2023-3966 challenging, requiring web application firewalls (WAF) and other network traffic monitoring appliances to log traffic and determine if a device was exploited.
Unless a network uses this type of monitoring before an attack, it prevents any historical analysis and limits researchers to real-time observations.
Even post-exploitation, the attackers remain stealthy, employing living-off-the-land techniques and common administrative tools like net.exe and netscan.exe to blend with daily operations.
Mandiant was able to identify exploitation attempts and session hijacking via one of the following pathways:
- WAF request analysis: Requests to the vulnerable endpoint can be logged by WAF tools.
- Login patterns monitoring: Client and source IP address mismatches and multiple sessions from the same IP address written in ns.log files are signs of potential unauthorized access.
- Windows Registry correlation: Correlating Windows Registry entries on Citrix VDA systems with ns.log data makes it possible to trace the attacker’s origin.
- Memory dump inspection: NSPPE process memory core dump files can be analyzed for unusually long strings containing repetitive characters, which may indicate exploitation attempts.
Attack goals
After exploiting CVE-2023-4966, the attackers engaged in network reconnaissance, stealing account credentials and moving laterally via RDP.
The tools the threat actors use at this phase are the following:
- net.exe – Active Directory (AD) reconnaissance
- netscan.exe – internal network enumeration.
- 7-zip – create an encrypted segmented archive for compressing reconnaissance data
- certutil – encode (base64) and decode data files and deploy backdoors
- e.exe and d.dll – load into the LSASS process memory and create memory dump files
- sh3.exe – run the Mimikatz LSADUMP command for credential extraction
- FREEFIRE – novel lightweight .NET backdoor using Slack for command and control
- Atera – Remote monitoring and management
- AnyDesk – Remote desktop
- SplashTop – Remote desktop
Although many of the above are commonly found in enterprise environments, their combined deployment may be a sign of compromise, and tools like FREEFIRE are clear indications of a breach.
The researchers have released a Yara rule that can be used to detect FREE FIRE on a device.
Mandiant says the four threat actors that exploit CVE-2023-4966 in various campaigns show some overlap in the post-exploitation stage.
All four extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz.
Applying the available security updates does not address existing breaches, and thus, a full incident response is required.
For advice on system restoration, check out Mandiant’s remediation guide.