According to Mandiant, the Citrix vulnerability, which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.
Citrix, the vendor of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) that exposes sensitive information. Mandiant, a prominent Google-owned cybersecurity firm, has identified instances of both zero-day exploitation and continued exploitation of this vulnerability following Citrix’s disclosure.
The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, with exploitation continuing after the company released its security advisory.
Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.
Mandiant’s findings shed light on indicators that help identify exploitation activity and highlight various post-exploitation techniques witnessed during their incident response investigations.
Vulnerable Endpoints
When Citrix released firmware updates addressing CVE-2023-4966, Mandiant employed methods similar to those of Assetnote, an external attack surface management firm, to identify the vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers that it believed were the result of zero-day exploitation.
Using differential firmware analysis, they pinpointed the vulnerable endpoint: an HTTP GET request with an oversized Host header causes a vulnerable appliance to expose the contents of system memory, potentially revealing a valid NetScaler AAA session cookie.
Investigation Challenges
A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on web application firewalls (WAF) or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.
Techniques for Identifying Exploitation
Mandiant outlined several techniques for identifying potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.
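As an added example (not code from the article or from Mandiant’s post), the following Python detector scans WAF log lines for requests whose Host header is far longer than any legitimate hostname, which is the request shape described above. The log lines, their key=value format, the request path, and the length cutoff are all constructed assumptions for this example.

```python
import re
from typing import Dict, List

# DNS limits a hostname to 253 octets, so a Host header far beyond that (plus an
# optional port) is not a legitimate client. This cutoff is an assumption chosen
# for the example, not a value from Mandiant's report.
MAX_HOST_LEN = 300

# Constructed WAF log lines (not captured traffic). The key=value layout is a
# hypothetical format; replace parse_line() with one matching your own WAF.
OVERSIZED_HOST = "A" * 4096
SAMPLE_WAF_LOG = "\n".join([
    "ts=2023-10-11T08:15:02Z src=203.0.113.10 method=GET path=/vpn/index.html "
    "host=netscaler-gw.example.test status=200",
    "ts=2023-10-11T08:15:09Z src=203.0.113.10 method=GET path=/logon/LogonPoint/index.html "
    "host=netscaler-gw.example.test:443 status=200",
    # Placeholder path: the article does not name the vulnerable endpoint.
    "ts=2023-10-11T08:17:44Z src=198.51.100.77 method=GET path=/placeholder/endpoint "
    f"host={OVERSIZED_HOST} status=200",
])

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; values contain no spaces."""
    return dict(LINE_RE.findall(line))


def host_is_suspicious(host: str, max_len: int = MAX_HOST_LEN) -> bool:
    """Flag a Host header longer than any real hostname[:port] can be."""
    return len(host) > max_len


def find_oversized_host_requests(log_text: str, max_len: int = MAX_HOST_LEN) -> List[Dict[str, str]]:
    """Return parsed entries whose Host header looks like a memory-disclosure probe."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        host = entry.get("host", "")
        if host_is_suspicious(host, max_len):
            entry["host_len"] = str(len(host))
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_oversized_host_requests(SAMPLE_WAF_LOG):
        print(f"{hit['ts']} src={hit['src']} path={hit['path']} host_len={hit['host_len']}")
```

Because the appliance itself does not log requests to the affected endpoint, this check only works on logs captured in front of the NetScaler, as the article notes.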
Post-Exploitation Activities
Following successful exploitation, Mandiant observed several post-exploitation tactics, such as reconnaissance, credential harvesting, and lateral movement through RDP. Threat actors used a variety of tools and techniques to gain access, including Mimikatz for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, AnyDesk, and SplashTop.
Victimology and Attribution
Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.
“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe, certutil.exe, local.exe, nbtscan.exe.”
Mandiant
Remediation Efforts
Mandiant published a blog post offering remediation recommendations and guidance to mitigate this vulnerability.
In conclusion, this disclosure provides insight into the exploitation and post-exploitation activity resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.
Editor’s note:
This article includes only limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that it is a summary of the extensive information provided in the original blog post by Mandiant.