Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management

LockBit and Nation-State Groups Using Session Tokens to Access Patched Devices

Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions
Attackers are actively exploiting CVE-2023-4966, aka Citrix Bleed, in NetScaler – formerly known as Citrix – devices. (Image: Assetnote)

With experts warning that unpatched NetScaler devices are being exploited by nation-state and cybercrime groups, the manufacturer has again urged all users to “patch immediately, among other security steps.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

The alert applies to all self-managed NetScaler Application Delivery Controller and Gateway devices – owned by privately held Cloud Software Group, which counts NetScaler and Citrix as business units.

NetScaler on Oct. 10 issued a security alert and patch for CVE-2023-4966, a critical vulnerability also known as “Citrix Bleed,” which affects both NetScaler ADC and Gateway products, formerly known as Citrix ADC and Citrix Gateway. Subsequently, both the U.S. Cybersecurity and Infrastructure Security Agency and Google Cloud’s Mandiant threat intelligence unit reported attackers were actively exploiting the flaw in the wild, prior to the patch’s release.

NetScaler on Monday issued a fresh alert in the wake of reports that multiple groups, including the LockBit ransomware group, have been exploiting unpatched NetScaler devices. Doing so allows attackers not only to gain remote access, but also to steal session tokens they can use to access the devices later, even post-patch.

Every NetScaler ADC and Gateway device was potentially hacked, prior to the patch being released, experts warn. “Somebody harvested session tokens from almost every box on the internet,” British security researcher Kevin Beaumont said Monday in a post to Mastodon.

Beaumont using the vulnerability. “This has been done in a coordinated fashion amongst multiple LockBit operators – a strike team to break into organizations using Citrix Bleed and then hold them to ransom.”

Citrix Bleed enables attackers to extract valid session tokens from vulnerable internet-connected devices. “The compromised session tokens can then be used to impersonate active sessions, which bypass authentication – even multifactor – and gain complete access to the appliance,” the Financial Services Information Sharing and Analysis Center warned in an alert issued last week. “This vulnerability can still occur even if the vulnerability is patched and rebooted, as copied tokens will remain valid unless further steps are taken.”

Advanced persistent threat groups have also been targeting the flaw, warned Eric Goldstein, CISA’s executive assistant director. “We are aware that a wide variety of malicious actors, including both nation-state and criminal groups, are focused on leveraging the Citrix Bleed vulnerability,” he told Bloomberg News. CISA said it’s been actively assisting victims with remediation.

Threat intelligence firm GreyNoise reports seeing a steady volume of attempts to exploit CVE-2023-4966. Beaumont last week said he counted 5,000 organizations running unpatched NetScaler ADC or Gateway or devices.

Making Citrix Bleed

Attackers have been exploiting Citrix Bleed to gain access to victims’ networks, leading to post-intrusion activities that “include – but are not limited to – network reconnaissance, theft of account credentials, lateral movement via RDP, deployment of remote monitoring and management tools, and high-profile ransomware infections from LockBit,” FS-ISAC said.

“This vulnerability allows the bypass of all multi-factor authentication controls, and provides a point-and-click desktop PC within the impacted victim’s internal network via VDI – think remote desktop or RDP,” Beaumont said, latterly referring to the remote desktop protocol used to facilitate remote access to a system.

NetScaler on Monday urged any organization that has yet to patch their devices, terminate or invalidate all active sessions and review their logs for signs of prior compromise to do so immediately. “With the holidays and year-end change freezes approaching, we strongly urge NetScaler customers to follow our remediation guidance for CVE-2023-4966,” as well as best practices for securing these devices, it said.

“Essential point is: run the commands to kill active sessions,” Beaumont said.

FS-ISAC also recommends all organizations “check whether attackers left behind web shells or backdoors, and secure their systems,” regardless of when they patched, since the vulnerability was being exploited before NetScaler released a fix.

NetScaler also published recommendations to help users investigate exploits of CVE-2023-4966 inside their environment. Among other advice, it advises users “look for patterns of suspicious session use in your organizations’ monitoring and visibility tools, particularly relating to virtual desktops if you have these configured.”