Organizations are scrambling to respond to active, targeted exploitation of a vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can expose users to session hijacking and other threat activity.
The Cybersecurity and Infrastructure Security Agency is asking organizations to apply the patch, hunt for malicious activity and report any positive findings back to the agency. Exploitation of the vulnerability, dubbed CitrixBleed, has escalated over several weeks, despite a patch being issued Oct. 10.
Researchers at Rapid7 are “continuing to see a steady stream of compromises” related to CitrixBleed, according to Caitlin Condon, head of vulnerability research.
“Organizations seem to be struggling to patch actively exploited vulnerabilities quickly,” Condon said via email.
Rapid7 researchers have seen activity targeting retail, healthcare and manufacturing. Investigations have shown actors engaged in both lateral movement and data access, according to Condon.
Security researcher Dominic Alvieri is reporting that the threat group LockBit is now potentially involved in exploiting CitrixBleed.
LockBit has been linked to the reported threat activity against Boeing; however, it is not immediately known whether the attackers used the Citrix exploit to access Boeing data.
“We are aware of a cyber incident impacting elements of our parts and distribution business,” a Boeing spokesperson said in a statement. “This issue does not affect flight safety. We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers.”
The company last week said it was investigating the attack.
Despite the availability of a patch for the vulnerability, CVE-2023-4966, Citrix said on Oct. 23 that it had credible reports of session hijacking and targeted attacks.
Security researchers say the mass exploitation may stem from a combination of slow patch response and patches that are not providing adequate protection on their own.
“[System administrators] are probably not patching at the rate we'd need them to be to deny threat actors the opportunity to leverage this exploit,” said Dray Agha, U.K. threat operations manager at Huntress. “But it's worth noting, speculatively, that we have seen time and time again where patches are evadable and adversaries are able to identify small adjustments they need to make to their tools in order to re-exploit a flaw that we thought was patched.”
Mandiant last month issued urgent warnings for organizations to delete all prior sessions, after threat actors were able to bypass the patch because previously authenticated sessions could still persist.
Mandiant observed session takeovers in which the threat actors were able to bypass passwords and multifactor authentication, the incident response firm said last week.
Researchers at Palo Alto Networks Unit 42 noted earlier reports that Python exploit scripts were being distributed to ransomware affiliates.
Palo Alto Networks researchers observed compromised users “executing reconnaissance commands and dropping additional tooling on [virtual desktop infrastructure] hosts.”