Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

According to Mandiant, the Citrix vulnerability which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.

Citrix, a provider of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) exposing sensitive information. Mandiant, a Google-owned prominent cybersecurity firm, has identified instances of both zero-day exploitation and subsequent exploitation of this vulnerability following Citrix’s disclosure.

The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, continuing after the release of the security advisory by the company.

Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.

Mandiant’s findings shed light on factors that help in identifying exploitation activities and highlight various post-exploitation techniques witnessed during their incident response investigations.

Vulnerable Endpoints

When Citrix released firmware updates addressing CVE-2023-4966, Mandiant employed similar methods as Assetnote, an external attack surface management firm, to identify vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers, which they believed were the result of zero-day exploitation.

With differential firmware analysis, they pinpointed the vulnerable endpoint by crafting an HTTP GET request with an extended Host header, causing a vulnerable appliance to expose system memory contents, potentially revealing a valid NetScaler AAA session cookie.

Investigation Challenges

A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on web application firewalls (WAF) or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.

Techniques for Identifying Exploitation

Mandiant outlined several techniques to identify potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.

Post-Exploitation Activities

Following successful exploitation, Mandiant observed several post-exploitation tactics, such as surveillance, credential harvesting, and lateral movement through RDP. Threat actors used various tools and techniques to gain access, including Mimikatz for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, AnyDesk, and SplashTop.

Victimology and Attribution

Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.

“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe certutil.exe local.exe nbtscan.exe.”

Mandiant

Timothy Morris, Chief Security Advisor at Tanium also commented on the issue and wanted that the Netscaler exploitation is at large scale right now. “Session Hijacking” could be low risk, however, it could also be extremely high-risk, depending upon the session being hijacked,” Morris said.

“It is important that customers patch immediately and do the necessary incident response threat hunting. In other words, don’t assume that “If I patch, I’m good.” That might prevent the next exploitation attempt (i.e. repairing the broken window) but doesn’t resolve what might have already happened (i.e. who is already in the house due to the previously broken window),” added Morris.

Remediation Efforts

Mandiant published a blog post offering remediation recommendations and guidance to mitigate this vulnerability.

In conclusion, this revelation provides insights into the exploitation and post-exploitation activities resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.

****Editor’s note:****

The article includes limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that this is a summarization of the extensive information provided in the original blog post by Mandiant.

****RELATED ARTICLES****

1. Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
2. Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
3. JetBrains Patches TeamCity Flaw Allowing RCE and Server Hijacking
4. iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
5. Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird