
Citrix has issued an advisory highlighting an increase in password spraying attacks aimed at NetScaler appliances worldwide. The attacks target the appliances' authentication endpoints and, by their sheer volume, have caused significant operational disruptions for the organizations on the receiving end.
Unlike brute force attacks, which bombard a single account with a large number of password attempts, password spraying tries a small set of common passwords across many accounts. Because each account sees only a few attempts, the technique stays below lockout thresholds and often slips past detection that is tuned to per-account failure counts. According to Citrix, “These attacks are consistent with password spraying attacks and are distinct from brute force attacks.”
The advisory highlights several operational risks for organizations using NetScaler appliances:
- Excessive Logging: The high volume of failed login attempts fills the NetScaler ns.log file, consuming disk space in the /var partition and potentially disrupting GUI access.
- CPU Overload: The surge in authentication requests can overload management CPU resources, potentially causing High Availability (HA) failover events.
- Appliance Instability: The attacks can overwhelm the AAA module, leading to crashes in some instances.
Citrix explains: “The high number of login attempts from large password spraying attacks can overwhelm the appliance, potentially leading to service and/or operational disruption in some cases.”
These attacks primarily target the historical, pre-nFactor authentication endpoints and are characterized by:
- A broad range of dynamic source IP addresses, which makes per-IP blocking and rate limiting ineffective on their own.
- A high volume of authentication failures logged in systems such as Gateway Insight and Active Directory.
Citrix has provided a detailed set of mitigations to reduce the impact of these attacks:
- Enable Multi-Factor Authentication (MFA): Citrix advises configuring MFA through nFactor as the first layer of the authentication flow, so that a guessed password alone does not grant access.
- Restrict Access with Responder Policies: Block the commonly targeted legacy endpoints, such as /cgi/login and /p/u/doAuthentication.do, and configure policies that allow requests only for the gateway's intended fully qualified domain name (FQDN).
- Activate Web Application Firewall (WAF): Enable WAF for Gateway vServers to enhance blocking of malicious requests.
- Utilize IP Reputation: Enable the IP reputation feature so that traffic from known malicious IPs is blocked automatically.
- Optimize Log Rotation: Shorten the log rotation interval to 30 minutes so that bursts of failed-login entries do not exhaust disk space.
- Enable reCAPTCHA: Add reCAPTCHA to the login process to deter automated attacks.
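The responder-policy mitigation above, as an added example that is not taken from the Citrix advisory: a NetScaler CLI fragment that drops requests addressed to any host other than the gateway's FQDN and drops requests to the legacy authentication endpoints the advisory names. The vserver name gw_vs and the FQDN gateway.example.com are placeholders; the `#` lines are annotations for the reader, not CLI input. Verify the syntax against the command reference for your firmware version before applying it.

```text
# Added example, not from the Citrix advisory. gw_vs and gateway.example.com are placeholders.
enable ns feature responder

# 1. Drop anything not addressed to the gateway's own FQDN. Scanners frequently hit the raw
#    IP or a stale DNS name, so this policy is evaluated first and discards the broadest class
#    of junk without generating a response.
add responder policy rsp_deny_non_fqdn "HTTP.REQ.HOSTNAME.SERVER.SET_TEXT_MODE(IGNORECASE).EQ(\"gateway.example.com\").NOT" DROP

# 2. Drop the historical pre-nFactor authentication endpoints named in the advisory.
add responder policy rsp_deny_legacy_auth "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/cgi/login\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/p/u/doAuthentication.do\")" DROP

# 3. Bind both to the Gateway vserver. A lower priority number is evaluated first; a policy
#    that does not match falls through to the next one.
bind vpn vserver gw_vs -policy rsp_deny_non_fqdn    -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver gw_vs -policy rsp_deny_legacy_auth -priority 110 -gotoPriorityExpression END -type REQUEST

# 4. Confirm the policies are taking effect: the Hits counter should climb during an attack.
show responder policy rsp_deny_non_fqdn
show responder policy rsp_deny_legacy_auth
```

DROP is used rather than a 403 response because the point of the mitigation is to shed load: the appliance spends nothing building a reply to a request it will never authenticate. Two caveats apply. Apply the endpoint block only once every client flow has moved to nFactor, since classic (pre-nFactor) logins still post to /cgi/login and would be dropped. And before binding the FQDN policy, confirm that no legitimate clients reach the gateway by IP address or by an alternate DNS name, or add those names to the rule.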
Citrix reassures customers using Gateway Service that no remedial actions are required. The advisory specifies: “Only NetScaler/NetScaler Gateway appliances deployed on premises or in cloud infrastructure require these mitigations.”
Citrix emphasizes the importance of proactive defense measures, noting: “Requests targeting /p/u/doAuthentication.do and /p/u/getAuthenticationRequirements.do are getting blocked with a higher success rate if WAF for Gateway has been enabled.”