A significant increase in brute-force attacks targeting outdated and misconfigured Citrix NetScaler devices has been observed in Germany, prompting warnings from cybersecurity experts and organizations, including CERT Germany and the German Federal Office for Information Security (BSI).
Citrix NetScaler devices have been a frequent target for cybercriminals. The recent spike in brute-force attacks follows the disclosure and exploitation of two zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway earlier this year, underscoring the platform’s continued susceptibility to attacks.
The BSI has issued an official warning regarding the growing number of password-guessing attacks targeting NetScaler devices. Reports of these incidents have emerged from organizations operating within critical infrastructure sectors, as well as from international partners, raising concerns about potential disruptions to essential services.
Cybersecurity firm Cyderes was the first to identify the significant increase in attacks targeting outdated or improperly configured NetScaler devices. The attacks originate from an unnamed cloud service provider in Hong Kong and impact a diverse range of client environments. This surge in activity coincides with recent reports of critical vulnerabilities affecting Citrix NetScaler products.
Cyderes specifically highlighted the following vulnerabilities, which were disclosed and patched in November:
- CVE-2024-8534 (CVSS 8.4): This vulnerability can lead to memory corruption and denial-of-service (DoS) conditions, potentially disrupting critical services.
- CVE-2024-8535 (CVSS 5.8): This vulnerability allows an authenticated user to access unintended functionality, potentially enabling unauthorized access to sensitive data or systems.
Citrix has strongly urged customers to apply the necessary updates immediately to mitigate these risks.
Cyderes experts have observed that attackers are employing a distributed brute-force strategy, frequently rotating source IP addresses and autonomous system numbers (ASNs) to evade detection and complicate mitigation. This tactic makes blocking based on specific IP addresses or networks unreliable on its own.
To combat these attacks, Cyderes recommends the following measures:
- Block High-Risk IP Ranges: Blocking known malicious or high-risk IP ranges can significantly reduce the likelihood of compromise.
- Update NetScaler Devices: Updating to supported versions and applying all available patches is crucial for addressing known vulnerabilities.
- Securely Configure or Disable Remote Access: If remote access is not necessary, it should be disabled. If required, it should be securely configured with strong passwords, multi-factor authentication, and strict access controls.
- Monitor for Suspicious Activity: Regularly monitoring logs and network traffic for suspicious activity can help detect and respond to attacks promptly.
Citrix has endorsed these recommendations, emphasizing the critical importance of timely updates and proper device configuration.
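Because the rotating-source tactic described above defeats per-IP thresholds, a detector is better keyed on the target account than on the source. The following is an added illustration, not code from Cyderes, Citrix or the BSI: it aggregates authentication failures per username inside a sliding time window and alerts when the failures come from several distinct source IPs and ASNs. The log lines and the `auth_failure user=... src=... asn=...` format are constructed for this example and are not NetScaler's own log syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-failure lines (a generic format, not NetScaler's own log syntax).
SAMPLE_LOG = """\
2024-12-01T10:00:01 auth_failure user=admin src=203.0.113.10 asn=AS64500
2024-12-01T10:00:07 auth_failure user=admin src=198.51.100.22 asn=AS64501
2024-12-01T10:00:15 auth_failure user=admin src=192.0.2.33 asn=AS64502
2024-12-01T10:00:21 auth_failure user=admin src=203.0.113.44 asn=AS64503
2024-12-01T10:00:30 auth_failure user=admin src=198.51.100.55 asn=AS64504
2024-12-01T10:00:40 auth_failure user=admin src=192.0.2.66 asn=AS64505
2024-12-01T10:05:00 auth_failure user=jdoe src=203.0.113.10 asn=AS64500
2024-12-01T10:05:30 auth_failure user=jdoe src=203.0.113.10 asn=AS64500
"""

LINE_RE = re.compile(r"^(\S+) auth_failure user=(\S+) src=(\S+) asn=(\S+)$")

def parse_failures(text):
    """Return (timestamp, user, src_ip, asn) tuples for each auth_failure line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, asn = m.groups()
            out.append((datetime.fromisoformat(ts), user, ip, asn))
    return out

def detect_distributed_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_sources=3):
    """Flag accounts with >= min_failures failures from >= min_sources distinct IPs inside any window."""
    by_user = defaultdict(list)
    for ts, user, ip, asn in events:
        by_user[user].append((ts, ip, asn))
    alerts = {}
    for user, recs in by_user.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # advance the window start until the span recs[start..end] fits inside `window`
            while recs[end][0] - recs[start][0] > window:
                start += 1
            chunk = recs[start:end + 1]
            ips = {r[1] for r in chunk}
            if len(chunk) >= min_failures and len(ips) >= min_sources:
                best = alerts.get(user, {"failures": 0})
                if len(chunk) > best["failures"]:  # keep the largest qualifying window per account
                    alerts[user] = {"failures": len(chunk), "distinct_ips": len(ips),
                                    "distinct_asns": len({r[2] for r in chunk})}
    return alerts
```

On the constructed sample, `admin` is flagged (six failures from six IPs in six ASNs within 40 seconds) while `jdoe`, with two failures from one address, is not; a per-IP rule would have missed the first case entirely.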