Mandiant Exposes Ongoing Exploits Against Citrix Users

Experts from the cybersecurity firm Mandiant have discerned an active exploitation of a vulnerability within Citrix’s NetScaler ADC and Gateway systems. The issue, designated as CVE-2023-4966 and bearing a CVSS score of 9.4, was initially documented in late August of 2023, but its details were only disseminated publicly on the 10th of October.

This vulnerability granted malefactors the ability to intercept control of legitimate user sessions, circumventing authentication mechanisms including passwords and two-factor authentication. The exploitation persisted even after Citrix published a remedy.

Mandiant analysts have reported instances of successful exploitation, which enabled the perpetrators to amass confidential data, implant malware, and traverse the network via the Remote Desktop Protocol. The vulnerable endpoint was detected through firmware analysis and the crafting of HTTP requests with an augmented Host header, leading to the exposure of the device’s system memory contents.

Tracking attempts to exploit this vulnerability proved challenging as server requests to it were not logged. Mandiant’s experts suggest employing a Web Application Firewall or similar network devices to log HTTP/S requests to identify exploitation attempts.

To detect unauthorized access, they recommend analyzing WAF logs, monitoring for unusual login patterns to the NetScaler system, scrutinizing Windows Registry keys, and examining memory dump files.

Following successful breaches, various post-exploitation activities were observed: reconnaissance, credential harvesting, use of various access tools including Mimikatz to extract information from process memory, and command and monitoring tools such as Atera, AnyDesk, and Splashtop.

The investigation encompassed organizations across diverse sectors, including legal, professional services, technology, and governmental bodies within America, the EMEA region, and the Asia-Pacific. Experts are monitoring the activities of four previously unidentified groups.

Mandiant has also published recommendations for mitigating the vulnerability and preventing similar incidents in the future. The firm strongly advises clients to immediately install fixes and conduct threat analysis as part of incident response protocols.

The detection of CVE-2023-4966 in Citrix systems has precipitated an in-depth examination of exploitation and subsequent malevolent activities. Information from Mandiant elucidates the complexity of the issue and underscores the necessity of a comprehensive approach to security resolution.