Governments around the world are being hacked thanks to Citrix flaws

Someone’s using Citrix Bleed to go after government endpoints

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are using the Citrix Bleed vulnerability in the wild to go after endpoints in government institutions, legal organizations, and other firms across the world.

This is according to cybersecurity researcher Mandiant, who recently published a report describing at least four currently active campaigns. The campaigns allegedly started in late August this year.

The threat actors are using Citrix Bleed, tracked as CVE-2023-4966, to target NetScaler ADC, and NetScaler Gateway appliances. The vulnerability has a 9.4 vulnerability score and is being used to grab personal information such as login credentials, and to allow for lateral movement across the compromised network.

Dozens of tools

The hackers are also apparently leaving behind very little evidence, making forensics a nightmare. In its analysis, though, Mandiant said it has discovered exploitation attempts and session hijacking via WAF request analysis, Windows Registry correlation, and Memory dump inspection.

In late October, Citrix released a patch for the flaw and urged users to apply it, claiming the vulnerability was being abused in the wild.

Prior to Citrix’s reaction, both Mandiant and CISA warned about the flaw. Mandiant said hackers were probably using it to hijackauthenticationsessions and steal corporate data since August. CISA, on the other hand, wasn’t that specific, saying the vulnerability was “unknown” but “used in ransomware campaigns”.

In the meantime, someone posted a proof-of-concept on GitHub, called Citrix Bleed.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Mandiant says hackers are using a handful of tools in their attacks, including net.exe for Active Directory reconnaissance, netscan.exe for internal network enumeration, 7-zip for compressing and encrypting reconnaissance data, FREEFIRE as a .NET backdoor, and AnyDesk for remote desktop management - to name a few.

Not all of the tools are malicious by design, but in the wrong hands, they can cause quite a lot of damage.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)