Citrix, a company known for its NetScaler ADC and Gateway appliances, recently issued a security bulletin on October 10, 2023, addressing a critical vulnerability identified as CVE-2023-4966. This security flaw has been found to expose sensitive information. Notably, cybersecurity firm Mandiant, a subsidiary of Google, has reported instances of both zero-day attacks and subsequent exploitations of this vulnerability following Citrix’s disclosure.
The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been exploited in the wild since late August 2023, with exploitation persisting even after Citrix released its security advisory.
Mandiant’s investigations have uncovered successful exploitation incidents where threat actors were able to take control of legitimate user sessions on these Citrix appliances. They achieved this by bypassing authentication measures, including passwords and multi-factor authentication.
Mandiant’s findings not only shed light on factors that help in identifying exploitation activities but also highlight various post-exploitation techniques witnessed during their incident response investigations.
Vulnerable Endpoints
One significant discovery concerned the vulnerable endpoints. When Citrix released firmware updates to address CVE-2023-4966, Mandiant, following the methods of Assetnote, an external attack surface management firm, identified the vulnerable functions and crafted a proof of concept (PoC). Even before Citrix’s disclosure, Mandiant had been investigating session takeovers that they suspected resulted from zero-day exploitation.
Through differential firmware analysis, they pinpointed the vulnerable endpoint and crafted a specific HTTP GET request that included an abnormally long Host header. On a vulnerable appliance, this request caused the contents of system memory to be returned in the response, potentially revealing a valid NetScaler AAA session cookie.
Investigation Challenges
Mandiant outlined several techniques for identifying potential exploitation and subsequent session hijacking, including scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.
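As an added illustration, not code from the article or from Mandiant, the script below runs two of the checks just described over constructed log records: it flags requests whose Host header is abnormally long, and it flags session identifiers that are later reused from a different client IP, which is what a hijacked session looks like in access logs. The log format, field layout and length threshold are assumptions for the example and will differ from real NetScaler or WAF logs.

```python
"""Detection sketch for two signals: an abnormally long Host header in a
request, and one session identifier used from more than one client IP.
The log format, fields and threshold below are assumptions, not a real
NetScaler or WAF format."""
from collections import defaultdict
from typing import Dict, List, Set

# Assumed threshold: a legitimate Host header is a hostname, so anything
# far beyond a typical FQDN length is worth a look. Tune per environment.
MAX_HOST_LEN = 512

# Constructed sample records (not real data) in an assumed format:
# <client_ip> <method> <path> <host_header_length> <session_id or ->
SAMPLE_LOG = """\
203.0.113.10 GET /vpn/index.html 21 -
203.0.113.10 POST /cgi/login 21 sess-a1b2
203.0.113.10 GET /vpn/portal.html 21 sess-a1b2
198.51.100.7 GET /vpn/index.html 24576 -
192.0.2.55 GET /vpn/portal.html 21 sess-a1b2
"""

def parse_log(text: str) -> List[Dict[str, object]]:
    """Split each line into its five fields; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        records.append({"ip": parts[0], "method": parts[1], "path": parts[2],
                        "host_len": int(parts[3]), "session": parts[4]})
    return records

def oversized_host_requests(records, max_len: int = MAX_HOST_LEN):
    """Signal 1: requests whose Host header length exceeds the threshold."""
    return [r for r in records if r["host_len"] > max_len]

def sessions_from_multiple_ips(records) -> Dict[str, Set[str]]:
    """Signal 2: session IDs seen from more than one client IP. A changing
    IP can be benign (mobile clients, proxies), so treat this as a lead to
    triage, not a verdict."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["session"] != "-":
            seen[r["session"]].add(r["ip"])
    return {s: ips for s, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in oversized_host_requests(recs):
        print(f"oversized Host header ({r['host_len']} bytes) from {r['ip']}")
    for sess, ips in sessions_from_multiple_ips(recs).items():
        print(f"session {sess} seen from multiple IPs: {sorted(ips)}")
```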
Post-Exploitation
Following successful exploitation, Mandiant observed several post-exploitation tactics. These included surveillance, credential harvesting, and lateral movement through Remote Desktop Protocol (RDP). Threat actors used various tools and techniques, including Mimikatz for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, AnyDesk, and SplashTop.
Mandiant’s investigation encompassed multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They have identified four distinct uncategorized (UNC) groups involved in exploiting this vulnerability, with some overlaps in post-exploitation activities, such as the use of common recon commands and utilities available on Windows.
Timothy Morris, Chief Security Advisor at Tanium, emphasized the significance of addressing the issue promptly. Morris highlighted that “Session Hijacking” can range from low to extremely high risk, depending on the session being hijacked. He stressed the importance of both patching and incident response threat hunting to prevent future exploitation and address potential intrusions that may have already occurred.
Remediation Recommendations
Mandiant has also published a blog post offering remediation recommendations and guidance to mitigate this vulnerability. In conclusion, the revelation of the Citrix vulnerability CVE-2023-4966 sheds light on the exploitation and post-exploitation activities associated with it. Mandiant’s ongoing investigation aims to comprehend the intricacies of the exploit and provide comprehensive guidance for remediation.