Mandiant reveals consequences of Citrix NetScaler ADC/Gateway vulnerability

Lord777

Experts detail the activity of cybercriminals.

Specialists at the information security company Mandiant have found active exploitation of a vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The issue, CVE-2023-4966 (CVSS: 9.4), was fixed at the end of August 2023 but was not made public until October 10.

The vulnerability allowed attackers to take control of legitimate user sessions by bypassing authentication systems, including passwords and two-factor authentication (2FA). Exploitation of the vulnerability continued even after the publication of a patch from Citrix.

Mandiant analysts report cases of successful exploitation in which attackers were able to collect confidential information, deploy malicious programs, and move laterally through the network using RDP. It was found that the vulnerable endpoint was identified by analyzing the firmware, and that sending HTTP requests to it with an oversized Host header led to the disclosure of the contents of the device's system memory.

Tracking attempts to exploit the vulnerability turned out to be difficult, since requests to the endpoint were not logged on the server. Mandiant experts recommend using a WAF (Web Application Firewall) or a similar network device to log HTTP/S requests so that exploitation attempts can be identified.

To detect unauthorized access, it is suggested to analyze WAF logs, monitor suspicious NetScaler login patterns, check Windows Registry keys, and analyze memory dump files.

After a successful hack, various post-exploitation activities were observed: reconnaissance, credential collection, and the use of various tools for access, including Mimikatz to collect information from process memory, and management and monitoring tools such as Atera, AnyDesk, and SplashTop.

The investigation covered organizations in various sectors, including the legal field, professional services, technology and government structures in the Americas, EMEA (Europe, the Middle East and Africa) and the Asia-Pacific region. The experts are tracking the actions of four previously uncategorized groups.

Mandiant also published recommendations on how to fix the vulnerability and prevent similar incidents in the future. Experts strongly recommend that customers immediately install patches and perform threat analysis as part of their incident response.

The discovery of the CVE-2023-4966 vulnerability in Citrix systems prompted an in-depth study of its exploitation and of the subsequent actions of the intruders. The information from Mandiant makes it possible to understand the complexity of the problem and the need for a comprehensive approach to resolving the security issue.
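As an added example (not code from Mandiant or Citrix, and not part of the original post), the two detections the post recommends, run over WAF-style HTTP logs: flagging requests whose Host header is far longer than any legitimate hostname (the memory-disclosure trigger described above), and flagging a NetScaler session cookie that is presented from more than one client IP (a hijacked session being replayed). The JSON-per-line log format and all addresses are constructed for the example; the 512-byte Host limit (the longest legal DNS name is 253 characters) and the cookie name NSC_AAAC used for NetScaler AAA sessions are assumptions to adjust to your own logs.

```python
"""Hunt for CVE-2023-4966 activity in WAF / reverse-proxy HTTP logs (example code)."""
import json
from collections import defaultdict

# Assumption: a legitimate Host header never exceeds this. RFC 1035 caps a
# hostname at 253 characters; 512 leaves room for a port and odd clients.
HOST_HEADER_LIMIT = 512
# Assumption: the NetScaler AAA session cookie as it appears in your logs.
SESSION_COOKIE = "NSC_AAAC"


def _line(ts, src, path, host, cookies=None):
    """Build one constructed log line (one JSON object per line)."""
    return json.dumps({"ts": ts, "src": src, "method": "GET", "path": path,
                       "host": host, "cookies": cookies or {}})


# Constructed sample log: one normal request, one with a ~24 KB Host header
# (the disclosure trigger; the path is irrelevant to this check), then a
# session cookie first seen from 203.0.113.7 and later replayed from 198.51.100.9.
SAMPLE_LOG = "\n".join([
    _line("2023-10-12T08:01:10Z", "203.0.113.7", "/vpn/index.html", "vpn.example.com"),
    _line("2023-10-12T08:02:31Z", "198.51.100.9", "/", "a" * 24000),
    _line("2023-10-12T08:03:05Z", "203.0.113.7", "/cgi/login", "vpn.example.com",
          {SESSION_COOKIE: "abc123"}),
    _line("2023-10-12T08:03:40Z", "203.0.113.7", "/vpn/index.html", "vpn.example.com",
          {SESSION_COOKIE: "abc123"}),
    _line("2023-10-12T08:09:12Z", "198.51.100.9", "/vpn/index.html", "vpn.example.com",
          {SESSION_COOKIE: "abc123"}),
    _line("2023-10-12T08:10:00Z", "203.0.113.50", "/vpn/index.html", "vpn.example.com",
          {SESSION_COOKIE: "def456"}),
])


def parse_log(text):
    """Parse JSON-per-line log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_oversized_host(events, limit=HOST_HEADER_LIMIT):
    """Return requests whose Host header exceeds `limit` bytes."""
    hits = []
    for e in events:
        host_len = len(e.get("host", ""))
        if host_len > limit:
            hits.append({"ts": e["ts"], "src": e["src"],
                         "path": e["path"], "host_len": host_len})
    return hits


def find_multi_ip_sessions(events, cookie_name=SESSION_COOKIE):
    """Map each session token seen from more than one source IP to that set of IPs."""
    ips_by_token = defaultdict(set)
    for e in events:
        token = e.get("cookies", {}).get(cookie_name)
        if token:
            ips_by_token[token].add(e["src"])
    return {tok: srcs for tok, srcs in ips_by_token.items() if len(srcs) > 1}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in find_oversized_host(events):
        print(f"[oversized Host] {hit['ts']} {hit['src']} {hit['path']} len={hit['host_len']}")
    for token, srcs in find_multi_ip_sessions(events).items():
        print(f"[session from multiple IPs] {token}: {sorted(srcs)}")
```

The Host-length check is the reliable one: nothing legitimate sends a multi-kilobyte hostname, so a single hit is worth an investigation. The multi-IP session check will produce false positives for users who roam between networks or sit behind changing NAT addresses, so treat it as a lead to correlate with the login patterns, registry keys and memory artifacts the post mentions rather than as proof on its own. Session tokens are themselves secrets; if you ship these findings anywhere, hash the token before logging it.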