Citrix’s Cookie Crumble: When Appliances Bleed Data and Hackers Play Santa

Say hello to the ‘Citrix Bleed’ vulnerability exploitation, where hackers get more cookies than a Santa on a sugar rush. No sleigh? No problem. They’re bypassing multifactor protection and pilfering sensitive info with more finesse than Danny Ocean’s finest. But beware, this cyber heist leaves behind as much evidence as a ghost would—almost none.

Hot Take:

If there ever was a time you wished your appliances would just shut up and work, it’s now. Unfortunately, Citrix NetScaler ADC and Gateway appliances didn’t get the memo and decided to start bleeding sensitive information instead. Thanks to the ‘Citrix Bleed’ vulnerability, hackers are having a field day, bypassing multifactor protection and stealing cookies faster than a pre-diet Santa Claus. And with the stealthy nature of these attacks, they’re pulling off these heists smoother than Danny Ocean and his crew.

Key Points:

  • The ‘Citrix Bleed’ vulnerability is being exploited in ongoing campaigns, targeting various organizations across the globe.
  • This vulnerability allows access to sensitive information on Citrix NetScaler ADC and Gateway appliances.
  • Attackers bypass multifactor protection and steal authentication cookies.
  • The exploitation of this vulnerability leaves behind limited forensic evidence, making the attacks hard to detect.
  • Mandiant researchers have identified four threat actors using this vulnerability in their campaigns.

Need to know more?

Citrix's Bloody Mess

The 'Citrix Bleed' vulnerability became the hottest ticket in town for hackers after it was disclosed on October 10. They've been exploiting this flaw to hijack authenticated sessions and bypass multifactor protection. The method? Specially crafted HTTP GET requests that force the appliance to spill the beans - or in this case, system memory contents, including a valid NetScaler AAA session cookie. Now, that's one way to get your hands on some cookies without a trip to the cookie jar.

Stealthy Shenanigans

Investigating these attacks is like trying to find a needle in a haystack. Thanks to the limited logging on the appliances, it's hard to tell if a device has been exploited. Unless you've got some fancy web application firewalls (WAF) and other network traffic monitoring appliances in place, you're pretty much in the dark. Even after the exploitation, these sneaky attackers are good at blending in, using common administrative tools to remain undetected.
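Since the appliance itself logs next to nothing, the practical place to look is the WAF or proxy traffic in front of it: a leaked AAA cookie that gets replayed shows up as one session token presented by a second client. The script below is an added example written for this post, not tooling from Mandiant or Citrix; the log layout, the client addresses, the cookie values and the use of NSC_AAAC as the AAA cookie name are all assumptions or constructed data.

```python
"""Session-reuse triage for edge-proxy or WAF access logs.

The appliance logs little, but an authentication cookie that was leaked and replayed shows
up in the traffic in front of it: the same session token used by a second client. This is an
added example, not Mandiant's or Citrix's tooling; the log layout and all values are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed records in a hypothetical "timestamp|client_ip|user_agent|cookie|path" layout.
# NSC_AAAC is assumed here as the name of the NetScaler AAA session cookie; the values are made up.
SAMPLE_LOG = """\
2023-10-12T08:01:10Z|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|NSC_AAAC=a1b2c3d4e5f6|/vpn/index.html
2023-10-12T08:02:30Z|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|NSC_AAAC=a1b2c3d4e5f6|/cgi/login
2023-10-12T08:05:45Z|198.51.100.7|python-requests/2.31|NSC_AAAC=a1b2c3d4e5f6|/vpn/index.html
2023-10-12T09:10:00Z|203.0.113.22|Mozilla/5.0 (Macintosh)|NSC_AAAC=ffeeddccbbaa|/vpn/index.html
2023-10-12T09:12:00Z|203.0.113.22|Mozilla/5.0 (Macintosh)|NSC_AAAC=ffeeddccbbaa|/cgi/login
"""


def parse_log(text):
    """Split the pipe-delimited records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, cookie, path = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "ua": ua, "cookie": cookie, "path": path,
        })
    return records


def fingerprint(cookie):
    """Alerts carry a short hash, never the raw token, so the finding itself cannot be replayed."""
    return hashlib.sha256(cookie.encode()).hexdigest()[:12]


def find_reused_sessions(records):
    """Return one finding per cookie that a second client (different IP or user agent) presented.

    The first record for a cookie is treated as the legitimate, authenticating client; any later
    record from another IP or user agent is a replay candidate. Legitimate roaming (VPN
    re-connects, mobile networks) can also trip this, so the finding reports what changed and
    how quickly, for an analyst to weigh rather than as a hard verdict.
    """
    by_cookie = defaultdict(list)
    for r in records:
        by_cookie[r["cookie"]].append(r)

    findings = []
    for cookie, rs in by_cookie.items():
        rs.sort(key=lambda r: r["ts"])
        origin = rs[0]
        foreign = [r for r in rs[1:] if r["ip"] != origin["ip"] or r["ua"] != origin["ua"]]
        if not foreign:
            continue
        findings.append({
            "session": fingerprint(cookie),
            "origin_ip": origin["ip"],
            "origin_ua": origin["ua"],
            "other_ips": sorted({r["ip"] for r in foreign}),
            "other_uas": sorted({r["ua"] for r in foreign}),
            "seconds_to_first_reuse": int((foreign[0]["ts"] - origin["ts"]).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_reused_sessions(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this flags exactly one session: the cookie first seen from 203.0.113.10 with a browser user agent reappears four and a half minutes later from 198.51.100.7 with a scripting client. A user-agent change on its own is a softer signal than an IP change, which is why both are reported separately rather than folded into a score.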

Attack of the Cookie Monsters

After exploiting the 'Citrix Bleed' vulnerability, attackers engage in network reconnaissance, stealing account credentials and moving laterally via RDP. They use a variety of tools, including Active Directory (AD) reconnaissance and internal network enumeration. If you see a sudden influx of tools like FREEFIRE, it's a clear sign of a breach. Luckily, the researchers have released a Yara rule that can help detect FREEFIRE on a device.

Post-Exploitation Party

The four threat actors identified by Mandiant all show some overlap in their post-exploitation stage. They extensively use csvde.exe, certutil.exe, local.exe, and nbtscan.exe. Unfortunately, simply applying the available security updates will not fix existing breaches, so a full incident response is required. It's a bit like trying to put out a forest fire with a water pistol – you're going to need more than just the basics.
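Each of the four binaries above has a legitimate administrative use, so a single sighting is noise; several of them on one host within a short window is the pattern worth paging on. The following is an added example, not Mandiant's detection content: it clusters watched tools per host from normalised process-creation events. The event layout, hostnames, accounts and command lines are constructed, and the one-hour window and two-tool threshold are assumptions to tune for your estate.

```python
"""Cluster post-exploitation tooling per host from process-creation telemetry.

Every tool below has a legitimate admin use, so one hit is noise; several of them on one host
inside an hour is the pattern worth paging on. Added example, not Mandiant's detection content;
the event layout and every hostname, user and command line here are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The four binaries named in the findings summarised above; matching is on image basename.
WATCHED_TOOLS = {"csvde.exe", "certutil.exe", "local.exe", "nbtscan.exe"}
CLUSTER_WINDOW = timedelta(hours=1)   # assumed tuning value
MIN_DISTINCT_TOOLS = 2                # assumed tuning value

# Constructed process-creation events in a hypothetical flat layout (the fields a Sysmon
# EventID 1 or Security 4688 feed gives you after normalisation).
SAMPLE_EVENTS = [
    {"ts": "2023-10-12T10:00:00Z", "host": "WS-01", "user": "CORP\\it.admin",
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -verify server.cer"},
    {"ts": "2023-10-12T11:00:00Z", "host": "SRV-FILE-02", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\csvde.exe", "cmdline": "csvde -f ad_export.csv"},
    {"ts": "2023-10-12T11:04:30Z", "host": "SRV-FILE-02", "user": "CORP\\svc-backup",
     "image": r"C:\Users\Public\nbtscan.exe", "cmdline": "nbtscan 10.0.0.0/24"},
    {"ts": "2023-10-12T11:09:00Z", "host": "SRV-FILE-02", "user": "CORP\\svc-backup",
     "image": r"C:\Users\Public\local.exe", "cmdline": 'local "Domain Admins" \\\\dc01'},
    {"ts": "2023-10-12T11:20:00Z", "host": "SRV-FILE-02", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -hashfile staged.bin MD5"},
    {"ts": "2023-10-12T15:00:00Z", "host": "WS-07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad notes.txt"},
]


def image_name(path):
    """Lower-cased basename of the image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def cluster_tool_activity(events, window=CLUSTER_WINDOW, min_distinct=MIN_DISTINCT_TOOLS):
    """Return one alert per host on which at least `min_distinct` watched tools ran within `window`."""
    per_host = defaultdict(list)
    for e in events:
        name = image_name(e["image"])
        if name in WATCHED_TOOLS:
            per_host[e["host"]].append((parse_ts(e["ts"]), name, e["user"], e["cmdline"]))

    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        # Slide a window from each hit forward; the first window that reaches the threshold fires.
        for i, (t0, _, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            tools = sorted({h[1] for h in in_window})
            if len(tools) >= min_distinct:
                alerts.append({
                    "host": host,
                    "tools": tools,
                    "users": sorted({h[2] for h in in_window}),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "command_lines": [h[3] for h in in_window],
                })
                break  # one alert per host; the analyst pulls the full timeline from there
    return alerts


if __name__ == "__main__":
    for alert in cluster_tool_activity(SAMPLE_EVENTS):
        print(alert)
```

With the constructed events, WS-01 runs certutil once and stays quiet, while SRV-FILE-02 runs all four tools under one service account inside twenty minutes and produces the single alert. Lowering `min_distinct` to 1 turns the tool list back into a plain inventory, which is useful for scoping after the fact but far too noisy as a pager rule.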

Tags: Citrix Bleed, Credential Theft, CVE-2023-4966, Mandiant, Network Security, threat actors, Zero-day exploitation