Governments around the world are being hacked thanks to Citrix flaws

password manager security
(Image credit: Passwork)

Hackers are using the Citrix Bleed vulnerability in the wild to go after endpoints in government institutions, legal organizations, and other firms across the world. 

This is according to cybersecurity researcher Mandiant, who recently published a report describing at least four currently active campaigns. The campaigns allegedly started in late August this year. 

The threat actors are using Citrix Bleed, tracked as CVE-2023-4966, to target NetScaler ADC, and NetScaler Gateway appliances. The vulnerability has a 9.4 vulnerability score and is being used to grab personal information such as login credentials, and to allow for lateral movement across the compromised network. 

Dozens of tools

The hackers are also apparently leaving behind very little evidence, making forensics a nightmare. In its analysis, though, Mandiant said it has discovered exploitation attempts and session hijacking via WAF request analysis, Windows Registry correlation, and Memory dump inspection.

In late October, Citrix released a patch for the flaw and urged users to apply it, claiming the vulnerability was being abused in the wild. 

Prior to Citrix’s reaction, both Mandiant and CISA warned about the flaw. Mandiant said hackers were probably using it to hijack authentication sessions and steal corporate data since August. CISA, on the other hand, wasn’t that specific, saying the vulnerability was “unknown” but “used in ransomware campaigns”.

In the meantime, someone posted a proof-of-concept on GitHub, called Citrix Bleed.

Mandiant says hackers are using a handful of tools in their attacks, including net.exe for Active Directory reconnaissance, netscan.exe for internal network enumeration, 7-zip for compressing and encrypting reconnaissance data, FREEFIRE as a .NET backdoor, and AnyDesk for remote desktop management - to name a few. 

Not all of the tools are malicious by design, but in the wrong hands, they can cause quite a lot of damage. 

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.