
Criminals are flocking to exploit the Citrix bug

November 2, 2023


Although a critical flaw in Citrix Netscaler ADC and Netscaler Gateway can be fixed, more and more cybercriminals are launching successful attack campaigns using the vulnerability.

More and more attackers are eagerly using Citrix Bleed, a bug that has been known since July and carries the identifier CVE-2023-4966. Like an earlier flaw, it affects Citrix NetScaler ADC and NetScaler Gateway. The following versions are vulnerable:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300
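As an added example (not code from the article or from Citrix), the following script checks an inventory of NetScaler build strings against the fixed builds listed above. The build-string format it parses ("13.1-49.15", optionally followed by "FIPS" or "NDcPP") is an assumption, and branches the advisory does not list are reported as unknown rather than as fixed.

```python
import re

# Fixed builds as quoted in the article; a build is vulnerable when it is
# older than the fix for its own branch. Key: (release, variant), where the
# variant is "" for standard builds, "FIPS" or "NDcPP" for the special ones.
FIXED_BUILDS = {
    ("14.1", ""): (14, 1, 8, 50),
    ("13.1", ""): (13, 1, 49, 15),
    ("13.0", ""): (13, 0, 92, 19),
    ("13.1", "FIPS"): (13, 1, 37, 164),
    ("12.1", "FIPS"): (12, 1, 55, 300),
    ("12.1", "NDcPP"): (12, 1, 55, 300),
}

# Assumed inventory format: "13.1-49.15", "13.1-37.164 FIPS", "12.1-55.300-NDcPP".
BUILD_RE = re.compile(
    r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)(?:[\s-]+(FIPS|NDcPP))?\s*$", re.IGNORECASE
)
VARIANTS = {"fips": "FIPS", "ndcpp": "NDcPP"}


def parse_build(text):
    """Split a build string into a comparable tuple plus its variant label."""
    m = BUILD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    version = tuple(int(m.group(i)) for i in range(1, 5))
    variant = VARIANTS.get((m.group(5) or "").lower(), "")
    return version, variant


def is_vulnerable(text):
    """True if the build predates the fix for its branch, False if at or past
    the fix, None if the branch is not covered by the list above."""
    version, variant = parse_build(text)
    fixed = FIXED_BUILDS.get((f"{version[0]}.{version[1]}", variant))
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, build, patch) lexicographically.
    return version < fixed


def triage(builds):
    """Label every inventory string as vulnerable, fixed or unknown."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {b: labels[is_vulnerable(b)] for b in builds}
```

This only answers whether a build still needs the patch; as the article goes on to explain, it says nothing about session tokens that may already have been stolen from it.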

There are still thousands of vulnerable servers exposed to the public Internet, and more than a hundred individual IP addresses are in fact being attacked. According to security researcher Kevin Beaumont, more than 20,000 NetScaler servers have already been exploited.

Ransomware

These are servers from which session tokens were stolen. Such tokens allow attackers to impersonate an authenticated user and steal data. The flaw lets hackers read these tokens from memory. The tokens themselves are legitimate and remain valid even after patching, so if they have been stolen, applying the patch is not enough: active sessions must be terminated so that new authentication tokens are issued.

At least two ransomware gangs are taking advantage of the stolen tokens and unpatched servers, and a script that automates the attack is already circulating. Patching is therefore essential, but not sufficient. IT administrators should look for suspicious activity in sessions authenticated with legitimate tokens, and everyone would be wise to reset sessions.

Source: IT Daily
