Endpoint/Device Security, Patch/Configuration Management

Citrix NetScaler bug protection: Close all active sessions, says Mandiant

Citrix Systems Inc logo visible on screen.

Mandiant Consulting advised security teams that only applying the patch that was released to fix a recent Citrix NetScaler ADC and Gateway vulnerability was not enough — they need to close all active sessions to ensure that the vulnerable code is not resident in memory.   

The vulnerability — CVE-2023-4966, which is rated a critical 9.4 by Citrix — lets attackers steal the token of recently connected users, allowing the attacker to gain access to whatever resources the user has permissions to access in Citrix.

Once this happens Mandiant, now a part of Google, has observed that threat actors can perform credential harvesting, move laterally in the victim’s network via remote desktop protocol (RDP), and conduct reconnaissance of the victim’s environment. Mandiant also said it’s investigating intrusions across multiple verticals, including legal and professional services, technology, and government organizations in the Americas, Europe, the Middle East and Africa, and the Asia-Pacific and Japan regions.

“The vast majority of organizations that patched early and killed sessions will be fine,” said Charles Carmakal, chief technology officer at Mandiant Consulting. “However, certain organizations were targeted when this was a zero-day. While we don't know the motivation of the zero-day intrusion activity, we are assessing whether it's related to espionage intentions. So for organizations that are normally concerned about espionage, they should look into this more closely.” 

In an Oct. 31 blog post, Mandiant outlined the following techniques for security teams to consider to identify potential exploitation of CVE-2023-4966 and session hijacking:

  • Investigate requests to the vulnerable HTTP/S endopoint from a WAF.
  • Identify suspicious login patterns based on NetScaler logs.
  • Identify suspicious virtual desktop agent Windows Registry keys.
  • Conduct analysis of memory core dump files.

Callie Guenther, senior manager, cyber threat research at Critical Start, agreed with Mandiant that the release of a patch by Citrix is just the beginning of the response required. Here’s some recommendations from Guenther for security teams:

  • Enhanced monitoring and analysis: Since the exploitation of this vulnerability leaves limited forensic evidence, it's crucial for security teams to enhance their monitoring capabilities. This involves analyzing logs from web application firewalls (WAFs) and other network appliances that could have recorded HTTP/S requests targeting the vulnerable Citrix appliances.
  • Historical log review: Security teams should review historical logs for evidence of exploitation. This includes investigating discrepancies in source IP addresses and identifying any multiple user sessions from single IP addresses that could suggest malicious access.
  • Registry analysis on Citrix Virtual Delivery Agent (VDA): On Windows systems where Citrix VDA runs, the registry holds information that could be used to track unauthorized access. Security teams should correlate these values with ns.log entries to pinpoint suspicious activity.
  • Memory core dump analysis: For appliances that may have been compromised, memory core dump analysis is critical. Security teams should look for anomalies in memory, such as unusually long strings that indicate attempts to exploit the vulnerability.
  • Post-exploitation detection: After patching, stay vigilant for signs of post-exploitation activity. This includes network reconnaissance, credential harvesting, lateral movement, and the use of tools like Mimikatz.
  • Patching: While the patch is essential, it's not the end-all solution. Security teams need to ensure that the patch gets applied correctly and that all systems are otherwise up to date.
  • Proactive threat hunting: Since logging may not capture all instances of exploitation, proactive threat hunting is necessary. This involves looking for indicators of compromise and patterns of suspicious behavior that may indicate a breach.
  • Attribution analysis: While attribution might not prevent further attacks, understanding the tactics and techniques of the attackers can help in tailoring defenses against them.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.