I published a remote scanner for #CitrixBleed so you can check if you're vulnerable:

https://github.com/GossiTheDog/scanning/blob/main/CitrixBleed.curl

btw if Curl spits out "unsafe legacy renegotiation disabled" you need to edit /etc/ssl/openssl.cnf and add Options = UnsafeLegacyServerConnect at the end, under [system_default_sect] - Citrix Netscaler ships with an unsafe TLS implementation.

#CitrixBleed is under very wide exploitation now - over 70 IPs are hammering the whole internet per @greynoise.

This one allows full MFA bypass even after patching as sessions persist on reboot, unless you kick off existing sessions manually. So I'd suggest patching and booting people off. Instructions for resetting sessions: https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

CitrixBleed in Citrix Netscaler/ADC is under mass exploitation. A ransomware group has distributed an exploit to their operators too.

#threatintel #mspaint
https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18?sk=6c6a183bfaa9f69eff86c9c25e4c2326

Quick update on #CitrixBleed - tracking just over 20k exploited Netscaler servers so far today, where session tokens have been stolen.

How? Have a honeypot running to gather data on attackers, then compare with Netflow via industry friends. Two TCP connections (first large) plus Shodan cross reference to validate Netscaler victim.

Also it turns out in March of this year somebody documented how to replay the session token to bypass MFA/login: https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

139 unique IPs are spraying internet with #CitrixBleed session token theft, which allows both credential and MFA bypass.

My write up for those who missed it:
https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18?sk=6c6a183bfaa9f69eff86c9c25e4c2326

Contains two details not in any other write up:

- The initial openid exploitation string isn’t logged anywhere. At all.
- The public exploit also calls GetUserName with a python user agent. If you have logs in Microsoft Sentinel, Splunk etc you can use this to hunt.

The internet got mass sprayed from Oct 24.

A fun #CitrixBleed stat is over half of orgs haven’t patched still. That includes telcos, electric companies, food companies, governments etc etc. The CISA requirement to patch in USG is in mid November.

My blog post on it has under 1000 views.

Meanwhile some IBM post about hypothetical AI phishing is *all over* LinkedIn.

Mandiant has a new blog out on #CitrixBleed which backs up a key point from my blog https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966

The initial exploit string isn’t logged.. at all.

There’s some good hunting stuff in the blog (ICA sessions) - I’d say combine it with the GetUserName thing in my blog for assurance.

The other big take away is a ton of orgs have been compromised and don’t know yet. #threatintel

I don’t know if any CERTs/NCSCs/etc follow me by I think y’all need to start banging loud drums about getting orgs to patch #CitrixBleed.

People are going wild with it - it’s point and click simple access to Remote Desktop inside orgs firewalls without generating any alerts or logs.

The ransomware victims for #CitrixBleed are starting to arrive into multiple IR firms I’ve talked to, where the threat actors have made it to domain admin.

It’s like a party in a sweet shop where there’s too many targets vs operators so expect it to be a slow burn.

Btw if it helps anybody, one of the groups are deploying Atera in ICA/RDP sessions.

Reasons:
- Legit remote access tool. No AV or EDR alerts.
- allows remote interactive command prompt and PowerShell
- reverse proxy, works behind firewall

So you take over a session, install that, and then disconnect. You then have persistent access to endpoint after patching of Netscaler.

Ransomware groups are basically a cheaper and better managed MSP.

Looping this in to this thread - a few days ago I wrote another blog about this.

“LockBit ransomware group assemble strike team to breach banks, law firms and governments.”

Since publishing multiple ransomware groups have joined in. They are stealing data and extorting organisations.

https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee