Citrix warns admins to kill NetScaler user sessions to block hackers – RedPacket Security
Citrix advises administrators to take additional steps besides patching their NetScaler appliances to secure them against the ‘Citrix Bleed’ vulnerability.
Admins are urged to wipe all previous user sessions and terminate active ones, as attackers exploiting Citrix Bleed have been stealing authentication tokens, granting access even after patching.
Sessions compromised through the vulnerability, which has been active since at least late August 2023, persist after patching, letting attackers move laterally across the network or compromise other accounts, depending on the permissions of the compromised account.
Citrix also warned customers to remove active or persistent sessions using specific commands following the upgrade.
The LockBit ransomware gang is reported to be exploiting the Citrix Bleed flaw, with CISA, FBI, MS-ISAC, and ACSC cautioning about its exploitation.
Boeing reported that LockBit breached its network using the exploit, leading to data theft and leakage on the dark web.
CISA analyzed files showing attempts to establish sessions via WinRM related to the vulnerability.
Over 10,000 Internet-exposed Citrix servers were vulnerable to the Citrix Bleed attacks.
Link: https://www.redpacketsecurity.com/citrix-warns-admins-to-kill-netscaler-user-sessions-to-block-hackers/