A Citrix Flaw Is Enabling Hackers to Go After Government Endpoints

A Citrix flaw is enabling hackers to go after government endpoints. Governments around the globe are being hacked right now through a vulnerability in Citrix software: attackers are exploiting Citrix Bleed to target government endpoints.

Hackers are currently exploiting the Citrix Bleed vulnerability in the wild to target endpoints at several government institutions, legal organizations, firms, and other companies across the globe.

This is according to the cybersecurity firm Mandiant, which recently published a report describing at least four currently active campaigns. The campaigns reportedly began in late August of this year.

The threat actors are exploiting Citrix Bleed, tracked as CVE-2023-4966, to target NetScaler ADC and NetScaler Gateway appliances. The vulnerability carries a 9.4 severity score and is being used to obtain personal information such as login credentials and to enable lateral movement across the compromised network.

The Hackers Are Apparently Leaving Behind Very Little Evidence

The hackers also appear to leave behind very little evidence, which makes forensics difficult. Mandiant nonetheless stated that it identified exploitation attempts and session hijacking through WAF request analysis, Windows Registry correlation, and memory dump inspection.

Citrix released a patch for the flaw in late October and urged customers to apply it, reportedly stating that the vulnerability was being abused in the wild.

Mandiant and CISA Have Warned About the Flaw

Before Citrix responded, both Mandiant and CISA had warned about the flaw. Mandiant said hackers had probably been using it since August to hijack authentication sessions and steal corporate data. CISA, on the other hand, was less specific in its analysis, stating that the vulnerability was “unknown” but “used in ransomware campaigns”.

In the meantime, a proof-of-concept exploit for Citrix Bleed was posted on GitHub.

Tools Used By the Hackers in Their Attacks

Mandiant stated that the hackers use a handful of tools in their attacks, including net.exe for Active Directory reconnaissance, netscan.exe for internal network enumeration, 7-Zip for compressing and encrypting reconnaissance data, FREEFIRE, a .NET backdoor, and AnyDesk for remote desktop management.

Not all of these tools are malicious by design, but in the wrong hands they can cause a great deal of damage.
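One way a defender can turn that tool list into a detection that respects the caveat above, as an added example that is not code from the article or from Mandiant: rather than alerting on any single tool, the script below scores each host by how many distinct categories of the named tools (AD reconnaissance with net.exe, network enumeration with netscan.exe, staging with a password-protected 7-Zip archive, remote access with AnyDesk) appear within one time window. The log line format, the regexes, the two-hour window and the sample log lines are this example's own assumptions; FREEFIRE is left out because the article gives no observable for it.

```python
"""Scoring living-off-the-land tool activity in process-creation logs.

Added example, not code from the article or from Mandiant. Each host is rated
by how many distinct categories of the tools the article names (net.exe for AD
reconnaissance, netscan.exe for network enumeration, 7-Zip with a password for
staging, AnyDesk for remote access) appear within one time window, so a single
7-Zip or AnyDesk launch by a normal user is not flagged on its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (this example's own format, not a real product's):
#   <ISO-8601 UTC time> host=<name> user=<name> image=<path> cmdline="<args>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)

# Tool categories from the article. The regexes are assumptions about how each
# tool shows up in telemetry; FREEFIRE is omitted because the article gives no
# observable for it.
TOOL_PATTERNS = {
    "ad_recon": re.compile(r"\bnet1?\.exe\b.*\b(?:group|user|localgroup)\b.*/domain", re.I),
    "net_enum": re.compile(r"\bnetscan\.exe\b", re.I),
    "staging": re.compile(r"\b7za?\.exe\b.*\s-p", re.I),  # 7-Zip run with a password switch
    "remote_access": re.compile(r"\banydesk\.exe\b", re.I),
}

# Constructed sample log: fs01 shows the whole chain within an hour, ws07 shows
# a user compressing documents and starting AnyDesk hours apart.
SAMPLE_LOG = r"""
2023-10-12T03:14:07Z host=fs01 user=svc_backup image=C:\Windows\System32\net.exe cmdline="net group /domain"
2023-10-12T03:21:40Z host=fs01 user=svc_backup image=C:\Users\Public\netscan.exe cmdline="netscan.exe /range:10.0.0.0/24"
2023-10-12T03:58:02Z host=fs01 user=svc_backup image=C:\Program Files\7-Zip\7z.exe cmdline="7z.exe a -pREDACTED recon.7z C:\Users\Public\out"
2023-10-12T04:10:15Z host=fs01 user=svc_backup image=C:\Users\Public\AnyDesk.exe cmdline="AnyDesk.exe --silent"
2023-10-12T09:00:00Z host=ws07 user=jdoe image=C:\Program Files\7-Zip\7z.exe cmdline="7z.exe a report.7z C:\Users\jdoe\Documents"
2023-10-12T15:30:00Z host=ws07 user=jdoe image=C:\Program Files\AnyDesk\AnyDesk.exe cmdline="AnyDesk.exe"
"""


def parse_line(line):
    """Return (timestamp, host, user, image, cmdline) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["user"], m["image"], m["cmd"]


def classify(image, cmdline):
    """Names of the tool categories matched by one process-creation event."""
    text = f"{image} {cmdline}"
    return [name for name, pat in TOOL_PATTERNS.items() if pat.search(text)]


def score_hosts(lines, window=timedelta(hours=2)):
    """Map host -> (score, categories): the largest set of distinct categories
    seen on that host inside any window-long span starting at a matched event."""
    events = defaultdict(list)  # host -> [(timestamp, category)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _user, image, cmdline = parsed
        for category in classify(image, cmdline):
            events[host].append((ts, category))

    results = {}
    for host, evs in events.items():
        evs.sort()
        best = set()
        for i, (start, _) in enumerate(evs):
            seen = {cat for ts, cat in evs[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        results[host] = (len(best), sorted(best))
    return results


def suspicious_hosts(lines, threshold=3):
    """Hosts whose score reaches the threshold, i.e. several tool categories chained."""
    scores = score_hosts(lines)
    return sorted(h for h, (score, _) in scores.items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, cats) in score_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: score={score} categories={cats}")
    print("suspicious:", suspicious_hosts(SAMPLE_LOG.splitlines()))
```

Run as a script, it scores fs01 at 4 (all four categories inside an hour) and ws07 at 1, so only fs01 crosses the default threshold of three. The threshold and window are deliberately conservative so that ordinary administrative use of net.exe, 7-Zip or AnyDesk does not generate an alert on its own; the score rises only when the tools appear together in the sequence the article describes.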
