Lockbit ransomware uses vulnerability within netscaler.
Lockbit ransomware uses vulnerability within netscaler.
Summary
Lockbit is actively using a vulnerability within Citrix NetScaler called CitrixBleed CVE-2023-4966. Citrix released a patch for the vulnerability on 10th of October, however the vulnerability is still exploitable because the session token persists.
The exploit gives access to the memory of the device which gives access to the session tokens on the compromised device, this allows access to accounts without the requirement of multifactor authentication.
Attackers scan the internet by using the publicly availably Shodan website to find any NetScaler that is available, then they send a command to perform a brute force sending multiple characters the same time, then the NetScaler will reply with sending the system memory.
Affected products:
- NetScaler ADC
- NetScaler Gateway
Security recommendations
Researcher Kevin Beaumont has released a command to check if an attacker has performed an attack using the mentioned request, link.
NetScaler has also released security recommendations. They released a patch but also advise to perform a reset of the persistent sessions by using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
More information provided by NetScaler can be find here.