
Mandiant Advise on Citrix NetScaler ADC Vulnerability


Mandiant has advised security teams that applying the patch released to fix the recent Citrix NetScaler ADC and Gateway vulnerability is not enough on its own: they also need to close all active sessions to ensure that the vulnerable code is not resident in memory.

The vulnerability, CVE-2023-4966, which Citrix rates critical with a score of 9.4, lets attackers steal the session tokens of recently connected users, giving the attacker access to whatever resources those users are permitted to reach in Citrix.


Mandiant is observing threat actors performing credential harvesting, moving laterally within the victim's network via RDP, and conducting reconnaissance of the victim's environment. Mandiant also said it is investigating intrusions across multiple verticals, including legal and professional services, technology, and government organizations in the Americas, Europe, the Middle East and Africa, and the Asia-Pacific and Japan regions.

In its blog post, Mandiant outlined the following techniques for security teams to consider when looking for potential exploitation of CVE-2023-4966 and session hijacking:


Recommendations from security experts

  1. Enhanced monitoring and analysis
  2. Historical log review
  3. Registry analysis on Citrix Virtual Delivery Agent
  4. Memory core dump analysis
  5. Post-exploitation detection
  6. Patching
  7. Proactive threat hunting
  8. Attribution analysis
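The enhanced monitoring and historical log review items above come down to spotting the session-hijacking pattern: a session token that authenticated from one client address and is then reused from another. The script below is an added example, not code from Mandiant or Citrix; the log line format is constructed for illustration and would need to be adapted to a real NetScaler/Gateway or SIEM export.

```python
"""Hunt for session tokens reused from an IP other than the one that logged in.
Added example; the record format below is CONSTRUCTED, not a real NetScaler format."""
import re
from collections import defaultdict

# Constructed sample records: timestamp, event, source IP, user, session token.
# Session AAA111 logs in from 203.0.113.10 but is later used from 198.51.100.77.
SAMPLE_LOG = """\
2023-10-17T08:01:12Z LOGIN src=203.0.113.10 user=alice session=AAA111
2023-10-17T08:05:40Z ACCESS src=203.0.113.10 user=alice session=AAA111
2023-10-17T08:09:03Z ACCESS src=198.51.100.77 user=alice session=AAA111
2023-10-17T08:15:22Z LOGIN src=203.0.113.55 user=bob session=BBB222
2023-10-17T08:20:00Z ACCESS src=203.0.113.55 user=bob session=BBB222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) session=(?P<sid>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_hijack_candidates(log_text):
    """Return {session: (login_ip, [other_ips])} for every session that was
    used from a source IP different from the one that performed the LOGIN."""
    login_ip = {}
    other_ips = defaultdict(list)
    for rec in parse(log_text):
        sid, src = rec["sid"], rec["src"]
        if rec["event"] == "LOGIN":
            login_ip.setdefault(sid, src)  # first LOGIN wins for this token
        elif sid in login_ip and src != login_ip[sid] and src not in other_ips[sid]:
            other_ips[sid].append(src)
    return {sid: (login_ip[sid], ips) for sid, ips in other_ips.items()}


if __name__ == "__main__":
    for sid, (orig, others) in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"session {sid} authenticated from {orig} but also used from {others}")
```

A session seen from a second address is a lead, not proof: roaming clients and NAT changes produce the same pattern, so corroborate with timing, geolocation and the user before treating it as a hijacked token.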