Alert essentials:
In a new surge of brute-force attacks, hackers are targeting misconfigured and outdated Citrix NetScaler devices.
Ensure devices are properly configured and updated.
Detailed threat description:
A global cybersecurity firm (Cyderes) reports a significant increase in brute-force attacks against Citrix NetScaler devices across multiple client environments in Germany. The attempts originate primarily from the address space of an unnamed hosting provider in Hong Kong.
The baseline for such attacks is already high and continuous: VPN concentrators, secure gateways and any similar device exposed to the public internet are brute-forced around the clock. What sets the recent reports apart is their focus on two vulnerabilities patched in November 2024 (CVE-2024-8534 and CVE-2024-8535, described below) and on the tactics of the actors involved.
The attackers use a distributed brute-force strategy, rotating source IP addresses and Autonomous System Numbers (ASNs) between attempts. Per-IP lockouts and rate limits therefore see only a handful of failures from each source, and detection has to correlate failures across sources, for example by counting distinct source addresses per targeted username.
The spike in attacks on Citrix NetScaler devices underscores a broader trend: attackers increasingly combine credential brute-forcing against internet-facing infrastructure with exploitation of known, already-patched vulnerabilities and misconfigurations, rather than relying on novel exploits.
NetScaler customers should upgrade to supported builds that contain the fixes, configure the RDP Proxy feature securely or disable it entirely if it is not needed, and monitor authentication logs for anomalous activity.
Impacts on healthcare organizations:
A compromised NetScaler device gives an attacker an authenticated foothold on the network, from which they can move laterally and take over critical systems.
Once inside, attackers can access sensitive patient information, and hospitals may be forced to cancel appointments, reschedule elective surgeries, and divert ambulances to other facilities.
Organizations must remain vigilant, prioritize patch management, and adopt robust monitoring of gateway authentication activity to safeguard against these threats.
Affected Products / Versions:
Unpatched and outdated Citrix NetScaler devices are at the highest risk, particularly the mainline 12.1 and 13.0 releases, which have reached end-of-life and no longer receive security updates. (The FIPS and NDcPP builds of 12.1 remain supported and did receive fixes for the two CVEs below; consult the Citrix bulletin in the references for the exact fixed build numbers of each supported branch.)
CVEs
CVE-2024-8534
- Memory safety vulnerability (CWE-119): an authenticated user can trigger memory corruption and a Denial of Service on the appliance
- A device is affected only if it is configured as a Gateway (VPN Vserver) with RDP enabled
- It is also affected if it is configured as a Gateway (VPN Vserver) and an RDP Proxy Server Profile has been created and set on that Gateway (VPN Vserver)
- Devices configured as an Auth Server (AAA Vserver) with RDP enabled are affected as well
- Determine whether an appliance matches one of these configurations by inspecting the ns.conf file
CVE-2024-8535
- Race condition vulnerability (CWE-362): an authenticated user can gain access to capabilities not intended for them, which amounts to privilege escalation under certain circumstances
- A device is affected if it is configured as a Gateway (VPN Vserver) with a KCDAccount configured for Kerberos SSO to backend resources
- It is likewise affected if it is configured as an Auth Server (AAA Vserver) with a KCDAccount configured for Kerberos SSO to backend resources
- Determine whether an appliance matches one of these configurations by inspecting the ns.conf file
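Both bulletins tell customers to inspect ns.conf for the pre-conditions above without saying what to look for. The following script is an added example written for this alert, not code from Citrix, Cyderes or Fortified: it scans an ns.conf for the Gateway (VPN vserver), Auth Server (AAA vserver), RDP client/server profile and KCDAccount definitions and reports which CVE pre-condition each matches. The sample configuration is constructed, and the command names in the regexes (add vpn vserver, add rdp clientprofile, add rdp serverprofile, set vpn vserver -rdpServerProfileName, add aaa kcdAccount, sessionAction -kcdAccount) are the NetScaler CLI names as I understand them; verify them against your own ns.conf before trusting a "not found" result.

```python
"""Scan a NetScaler ns.conf for the configuration pre-conditions of CVE-2024-8534 and CVE-2024-8535."""
import re
import sys

# Constructed sample ns.conf excerpt, not taken from any real appliance. The CLI
# command syntax is the NetScaler syntax as I understand it (assumption); confirm
# the patterns below against a real ns.conf before relying on the result.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add vpn vserver gw_vip SSL 203.0.113.10 443
add authentication vserver aaa_vip SSL 203.0.113.11 443
add rdp clientprofile rdp_client -rdpUrlOverride ENABLE
add rdp serverprofile rdp_server -psk "not-a-real-psk"
set vpn vserver gw_vip -rdpServerProfileName rdp_server
add vpn sessionAction sa_rdp -rdpClientProfileName rdp_client
add aaa kcdAccount kcd_acct -realmStr EXAMPLE.COM -delegatedUser svc_ns
add tm sessionAction sa_kcd -kcdAccount kcd_acct
"""

# One regex per configuration fact the two bulletins ask about. Each captures the
# name of the object being defined or modified.
FACT_PATTERNS = {
    "vpn_vservers": re.compile(r"^add vpn vserver (\S+)", re.I),
    "aaa_vservers": re.compile(r"^add authentication vserver (\S+)", re.I),
    "rdp_client_profiles": re.compile(r"^add rdp clientprofile (\S+)", re.I),
    "rdp_server_profiles": re.compile(r"^add rdp serverprofile (\S+)", re.I),
    "rdp_server_profile_bound": re.compile(r"^set vpn vserver (\S+) .*-rdpServerProfileName\b", re.I),
    "rdp_client_profile_used": re.compile(r"^(?:add|set) (?:vpn|tm) sessionAction (\S+) .*-rdpClientProfileName\b", re.I),
    "kcd_accounts": re.compile(r"^add aaa kcdAccount (\S+)", re.I),
    "kcd_account_used": re.compile(r"^(?:add|set) (?:vpn|tm) sessionAction (\S+) .*-kcdAccount\b", re.I),
}


def parse_ns_conf(text):
    """Return {fact_name: set(object_names)} for every line matching a pattern."""
    facts = {name: set() for name in FACT_PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in FACT_PATTERNS.items():
            match = pattern.match(line)
            if match:
                facts[name].add(match.group(1))
    return facts


def assess(facts):
    """Map the parsed facts onto the pre-conditions stated in the two bulletins."""
    has_gateway = bool(facts["vpn_vservers"])
    has_auth_server = bool(facts["aaa_vservers"])
    # "RDP enabled" is taken to mean any RDP client or server profile is defined or referenced.
    rdp_enabled = bool(facts["rdp_client_profiles"] or facts["rdp_client_profile_used"]
                       or facts["rdp_server_profiles"])
    kcd_configured = bool(facts["kcd_accounts"] or facts["kcd_account_used"])

    cve_8534 = []
    if has_gateway and rdp_enabled:
        cve_8534.append("Gateway (VPN vserver) with RDP enabled")
    if facts["rdp_server_profile_bound"]:
        cve_8534.append("RDP Proxy server profile set on Gateway vserver(s): "
                        + ", ".join(sorted(facts["rdp_server_profile_bound"])))
    if has_auth_server and rdp_enabled:
        cve_8534.append("Auth Server (AAA vserver) with RDP enabled")

    cve_8535 = []
    if (has_gateway or has_auth_server) and kcd_configured:
        cve_8535.append("Gateway/Auth Server with KCDAccount for Kerberos SSO: "
                        + ", ".join(sorted(facts["kcd_accounts"])))
    return {"CVE-2024-8534": cve_8534, "CVE-2024-8535": cve_8535}


def check_ns_conf(text):
    """Convenience wrapper: ns.conf text in, {CVE: [matched pre-conditions]} out."""
    return assess(parse_ns_conf(text))


if __name__ == "__main__":
    # Usage: python check_ns_conf.py /nsconfig/ns.conf   (falls back to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    for cve, reasons in check_ns_conf(source).items():
        print(f"{cve}: {'pre-condition present' if reasons else 'pre-condition not found'}")
        for reason in reasons:
            print(f"  - {reason}")
```

A match means the appliance is in a configuration the bulletin calls out, not that it has been exploited; an empty result for both CVEs only removes the configuration pre-condition, and the upgrade is still the right fix because the build remains otherwise exposed to brute-force attempts.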
Indicators of Compromise (IoCs)
IP addresses and ranges implicated in the current wave of brute force attempts:
45.145.4.0/24
45.159.209.0/24
45.8.227.246
46.8.227.171
46.8.227.238
46.8.227.71
95.182.96.42
185.92.182.0/24
185.92.180.0/24
185.92.180.100
185.92.182.129
185.92.182.172
185.92.182.174
185.92.180.185
185.92.182.86
188.130.207.178
109.120.136.0/24
193.124.254.0/24
193.242.145.120
194.113.37.0/24
194.113.37.116
194.113.37.180
194.113.37.193
194.113.37.214
194.113.37.91
208.115.218.90
212.87.223.140
212.87.223.170
212.87.223.207
212.87.223.3
212.87.223.78
Usernames utilized in attacks:
Recommendations
Engineering recommendations:
- Block the high-risk IP ranges listed above at the perimeter, and keep the blocklist current, since the attackers rotate source addresses and ASNs
- Patch and upgrade NetScaler devices to a supported build that contains the fixes
- For appliances that use a KCDAccount for Kerberos SSO (the CVE-2024-8535 pre-condition), run the following from the NetScaler shell after upgrading to the fixed version, to flush cached Kerberos tickets: nsapimgr_wr.sh -ys call=ns_aaa_flush_kerberos_tickets
- Provision new credentials for the affected accounts and ensure they are stored securely
- Ensure the Remote Desktop Protocol (RDP) proxy feature is configured securely, and disable it entirely if it is not needed
- Block traffic from high-risk or unnecessary geographic locations
- Use monitoring tools to identify spikes in failed login attempts, single usernames failing from many source addresses, and other traffic anomalies
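The monitoring recommendation above and the IoC list earlier in this alert can be combined into one check. The script below is an added example for this alert, not Fortified's, Cyderes's or Citrix's own tooling: it reads NetScaler AAA login-failure log lines, counts failures per source address (classic brute force), counts distinct source addresses and /24 blocks per username (the distributed pattern described in the threat description, which per-IP lockouts miss), and flags any source that falls inside the published IoC ranges. The log lines are constructed, and the AAA LOGIN_FAILED layout is the NetScaler syslog format as I understand it (assumption); adjust LOGIN_FAILED_RE if your build formats the message differently.

```python
"""Detect single-source and distributed brute force in NetScaler AAA logs and match sources against IoCs."""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# A subset of the IoC addresses and ranges listed in this alert. Single hosts become
# /32 networks so hosts and blocks are matched the same way.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "45.145.4.0/24", "45.159.209.0/24", "185.92.180.0/24", "185.92.182.0/24",
    "194.113.37.0/24", "109.120.136.0/24", "193.124.254.0/24",
    "212.87.223.140", "208.115.218.90", "95.182.96.42",
)]

# Constructed sample ns.log excerpt (not a real capture). Message layout is assumed.
SAMPLE_LOG = """\
12/03/2024:10:15:01 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1001 0 :  User admin - Client_ip 45.145.4.10 - Vserver 203.0.113.10:443 - Failure_reason "External authentication server denied access"
12/03/2024:10:15:04 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1002 0 :  User admin - Client_ip 185.92.180.100 - Vserver 203.0.113.10:443 - Failure_reason "External authentication server denied access"
12/03/2024:10:15:07 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1003 0 :  User admin - Client_ip 212.87.223.140 - Vserver 203.0.113.10:443 - Failure_reason "External authentication server denied access"
12/03/2024:10:15:09 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1004 0 :  User admin - Client_ip 203.0.113.50 - Vserver 203.0.113.10:443 - Failure_reason "External authentication server denied access"
12/03/2024:10:15:12 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1005 0 :  User jsmith - Client_ip 198.51.100.7 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
12/03/2024:10:15:13 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1006 0 :  User jsmith - Client_ip 198.51.100.7 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
12/03/2024:10:15:14 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1007 0 :  User jsmith - Client_ip 198.51.100.7 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
12/03/2024:10:15:15 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1008 0 :  User jsmith - Client_ip 198.51.100.7 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
12/03/2024:10:15:16 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1009 0 :  User jsmith - Client_ip 198.51.100.7 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
12/03/2024:10:15:30 GMT ns01 0-PPE-0 : default AAA LOGIN_SUCCESS 1010 0 :  User rjones - Client_ip 203.0.113.51 - Vserver 203.0.113.10:443
12/03/2024:10:15:33 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED 1011 0 :  User rjones - Client_ip 203.0.113.50 - Vserver 203.0.113.10:443 - Failure_reason "Invalid credentials"
"""

LOGIN_FAILED_RE = re.compile(r"AAA LOGIN_FAILED .*?User (?P<user>\S+) - Client_ip (?P<ip>\S+)")


def parse_failures(log_text):
    """Return (username, source IPv4Address) pairs for every LOGIN_FAILED line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        match = LOGIN_FAILED_RE.search(line)
        if match:
            failures.append((match.group("user"), ipaddress.ip_address(match.group("ip"))))
    return failures


def is_ioc(ip):
    """True if the address (string or address object) lies inside any listed IoC range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in IOC_NETWORKS)


def analyse(log_text, per_ip_threshold=5, spray_ip_threshold=3):
    """Summarise failed logins in the supplied lines.

    The caller is expected to pass the time window it cares about (e.g. the last ten
    minutes of ns.log); timestamps are not parsed here.
    """
    failures = parse_failures(log_text)
    per_ip = Counter(ip for _, ip in failures)
    ips_per_user = defaultdict(set)
    for user, ip in failures:
        ips_per_user[user].add(ip)

    return {
        # Classic single-source brute force: one address, many failures.
        "noisy_sources": sorted((str(ip) for ip, n in per_ip.items() if n >= per_ip_threshold),
                                key=ipaddress.ip_address),
        # Distributed brute force / spraying: one username, failures from many addresses.
        "sprayed_users": sorted(u for u, ips in ips_per_user.items() if len(ips) >= spray_ip_threshold),
        # Distinct /24 blocks per username: a cheap proxy for rotation across networks/ASNs.
        "distinct_slash24_per_user": {
            u: len({ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips})
            for u, ips in ips_per_user.items()
        },
        # Sources matching the published IoC list, regardless of volume.
        "ioc_sources": sorted((str(ip) for ip in per_ip if is_ioc(ip)), key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    # Usage: python netscaler_bruteforce.py /var/log/ns.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in analyse(text).items():
        print(f"{key}: {value}")
```

On the sample, the jsmith failures show up as a noisy single source, while the admin account is flagged as sprayed even though no individual source exceeded one failure; that second signal is the one the rotating-IP tactic is designed to evade, and it is the one worth alerting on. Thresholds are deliberately low for the sample and should be tuned to the gateway's normal failure rate.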
Leadership/ Program recommendations:
- Many of these attacks originate from IP blocks associated with a Hong Kong-based cloud provider; confirm whether traffic from that provider or region has any business justification and authorize blocking it at the edge where it does not
- Act promptly: timely patching, credential hygiene and monitoring of the gateway reduce the risk of a compromised NetScaler becoming a network-wide incident that disrupts patient care
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Cyderes Advisory: https://www.cyderes.com/blog/mitigating-brute-force-attacks-on-netscaler-devices
- Detecting and Mitigating Password Spraying Attacks on NetScaler Gateway: https://community.citrix.com/tech-zone/build/tech-papers/detecting-and-mitigating-password-spraying-attacks-nsg/
- Germany’s Federal Office of Information Security (BSI): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-298922-1032.pdf
- NetScaler Security Bulletins for CVE-2024-8534 and CVE-2024-8535: https://support.citrix.com/s/article/CTX691608-netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20248534-and-cve20248535?language=en_US
- NetScaler Gateway and Citrix Endpoint management: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/gateway-and-endpoint-management.html
- NetScaler blog: https://www.netscaler.com/blog/news/cve-2024-8534-and-cve-2024-8535-high-severity-security-updates-for-netscaler-adc-and-netscaler-gateway/
- https://nvd.nist.gov/vuln/detail/CVE-2024-8534
- https://nvd.nist.gov/vuln/detail/CVE-2024-8535