NetScaler Zero-Day Being Actively Exploited (Yes, Another One)

A recently patched Citrix NetScaler bug (CVE-2023-4966, CVSS score 9.4) is under active attack, and has been for at least two months.


Making matters worse, attackers have been able to bypass multi-factor authentication (MFA) requirements by hijacking existing sessions that have already authenticated successfully. This means that patching alone is not enough to stop an attacker who is already active: all active and persistent sessions must be terminated as well.

More difficult still, there are currently no known logs or other artifacts on NetScaler appliances that record evidence of exploitation. Mandiant has released a remediation guide for this vulnerability, including investigative steps, here: https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966
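Because a hijacked session is replayed from a different machine, one hunting lead is a session identifier that shows up from more than one client address. The sketch below is an added example, not code from this post or from Mandiant's guide; it assumes request logs from a device in front of the gateway (load balancer, WAF or proxy) in a constructed `time,session,ip,user-agent` format, and the function and field names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: time, session id (as logged upstream), client IP, user agent.
SAMPLE_LOG = """\
2023-10-20T09:00:01Z,sess-a1,198.51.100.10,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2023-10-20T09:05:12Z,sess-a1,198.51.100.10,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2023-10-20T09:07:40Z,sess-b2,203.0.113.7,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2023-10-20T09:31:55Z,sess-a1,192.0.2.44,Mozilla/5.0 (X11; Linux x86_64)
2023-10-20T10:02:03Z,sess-b2,203.0.113.7,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
"""


def find_shared_sessions(log_text, window=timedelta(hours=8)):
    """Flag sessions seen from a second client IP within `window` of first use."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps commas inside the user-agent field intact.
        ts, sid, ip, ua = line.split(",", 3)
        events[sid].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, ua))

    findings = []
    for sid, rows in sorted(events.items()):
        rows.sort()
        first_ts, first_ip, first_ua = rows[0]
        for ts, ip, ua in rows[1:]:
            if ip != first_ip and ts - first_ts <= window:
                findings.append({
                    "session": sid,
                    "original_ip": first_ip,
                    "new_ip": ip,
                    "seen_at": ts.isoformat(),
                    # A changed user agent makes roaming a less likely explanation.
                    "user_agent_changed": ua != first_ua,
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_shared_sessions(SAMPLE_LOG):
        print(finding)
```

A hit is a lead to investigate, not proof of compromise: users who roam between networks or sit behind rotating egress addresses will also change IP mid-session.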

If any evidence of potential exploitation is identified, a threat hunt of the internal environment is recommended after the device(s) have been patched and sessions terminated. The threat actors involved are currently unknown, but active exploitation has taken place across a variety of industries and governments. This news comes after another critical NetScaler zero-day vulnerability (CVE-2023-3519, CVSS score 9.8) was patched in July, having been actively exploited for a month before that.

The Citrix security bulletin is available here: https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967


