How cybercriminals are profiting from the Citrix Bleed flaw


It has now been more than six weeks since virtualization and cloud services provider Citrix reported a particularly critical vulnerability in two of its products, NetScaler ADC and NetScaler Gateway. But, as often happens, organizations that run this equipment are slow to apply the patches, which delights cybercriminals of every kind.

“Any equipment that has not been updated must be considered compromised”, CERT-FR has just warned in an update to its alert bulletin. “It is imperative to carry out investigations without delay, based on all the recommendations provided in the various publications,” continues the government center for monitoring, alerting and responding to computer attacks, which is attached to Anssi, the state's cyber firefighters.

Too many instances still vulnerable

According to data from Shadowserver, a foundation dedicated to researching malicious activity, there are still around 91 vulnerable instances in France. That is far fewer than when the flaw was announced on October 10, when 813 instances were identified, but it is still far too many. “These are the most common attacks observed on our honeypots,” warns the foundation.

Especially since there is no shortage of evidence of active exploitation of the flaw, which allows attackers to bypass multi-factor authentication mechanisms. Cybersecurity specialist Mandiant quickly reported having identified exploitation of the vulnerability as early as the end of August 2023.

Boeing targeted

But we now know that this flaw was also used to break into the IT systems of a division of the aircraft manufacturer Boeing dedicated to spare parts and distribution, an attack later claimed by the LockBit ransomware gang, which began publishing the stolen data.

Other exploitation attempts were also observed against other victims, whose identities were not specified, according to a joint advisory signed in particular by the FBI and CISA. The latter, the US counterpart of Anssi, has warned 300 organizations likely to be targeted.

But as Le Mag IT notes, other recent victims of cyberattacks evidently used systems vulnerable to this flaw, such as the public sanitation service in the Ile-de-France region. Of course, we do not know whether the attackers actually came in this way, but it is now a serious hypothesis. When in doubt, it is better to patch your systems as quickly as possible.
