FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 300602

Description 

This article describes the Citrix Bleed attack coverage provided by FortiNDR Cloud. CVE-2023-4966 (also known as Citrix Bleed) is an unauthenticated buffer over-read in Citrix NetScaler ADC and NetScaler Gateway that discloses sensitive memory contents, including valid session tokens, when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

CVE ID    

CVE-2023-4966  (https://nvd.nist.gov/vuln/detail/CVE-2023-4966)

NDR Cloud Detection Rule

Detection Rule Name: FortiGuard Outbreak Alert: Citrix ADC and NetScaler Gateway Information
Category: Attack: Installation
Primary MITRE ID: T1071 - Application Layer Protocol

Playbook 

Playbook: Citrix Bleed Attack (CVE-2023-4966)

This playbook identifies activity related to exploitation of Citrix Bleed (CVE-2023-4966). Citrix Bleed is being widely exploited, with multiple threat actors, including ransomware groups, targeting internet-accessible NetScaler ADC and Gateway instances. After exploiting CVE-2023-4966, attackers may perform network reconnaissance, steal account credentials and move laterally over RDP. The exploit is triggered by sending an HTTP request with a very large Host header value; the appliance echoes that value into its response and reads past the end of its buffer, returning memory that can contain valid session tokens. Because a stolen token lets the attacker resume an authenticated session without credentials or MFA, patching alone does not evict an attacker who already holds one: after upgrading, active and persistent sessions should be terminated and the playbook's post-exploitation indicators (reconnaissance, credential theft, RDP lateral movement) reviewed.

Threat hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for Citrix Bleed related activity:
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=Citrix%20Bleed%20Attack

Suricata Coverage

Customers can create custom investigations and detections using the Emerging Threats Suricata signatures below (2048931 fires on the oversized request, 2048932 on a response indicating the over-read succeeded):
2048931 -> ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)  
2048932 -> ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966) 
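The request/response pattern the playbook describes and the two Suricata signatures cover can also be checked directly in code. The following is an added example, not FortiNDR Cloud code and not the Emerging Threats rule logic: it flags a request to the NetScaler OpenID discovery path (the endpoint public proof-of-concept code targets) whose Host header exceeds an assumed length threshold, and on the response side treats bytes trailing the JSON document as a heuristic sign that memory was leaked. The threshold, the function names and the sample traffic are all constructed for this example.

```python
"""Detection logic for the Citrix Bleed (CVE-2023-4966) request/response pattern.
Added example: not FortiNDR Cloud code and not the ET rule logic.
Sample traffic below is constructed."""
import json

# Endpoint targeted by public proof-of-concept code for CVE-2023-4966.
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
# Assumed threshold: a legitimate Host value is far shorter than this.
HOST_LEN_THRESHOLD = 1024


def parse_http(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, lowercase-name headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def is_exploit_attempt(raw_request: bytes) -> bool:
    """Request side: OpenID discovery path plus an oversized Host header."""
    start, headers, _ = parse_http(raw_request)
    parts = start.split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    host = headers.get(b"host", b"")
    return path.endswith(OPENID_PATH) and len(host) > HOST_LEN_THRESHOLD


def leaked_bytes(raw_response: bytes) -> int:
    """Response side: number of non-whitespace bytes that follow the JSON document.

    The vulnerable handler writes the discovery JSON and then keeps sending
    memory past the end of its buffer, so trailing data after the closing
    brace is the indicator used here (a heuristic assumption for this example).
    """
    _, _, body = parse_http(raw_response)
    text = body.decode("latin-1")
    try:
        _, end = json.JSONDecoder().raw_decode(text)
    except json.JSONDecodeError:
        return 0
    return len(text[end:].strip())


def scan(flows):
    """flows: iterable of (client, raw_request, raw_response).

    Returns (client, verdict, trailing_byte_count) for each matching flow,
    where verdict is "successful" if the response carried trailing data."""
    findings = []
    for client, req, resp in flows:
        if is_exploit_attempt(req):
            n = leaked_bytes(resp)
            findings.append((client, "successful" if n else "attempt", n))
    return findings


# Constructed sample traffic: one benign discovery request, and one attempt
# (multi-kilobyte Host value) whose response carries bytes after the JSON.
BENIGN_REQ = (b"GET " + OPENID_PATH.encode() + b" HTTP/1.1\r\n"
              b"Host: vpn.example.com\r\n\r\n")
EXPLOIT_REQ = (b"GET " + OPENID_PATH.encode() + b" HTTP/1.1\r\n"
               b"Host: " + b"a" * 24812 + b"\r\n\r\n")
CLEAN_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
              b'{"issuer": "https://vpn.example.com"}')
LEAKY_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
              b'{"issuer": "https://aaaa"}' + b"\x00" * 16 + b"SESSID=deadbeef")

FLOWS = [("10.0.0.5", BENIGN_REQ, CLEAN_RESP),
         ("203.0.113.7", EXPLOIT_REQ, LEAKY_RESP)]

if __name__ == "__main__":
    for client, verdict, n in scan(FLOWS):
        print(f"{client}: Citrix Bleed {verdict} ({n} trailing bytes)")
```

The request-side check mirrors what signature 2048931 keys on (the endpoint plus an abnormally long Host value); the response-side check is a stand-in for 2048932 and will miss leaks on responses that are not parseable JSON, so treat it as a triage aid rather than a replacement for the signatures.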

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/citrix-bleed-attack
