Indications of real-world exploitation: ReliaQuest researchers said that, in multiple incidents, attackers were seen hijacking active Citrix web sessions and bypassing multi-factor authentication (MFA) without requiring user credentials. The research also highlighted “session reuse across multiple IPs, including combinations of expected and suspicious IPs.”

In compromised environments, attackers proceeded with post-authentication reconnaissance, issuing Lightweight Directory Access Protocol (LDAP) queries and running tools like ADExplorer64.exe to map out Active Directory structures. “Multiple instances of the ‘ADExplorer64.exe’ tool across the environment, querying domain-level groups and permissions and connecting to multiple domain controllers, were observed,” researchers added. Additionally, many of the malicious sessions originated from consumer VPN services and data center IPs, which further obscured the attackers’ identities while maintaining persistence inside networks.

Apart from applying the patches, organizations are also advised to audit external NetScaler exposure (via tools like Shodan) and implement network ACLs or access restrictions until fully patched. After successful patching, Citrix advised admins to terminate all active ICA and PCoIP sessions for an added layer of protection.
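The “session reuse across multiple IPs” indicator quoted above is simple to hunt for once session events are tabulated by session ID. The following is an added example (not from the article, Citrix or ReliaQuest); the log format and IP addresses are constructed for illustration, and a real NetScaler or Gateway deployment would need its own parser for the equivalent fields.

```python
"""Flag session IDs observed from more than one source IP.

Added example; the key=value log format below is constructed and is not a
real NetScaler format. Each event carries a timestamp, a session ID, the
client source IP and an action.
"""
from collections import defaultdict

# Constructed sample events: one session (A1B2) is later used from a second
# IP without a new login, which is the hijack pattern described in the report.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z sess=A1B2 src=203.0.113.10 action=login
2025-06-25T10:05:12Z sess=A1B2 src=203.0.113.10 action=ica_launch
2025-06-25T10:07:44Z sess=A1B2 src=198.51.100.77 action=ica_launch
2025-06-25T10:09:03Z sess=C3D4 src=192.0.2.55 action=login
2025-06-25T10:10:30Z sess=C3D4 src=192.0.2.55 action=ica_launch
"""


def parse_events(text):
    """Parse constructed log lines into dicts: {'ts', 'sess', 'src', 'action'}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, **kv})
    return events


def ips_per_session(events):
    """Map each session ID to the ordered list of distinct source IPs seen."""
    seen = defaultdict(list)
    for e in events:
        if e["src"] not in seen[e["sess"]]:
            seen[e["sess"]].append(e["src"])
    return seen


def find_reused_sessions(events, expected_ips=frozenset()):
    """Return {session_id: {'ips': [...], 'mixes_expected_and_unexpected': bool}}
    for sessions seen from more than one source IP.

    expected_ips holds addresses the organization considers normal (for
    example its own egress ranges); a session that mixes an expected IP with
    an unexpected one matches the 'expected and suspicious IPs' pattern.
    """
    hits = {}
    for sess, ips in ips_per_session(events).items():
        if len(ips) > 1:
            in_expected = {ip in expected_ips for ip in ips}
            hits[sess] = {"ips": ips, "mixes_expected_and_unexpected": in_expected == {True, False}}
    return hits
```

Feeding the same logic with ADExplorer64.exe process events from endpoint telemetry gives a second, independent signal for the post-authentication reconnaissance the researchers describe.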
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4014701/patch-now-citrix-bleed-2-vulnerability-actively-exploited-in-the-wild.html

