Skip to Main Content
December 12, 2023

Tech Brief - Citrix Bleed Abused by Ransomware Crews

Written by Carlos Perez
Vulnerability Assessment Research

Welcome to our first brief on current events in the industry that TrustedSec believes our customers should know.

Citrix Bleed Abused by Ransomware Crews

Citrix vulnerability CVE 2023-4966 impacts Citrix NetScaler web application delivery control and NetScaler Gateway appliances. Ransomware crews are exploiting this vulnerability to attack multiple sectors. One of the most recent cases of this is an attack against Ongoing Operations, a technology provider for credit unions in the United States, allowing the attackers to move laterally to 60 credit unions.

This year, several vulnerabilities on perimeter devices have been exploited, including Citrix Bleed. This specific vulnerability allows the attacker to hijack a current session by sending an oversized request to the device, causing it to expose the error message information from memory-leaking session tokens. At TrustedSec, our experience has been that finding evidence on NetScaler devices is difficult. For 25 files per log type (as in ns.log) and 100KB in each log, the default NetScaler log rotation configuration records 2.5MB. This log size will typically not have enough room to record all the information during an investigation; often, it only lasts a couple of days or a couple of hours in high-use environments based on our investigations of similar incidents. Most organizations do not collect the logs for these devices using Syslog into a SIEM, making tracking abuse of these vulnerabilities difficult.


It is essential for organizations to work on identifying gaps in data sources for logs and to ensure that detections are being put in place for recent attacks. Given the difficulty and the risks associated with patching, it is challenging for large organizations to patch vulnerabilities within 48 hours, which is the time window before we see mass exploitation of vulnerabilities with a public proof of concept. Because of these, we recommend the following:

  • Identify gaps in log collection; two (2) of the most common gaps are network devices and client machines.
  • Develop and test detections to address attack paths to critical workflows in the organization.
  • Develop, rehearse, and improve incident response procedures for alerts triggered.
  • Ensure coordination and planning with technology providers during an event. This also includes having retainers for third parties in place to accelerate their involvement in the case of a security event.

These recommendations also apply to events like the one seen targeting multiple password vault solutions and MFA providers. Having a robust detection system and workflow that is tested often allow organization to be ready for unforeseen challenges. Many organizations are now stopping ransomware attacks in early stages, limiting the impact, and it is thanks to this approach.