
Citrix NetScaler devices targeted in brute force campaign

Citrix advised NetScaler customers to ensure that their devices are fully updated and properly configured to defend against the recent spike in brute force attacks.

Attackers are targeting misconfigured and outdated Citrix NetScaler devices with increased levels of brute force attacks.

Citrix NetScaler is a popular application delivery controller (ADC) that has become a frequent target of threat actors in recent years. In January for example, Citrix disclosed two zero-day flaws in NetScaler ADC and NetScaler Gateway products that were under active exploitation at the time.

Germany's Federal Office for Information Security (BSI) warned of increased brute force attacks against NetScaler devices in a Tuesday advisory. BSI said the reports of attacks came from various organizations in the critical infrastructure sector as well as international partners.

Word of the increased attacks first emerged last Thursday in a blog post from Cyderes, a managed security service provider based in Kansas City. Cyderes said it has observed a "significant uptick" in brute force attacks targeting misconfigured or outdated Citrix NetScaler devices. Cyderes director of managed services operations Ethan Fite wrote in the post that the attacks primarily originate from an unnamed cloud provider in Hong Kong and target multiple client environments. Moreover, the activity coincides "with recent critical vulnerability disclosures affecting Citrix NetScaler."

The blog post referenced CVE-2024-8534 and CVE-2024-8535 -- two flaws affecting NetScaler ADC and Gateway that were disclosed and patched last month -- as examples. In its advisory, Citrix described CVE-2024-8534 as a "Memory safety vulnerability leading to memory corruption and Denial of Service" (CVSS score 8.4) and CVE-2024-8535 as "Authenticated user can access unintended user capabilities" (CVSS score 5.8). Citrix parent company Cloud Software Group urged affected customers to install the updated versions that fix these issues.

"Attackers are leveraging a distributed brute force strategy, often changing IP addresses and Autonomous System Numbers (ASNs) with each attempt, making detection and mitigation challenging," Fite wrote.

Cyderes' blog post includes a list of IP addresses and ranges associated with the threat activity, and the managed security provider recommends NetScaler users block high-risk IP ranges to reduce exposure.

Moreover, Fite said NetScaler customers should patch and upgrade NetScaler devices to supported releases, configure remote desktop protocol securely or disable it entirely if not needed, and monitor for anomalous activity.
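As an added example (not code from the article, Cyderes or Citrix), the following compares two detection rules over constructed log lines: a classic per-IP failure threshold never fires against a campaign that rotates source IP and ASN every attempt or two, while a per-target rule that counts distinct sources failing on one account inside a short window does. The key=value log layout is an assumption for illustration, not NetScaler's actual syslog format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (field layout is assumed, not NetScaler's real syslog format).
# Each attacker IP fails only once or twice, but one account collects failures from
# many IPs and ASNs within seconds: the pattern described in the Cyderes post.
SAMPLE_LOGS = """\
2024-11-19T10:00:01 src=203.0.113.5 asn=64500 user=admin result=FAIL
2024-11-19T10:00:03 src=203.0.113.5 asn=64500 user=admin result=FAIL
2024-11-19T10:00:05 src=198.51.100.7 asn=64501 user=admin result=FAIL
2024-11-19T10:00:12 src=192.0.2.44 asn=64502 user=admin result=FAIL
2024-11-19T10:00:14 src=192.0.2.45 asn=64502 user=admin result=FAIL
2024-11-19T10:00:20 src=192.0.2.46 asn=64503 user=admin result=FAIL
2024-11-19T10:00:30 src=203.0.113.90 asn=64504 user=admin result=FAIL
2024-11-19T10:05:00 src=203.0.113.99 asn=64510 user=jsmith result=FAIL
2024-11-19T10:05:30 src=203.0.113.99 asn=64510 user=jsmith result=SUCCESS""".splitlines()

PER_IP_THRESHOLD = 5       # classic rule: failures from a single source IP
DISTINCT_IP_THRESHOLD = 4  # distributed rule: distinct source IPs failing on one account
WINDOW = timedelta(minutes=5)

def parse(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def failures(lines):
    return sorted((f for f in map(parse, lines) if f["result"] == "FAIL"), key=lambda f: f["ts"])

def per_ip_alerts(lines):
    """Per-source rule: blind to a campaign that rotates IPs every attempt or two."""
    fails = defaultdict(int)
    for f in failures(lines):
        fails[f["src"]] += 1
    return {ip for ip, n in fails.items() if n >= PER_IP_THRESHOLD}

def distributed_alerts(lines):
    """Per-target rule: flag an account hit by many distinct IPs within WINDOW.
    Returns {user: (distinct_ips, distinct_asns)} for the first window that trips."""
    by_user = defaultdict(list)
    for f in failures(lines):
        by_user[f["user"]].append(f)
    alerts = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            ips = {e["src"] for e in window}
            if len(ips) >= DISTINCT_IP_THRESHOLD:
                alerts[user] = (len(ips), len({e["asn"] for e in window}))
                break
    return alerts
```

On the sample data the per-IP rule returns nothing while the per-target rule flags `admin` with six distinct IPs across five ASNs; a successful login following such a window is the event worth escalating.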

In an email, a spokesperson for Citrix seconded Cyderes' recommendations.

"We agree with the recommendations shared in Cyderes' blog. Citrix encourages organizations to maintain their NetScalers by updating to the latest versions, applying security patches, and ensuring proper configurations," the spokesperson said.

Caitlin Condon, director of vulnerability intelligence at Rapid7, told Informa TechTarget Editorial that although the vendor hasn't observed this specific pattern of activity, brute force activity like that described in Fite's post has an "incredibly high" baseline.

"Rapid7 regularly investigates brute force attacks affecting customers but hasn't observed any particular patterns specifically for Citrix NetScaler devices," she said in an email. "It's worth noting, however, that the baseline for these attacks is incredibly high on an ongoing basis. VPNs, secure gateways, and any other such devices on the public internet are almost certainly going to be brute forced quickly and consistently. Defense in depth is the best policy for organizations, starting with basics like ensuring MFA is implemented -- and enforced! -- and that internet exposure is limited wherever possible."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
