Citrix shares mitigations for ongoing Netscaler password spray attacks

Citrix Netscaler is the latest target in widespread password spray attacks targeting edge networking devices and cloud platforms this year to breach corporate networks.

In March, Cisco reported that threat actors were conducting password spray attacks on Cisco VPN devices. In some cases, these attacks caused a denial-of-service state, which allowed the company to identify a DDoS vulnerability that it fixed in October.

In October, Microsoft warned that the Quad7 botnet was abusing compromised TP-Link, Asus, Ruckus, Axentra, and Zyxel networking devices to perform password spray attacks on cloud services.

Earlier this week, Germany’s BSI cybersecurity agency warned of numerous reports that Citrix Netscaler devices are now targeted in similar password spray attacks to steal login credentials and breach networks.

"The BSI is currently receiving increasing reports of brute force attacks against Citrix Netscaler gateways from various KRITIS sectors and from international partners," the BSI said.

News of the attacks was first reported by Born City last week, whose readers stated they had begun to experience brute force attacks on their Citrix Netscaler devices starting in November and continuing into December.

Some of the readers reported receiving between 20,000 and a million attempts to brute force account credentials using a variety of generic user names, including the following:

test, testuser1, veeam, sqlservice, scan, ldap, postmaster, vpn, fortinet, confluence, vpntest, stage, xerox, svcscan, finance, sales.
Other user names seen in the password spray attacks include first names, first.lastname pairs, and email addresses.

Citrix releases advisory
Today, Citrix released a security bulletin warning of the uptick in password spray attacks on Netscaler devices and provided mitigations on how to reduce their impact.

"Cloud Software Group has recently observed an increase in password spraying attacks directed at NetScaler appliances. These attacks are characterized by a sudden and significant increase in authentication attempts and failures, which trigger alerts across monitoring systems, including Gateway Insights and Active Directory logs. The attack traffic originates from a broad range of dynamic IP addresses, making traditional mitigation strategies such as IP blocking and rate limiting less effective.

Customers using Gateway Service don't need to take any remediating measures. Only NetScaler/NetScaler Gateway appliances deployed on premises or in cloud infrastructure require these mitigations."

Citrix says the password spray attacks are originating from a broad range of IP addresses, making it difficult to block these attempts using IP blocking or rate limiting.

The company further warned that a sudden, large surge of authentication requests can overwhelm Citrix Netscaler devices sized for a normal login volume, inflating logging and causing the devices to become unavailable or suffer performance problems.
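The signals Citrix describes (a sudden spike in failed logins, traffic from many distinct IP addresses, and the generic service-style user names reported by Born City readers) can be turned into a simple detection over authentication logs. The following is an added example written for this article, not code from Citrix or NetScaler; the log line format, field order and thresholds are assumptions, and the sample log is constructed.

```python
# Added example (not Citrix/NetScaler code): flag password-spray windows in auth logs.
from collections import Counter
from datetime import datetime, timedelta

# Generic user names quoted in the article's reader reports.
GENERIC_USERNAMES = {
    "test", "testuser1", "veeam", "sqlservice", "scan", "ldap", "postmaster",
    "vpn", "fortinet", "confluence", "vpntest", "stage", "xerox", "svcscan",
    "finance", "sales",
}

def parse_line(line):
    """Parse one constructed log line: '<ISO time> <src_ip> <user> <SUCCESS|FAIL>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "FAIL"

def detect_spray(lines, window=timedelta(minutes=10), min_failures=50,
                 min_ips=20, min_users=10):
    """Return a report for the densest failure window crossing all thresholds,
    or None. Thresholds are assumptions; tune them to your own login baseline."""
    events = sorted(parse_line(l) for l in lines)
    failures = [e for e in events if e[3]]
    best = None
    for i, (start, _, _, _) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - start <= window]
        ips = {e[1] for e in in_window}                 # many dynamic source IPs
        users = Counter(e[2] for e in in_window)        # many distinct user names
        generic = sum(c for u, c in users.items() if u in GENERIC_USERNAMES)
        if (len(in_window) >= min_failures and len(ips) >= min_ips
                and len(users) >= min_users):
            report = {"start": start, "failures": len(in_window),
                      "distinct_ips": len(ips), "distinct_users": len(users),
                      "generic_user_failures": generic}
            if best is None or report["failures"] > best["failures"]:
                best = report
    return best

def constructed_sample():
    """Constructed sample: a quiet baseline, then a spray from 40 IPs."""
    base = datetime(2024, 12, 10, 8, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).isoformat()} 10.0.0.5 alice SUCCESS"
             for m in range(0, 60, 5)]
    users = sorted(GENERIC_USERNAMES) + ["john.smith", "mary.jones"]
    for n in range(120):
        t = base + timedelta(hours=2, seconds=n * 3)
        lines.append(f"{t.isoformat()} 203.0.113.{n % 40 + 1} "
                     f"{users[n % len(users)]} FAIL")
    return lines
```

Run `detect_spray(constructed_sample())` to see the flagged window; on the baseline-only slice it returns None, since nothing crosses the thresholds.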

Citrix says that in the attacks they observed, the authentication requests targeted pre-nFactor endpoints, which are historical authentication URLs used for compatibility with legacy configurations.

The company has shared a series of mitigations that can reduce the impact of these attacks, including:

Ensure multi-factor authentication is configured before the LDAP factor.
Because the attacks target the appliance's IP address directly, Citrix recommends creating a responder policy that drops authentication requests unless they are made to a specified Fully Qualified Domain Name (FQDN).
Block the Netscaler endpoints associated with pre-nFactor authentication requests unless they are necessary for your environment.
Use the web application firewall (WAF) to block IP addresses with a low reputation resulting from previous malicious behavior.
Citrix says that customers using Gateway Service do not need to apply these mitigations, as they are only for NetScaler/NetScaler Gateway devices deployed on premise or in the cloud.

The company also notes that the mitigations are only available on NetScaler firmware version 13.0 or later.

More detailed instructions on how to apply these mitigations can be found in Citrix's advisory.

Lawrence Abrams