Citrix NetScaler Devices Under Attack

A significant surge in brute-force attacks is targeting Citrix NetScaler devices across multiple organizations.

The attacks, primarily originating from a Hong Kong-based cloud provider, are exploiting misconfigured and outdated systems, coinciding with recent critical vulnerability disclosures affecting Citrix NetScaler.

The attacks have spiked in proximity to newly disclosed vulnerabilities, particularly CVE-2024-8534 and CVE-2024-8535, identified in November 2024.


CVE-2024-8534 is a memory safety vulnerability that can lead to memory corruption and denial of service.

CVE-2024-8535 allows authenticated users to access unintended user capabilities due to a race condition.

Ethan Fite, director of managed services operations at Cyderes, reported that attackers employ a distributed brute-force strategy, frequently changing IP addresses and Autonomous System Numbers (ASNs) with each attempt. This tactic makes detection and mitigation particularly challenging for security teams.


The German Federal Office for Information Security (BSI) has also warned about increased brute-force attacks against NetScaler devices, with reports coming from various organizations in the critical infrastructure sector and international partners.

Here’s a table containing the IP addresses associated with the brute-force attacks:

IP Address
45.145.4(.)0/24
45.8.227(.)246
212.87.223(.)3
185.92.182(.)129
185.92.180(.)100
185.92.180(.)185
185.92.182(.)172
185.92.182(.)0/24
185.92.180(.)0/24
194.113.37(.)91
185.92.182(.)174
185.92.182(.)86
46.8.227(.)238
46.8.227(.)171
194.113.37(.)0/24
212.87.223(.)207
194.113.37(.)116
212.87.223(.)170
45.159.209(.)0/24
194.113.37(.)214
212.87.223(.)78
194.113.37(.)193
46.8.227(.)71
188.130.207(.)178
193.242.145(.)120
194.113.37(.)180
212.87.223(.)140
95.182.96(.)42
109.120.136(.)0/24
193.124.254(.)0/24
208.115.218(.)90

This table lists all the IP addresses and IP ranges associated with the recent brute-force attacks targeting Citrix NetScaler devices. These addresses should be monitored and potentially blocked to mitigate the risk of attacks.

To mitigate these threats, cybersecurity experts recommend several immediate actions:

  1. Block high-risk IP ranges, particularly those associated with the Hong Kong-based cloud provider.
  2. Patch and upgrade NetScaler devices to the latest supported versions, especially addressing CVE-2024-8534 and CVE-2024-8535.
  3. Validate configurations, ensuring secure setup of the Remote Desktop Protocol (RDP) feature or disabling it if unnecessary.
  4. Implement geographic blocking for high-risk or operationally unnecessary locations.
  5. Monitor for anomalous activity, such as spikes in failed login attempts or traffic irregularities.
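
The monitoring step above (spikes in failed logins) and the IP-matching step (blocking the listed ranges) can be combined in one small detector. The following is an added example, not code from the article, Cyderes or Citrix: it refangs indicators written in the article's "(.)" form into networks, and then scans authentication-failure log lines, flagging any source that falls inside an indicator range and any /24 that produces a burst of failures inside a short window. Aggregating by /24 rather than by single address is a deliberate choice against the IP-hopping the article describes. The log line format, the field names, the sample lines and the threshold are all constructed assumptions; a real NetScaler AAA log will need its own regular expression.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the defanged indicators from the article's table ("(.)" is the defang form).
DEFANGED_IOCS = [
    "45.145.4(.)0/24",
    "45.8.227(.)246",
    "185.92.182(.)0/24",
    "194.113.37(.)91",
    "212.87.223(.)3",
]


def refang(indicator: str) -> str:
    """Turn '1.2.3(.)4' (or '1.2.3[.]4') back into a routable literal."""
    return indicator.replace("(.)", ".").replace("[.]", ".")


def build_ioc_networks(indicators):
    """Parse indicators into ip_network objects; bare hosts become /32."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]


def ioc_match(ip: str, networks):
    """Return the first indicator network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


# Constructed line format (an assumption, not NetScaler's real AAA syslog layout):
#   "<ISO timestamp> AAA LOGIN_FAILED user=<name> client_ip=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) AAA LOGIN_FAILED user=(?P<user>\S+) client_ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Parse one failure line; returns None for non-matching or malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def detect(lines, networks, threshold=5, window=timedelta(minutes=5)):
    """Return indicator hits and per-/24 failure bursts.

    spikes maps a /24 to the largest number of failures seen inside any
    `window`-long sliding interval, only when that number reaches `threshold`.
    """
    by_subnet = defaultdict(list)
    ioc_hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # successes and unrelated lines are ignored
        net = ioc_match(ev["ip"], networks)
        if net is not None:
            ioc_hits.append((ev["ip"], str(net)))
        subnet = ipaddress.ip_network(ev["ip"] + "/24", strict=False)
        by_subnet[str(subnet)].append(ev["ts"])

    spikes = {}
    for subnet, stamps in by_subnet.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window's left edge
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                spikes[subnet] = max(spikes.get(subnet, 0), count)
    return {"ioc_hits": ioc_hits, "spikes": spikes}


# Constructed sample log: five failures from one listed /24 within two minutes,
# one from a listed single host, and one benign failure from an internal address.
SAMPLE_LOGS = [
    "2024-11-20T10:00:00 AAA LOGIN_FAILED user=admin client_ip=185.92.182.10",
    "2024-11-20T10:00:30 AAA LOGIN_FAILED user=admin client_ip=185.92.182.11",
    "2024-11-20T10:01:00 AAA LOGIN_FAILED user=nsroot client_ip=185.92.182.12",
    "2024-11-20T10:01:30 AAA LOGIN_FAILED user=admin client_ip=185.92.182.13",
    "2024-11-20T10:02:00 AAA LOGIN_FAILED user=test client_ip=185.92.182.14",
    "2024-11-20T10:02:30 AAA LOGIN_FAILED user=admin client_ip=45.8.227.246",
    "2024-11-20T10:30:00 AAA LOGIN_FAILED user=jdoe client_ip=10.0.0.5",
    "2024-11-20T10:30:05 AAA LOGIN_SUCCESS user=jdoe client_ip=10.0.0.5",
]


def run_sample():
    """Run the detector over the constructed sample with the article's indicators."""
    return detect(SAMPLE_LOGS, build_ioc_networks(DEFANGED_IOCS))


if __name__ == "__main__":
    result = run_sample()
    for ip, net in result["ioc_hits"]:
        print(f"indicator hit: {ip} in {net}")
    for subnet, count in result["spikes"].items():
        print(f"failure burst: {count} failures from {subnet}")
```

On the sample, the five 185.92.182.x failures are reported both as indicator hits and as a burst from 185.92.182.0/24, the 45.8.227.246 failure is an indicator hit only, and the internal 10.0.0.5 failure raises nothing. Feeding the detector with the full table from the article and the device's real AAA log lines is a matter of replacing the indicator list and the regular expression.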

Citrix has released security updates to address these vulnerabilities in NetScaler ADC and NetScaler Gateway versions 14.1-29.72, 13.1-55.34, 13.1-FIPS 13.1-37.207, 12.1-FIPS 12.1-55.321, and 12.1-NDcPP 12.1-55.321. However, versions 12.1 and 13.0, which have reached end-of-life status, remain vulnerable.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert regarding these vulnerabilities, emphasizing that threat actors could potentially exploit them to take control of affected systems.

As the situation continues to evolve, organizations using Citrix NetScaler devices are strongly urged to take immediate action to secure their systems and prevent potential breaches.

The ongoing attacks underscore the critical importance of maintaining up-to-date security measures and remaining vigilant against emerging threats in the ever-changing cybersecurity landscape.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.