Cyber experts and officials raise alarms about exploits against Citrix and Apache products
Several new vulnerabilities with critical severity scores are causing alarm among experts and cyber officials.
Zero-day bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerability (KEV) list.
Incident responders at the cybersecurity company Rapid7 warned of hackers connected to the HelloKitty ransomware exploiting a vulnerability affecting Apache ActiveMQ, classified as CVE-2023-46604. Apache ActiveMQ is a Java-language open source message broker that facilitates communication between servers.
The incident responders said they have dealt with two situations in which HelloKitty ransomware was used after exploitation of the bug. Proof-of-concept exploit code is available and resembles what they saw in the two incidents they responded to, Rapid7 said.
CISA added the vulnerability to its catalog of known exploited bugs on Thursday evening, giving federal civilian agencies until November 23 to address the issue. The agency did not confirm if ransomware actors were exploiting the bug.
Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25.
Experts from Huntress confirmed that they too have seen hackers exploit the vulnerability and attempt to deploy the HelloKitty ransomware.
The vulnerability carries the highest CVSS severity score of 10 out of 10.
“Exploitation for this attack is trivial,” they said, adding that the module used in attacks “works like a charm against vulnerable instances of ActiveMQ.”
Mandiant warns of ‘Citrix Bleed’
A vulnerability dubbed ‘Citrix Bleed’ is being exploited in attacks on government organizations as well as companies in the professional services and technology industries. The vulnerability allows hackers to gain access to sensitive information, according to a security bulletin from Citrix.
On October 10, Citrix said the bug — CVE-2023-4966 — impacts NetScaler ADC and NetScaler Gateway appliances.
Researchers from the cybersecurity company AssetNote have since released a proof-of-concept (PoC) exploit. The bug was rated a 9.4 out of 10 on the CVSS severity scale.
Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August.
The Google-owned cybersecurity giant is currently investigating multiple instances of successful exploitation that allowed hackers to take over NetScaler ADC and Gateway appliances.
“The Netscaler exploitation is at large scale right now,” said Timothy Morris, a security adviser at the cyber firm Tanium.
CISA added the bug to its catalog of exploited bugs last month, giving federal civilian agencies until November 8 to patch the issue.
But several cybersecurity experts warned that it was not enough to simply patch the vulnerability. Those using the products need to investigate signs of compromise. Hoxhunt CEO Mika Aalto told Recorded Future News that it is likely there are many organizations who use the affected products and haven’t performed the recommended mitigations.
Data from the research tool ShadowServer shows that thousands of instances of the affected products were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone. Cybersecurity expert Kevin Beaumont said at least two ransomware gangs are now attempting to exploit the vulnerability in attacks, while Mandiant found four different groups attempting exploitation.
Beaumont called for government cyber agencies to “start banging loud drums about getting orgs to patch #CitrixBleed” on the social media site Mastodon.
“People are going wild with it — it’s point and click simple access to Remote Desktop inside orgs firewalls without generating any alerts or logs,” he wrote.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.