Two bugs in Citrix technology are drawing serious attention this week from the Cybersecurity and Infrastructure Security Agency.
CISA says federal agencies much patch one of the vulnerabilities — tagged as CVE-2023-6548 — by January 24. It’s one of the rare times the cyber agency has put a remediation date of less than three weeks on a vulnerability.
CISA did not respond to requests for comment about why the remediation timeline was shorter than most.
The other bug — listed as CVE-2023-6548 — must be fixed by February 7. CISA’s alerts are aimed at federal agencies but often serve as general warnings for the public.
Several new vulnerabilities with critical severity scores are causing alarm among experts and cyber officials.
Zero-day bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerability (KEV) list.
Incident responders at the cybersecurity company Rapid7 warned of hackers connected to the HelloKitty ransomware exploiting a vulnerability affecting Apache ActiveMQ, classified as CVE-2023-46604. Apache ActiveMQ is a Java-language open source message broker that facilitates communication between servers.
Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.
At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller — to compromise a Microsoft Internet Information Services (IIS) web server. The adversary exploited the vulnerability to deploy a webshell that enabled the downloading of additional tools. This incident highlights how PROPHET SPIDER continues to evolve their tradecraft while continuing to exploit known web-server vulnerabilities.