A surge in password spray attacks targeting Citrix Netscaler devices has emerged as the latest security threat to edge networking devices and cloud platforms. This follows similar attacks on Cisco VPN devices in March and the Quad7 botnet’s exploitation of various networking devices reported by Microsoft in October.
Germany’s BSI cybersecurity agency recently issued an alert regarding numerous reports of these attacks on Citrix Netscaler gateways, particularly affecting critical infrastructure sectors. The attacks, first noticed in November, involve attempts to breach networks using brute force methods, with some targets experiencing between 20,000 and one million login attempts.
The attacks utilize various generic usernames, including:
– Common terms (test, vpn, scan)
– Service accounts (sqlservice, ldap)
– Department names (finance, sales)
– First name and email combinations
Citrix’s Response and Mitigation Strategies
Citrix has acknowledged the situation and released a security bulletin outlining several key mitigation measures:
1. Implementation of multi-factor authentication before LDAP factor
2. Creation of responder policies for FQDN authentication
3. Blocking of pre-nFactor authentication endpoints
4. Utilization of web application firewall (WAF) to block suspicious IPs
The attacks originate from multiple IP addresses, making traditional blocking methods less effective. Citrix notes that while Gateway Service customers are protected, NetScaler/NetScaler Gateway appliances deployed on-premises or in cloud infrastructure require immediate attention. These mitigations apply to NetScaler firmware versions 13.0 and above.
The attacks specifically target pre-nFactor endpoints and can potentially overwhelm devices configured for normal login volumes, leading to performance issues or system unavailability.
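Because the attempts are spread across many source addresses, a per-IP failure counter (the kind a WAF rate limit or fail2ban-style rule keeps) can stay below threshold on every single address while the gateway as a whole is being sprayed. The detection below is an added example, not code from the article or from Citrix: it aggregates NetScaler-style AAA LOGIN_FAILED events per virtual server and time window, and flags a window in which many distinct usernames each fail only once or twice, which is the spray signature, regardless of how many IPs took part. It also reports which of the failed usernames match the generic names the article lists. The log lines are constructed, the field layout is an approximation of NetScaler AAA syslog output, and the regex, thresholds and `GENERIC_USERNAMES` set are assumptions to adapt to your own exports and identity data.

```python
"""Password-spray detection over NetScaler-style AAA authentication logs.

Added example, not the article's or Citrix's code. The log layout below is a
constructed approximation of NetScaler AAA LOGIN_FAILED syslog lines; adjust
LINE_RE to the export format your SIEM actually receives.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic usernames the article reports the campaign probing (constructed set
# from the categories named there; extend it from your own directory data).
GENERIC_USERNAMES = {"test", "vpn", "scan", "sqlservice", "ldap", "finance", "sales"}

# Assumed field layout: syslog timestamp ... AAA LOGIN_FAILED ... User <u> -
# Client_ip <ip> ... Vserver <vserver>. Real exports may differ.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?AAA LOGIN_FAILED"
    r".*?User (?P<user>\S+) - Client_ip (?P<ip>[\d.]+) .*?Vserver (?P<vs>\S+)"
)

# strptime without a year yields 1900; use that as the reference epoch so
# window bucketing never calls timestamp() on a pre-1970 datetime.
EPOCH = datetime(1900, 1, 1)

# Constructed sample: eight different usernames from three IPs in four minutes
# (spray), one lone probe in the next window, and one real user mistyping a
# password three times (not a spray).
SAMPLE_LOGS = """\
Dec 12 10:00:01 ns01 0-PPE-0 : default AAA LOGIN_FAILED 101 0 : User test - Client_ip 198.51.100.10 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:00:33 ns01 0-PPE-0 : default AAA LOGIN_FAILED 102 0 : User vpn - Client_ip 198.51.100.11 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:01:05 ns01 0-PPE-0 : default AAA LOGIN_FAILED 103 0 : User scan - Client_ip 198.51.100.12 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:01:40 ns01 0-PPE-0 : default AAA LOGIN_FAILED 104 0 : User sqlservice - Client_ip 198.51.100.10 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:02:12 ns01 0-PPE-0 : default AAA LOGIN_FAILED 105 0 : User ldap - Client_ip 198.51.100.11 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:02:48 ns01 0-PPE-0 : default AAA LOGIN_FAILED 106 0 : User finance - Client_ip 198.51.100.12 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:03:20 ns01 0-PPE-0 : default AAA LOGIN_FAILED 107 0 : User sales - Client_ip 198.51.100.10 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:03:50 ns01 0-PPE-0 : default AAA LOGIN_FAILED 108 0 : User jsmith - Client_ip 198.51.100.11 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 10:07:02 ns01 0-PPE-0 : default AAA LOGIN_FAILED 109 0 : User admin - Client_ip 198.51.100.12 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 11:30:10 ns01 0-PPE-0 : default AAA LOGIN_FAILED 110 0 : User alice - Client_ip 192.0.2.7 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 11:30:25 ns01 0-PPE-0 : default AAA LOGIN_FAILED 111 0 : User alice - Client_ip 192.0.2.7 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
Dec 12 11:30:41 ns01 0-PPE-0 : default AAA LOGIN_FAILED 112 0 : User alice - Client_ip 192.0.2.7 - Nat_ip "Mapped Ip" - Vserver 203.0.113.5:443 - Failure_reason "External authentication server denied access"
"""


def parse_line(line):
    """Return a failed-login event dict, or None for lines that are not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "user": m["user"].lower(),
        "ip": m["ip"],
        "vserver": m["vs"],
    }


def detect_spray(lines, window=timedelta(minutes=5), min_users=5, max_tries_per_user=2.0):
    """Flag (vserver, window) buckets where many distinct users each fail a
    few times. Aggregating per vserver, not per source IP, is what catches a
    campaign spread over many addresses."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        slot = int((ev["ts"] - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ev["vserver"], slot)].append(ev)

    findings = []
    for (vserver, slot), events in sorted(buckets.items()):
        users = {e["user"] for e in events}
        ips = {e["ip"] for e in events}
        tries_per_user = len(events) / len(users)
        if len(users) >= min_users and tries_per_user <= max_tries_per_user:
            findings.append({
                "vserver": vserver,
                "window_start": EPOCH + timedelta(seconds=slot * window.total_seconds()),
                "attempts": len(events),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "generic_users": sorted(users & GENERIC_USERNAMES),
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOGS.splitlines()):
        print(f"{f['window_start']:%H:%M} {f['vserver']}: {f['attempts']} failures, "
              f"{f['distinct_users']} users from {f['distinct_ips']} IPs; "
              f"generic names: {', '.join(f['generic_users'])}")
```

On the constructed sample this reports one window: 8 failures across 8 usernames from 3 IPs, 7 of them generic. No single IP made more than three attempts, so a per-IP threshold of five would never have fired, while alice's three failures from one address are correctly left alone. Tune `min_users` and the window to the login volume your gateway normally sees, since the article notes that devices sized for normal traffic can be overwhelmed well before an alert would otherwise trigger.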