Article contributed by Ethan Fite
In recent weeks, Cyderes has observed a significant uptick in brute force attacks targeting Citrix NetScaler devices across multiple client environments.
These attacks, emanating primarily from a cloud provider based in Hong Kong, exploit misconfigured or outdated systems. They coincide with recent critical vulnerability disclosures affecting Citrix NetScaler, underscoring the urgent need for organizations to act decisively to protect their infrastructure.
Overview of the Threat
Attackers are leveraging a distributed brute force strategy, often changing IP addresses and Autonomous System Numbers (ASNs) with each attempt, making detection and mitigation challenging.
Notably, attacks appear to spike in proximity to new vulnerability disclosures, such as the ones identified in November 2024:
CVE-2024-8534: Improper access control leading to authenticated users gaining unintended access.
CVE-2024-8535: Potential for privilege escalation under specific conditions.
These vulnerabilities have been detailed by Citrix in their security bulletin, and should serve as a catalyst for immediate action by affected organizations.
IP Blocks Associated with Attacks
Below is a list of IP addresses and ranges implicated in the current wave of brute force attempts:
Recommended Actions
To counteract these threats, Cyderes recommends the following proactive measures:
1) Block High-Risk IP Ranges
Many of these attacks originate from IP blocks associated with the Hong Kong-based cloud provider. Blocking these ranges via firewalls or network policies can reduce exposure. A comprehensive list of IP ranges is available at IPInfo.
2) Patch and Upgrade NetScaler Devices
- If you are running an End-of-Life (EoL) version of NetScaler, upgrade immediately to a supported release. Neglected deployments are common and remain highly vulnerable.
- For supported versions, apply the latest security patches, especially those addressing CVE-2024-8534 and CVE-2024-8535.
3) Validate Configurations
- Ensure that the Remote Desktop Protocol (RDP) feature is configured securely. Disable it entirely if not needed.
- Regularly review access control policies and user authentication mechanisms.
4) Implement Geographic Blocking
5) Monitor for Anomalous Activity
Use tools to identify spikes in failed login attempts or traffic anomalies. Attackers are using sophisticated tactics, including shifting ASNs and IPs.
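As an added illustration of this monitoring step (example code, not Cyderes' tooling or part of the original article), the script below aggregates failed logins per account across rotating source addresses and flags an account when many failures from many distinct sources land inside one short window, which is the pattern a per-IP lockout misses. The log line format, thresholds and sample lines are constructed assumptions; the CIDRs are a subset of the ranges this advisory attributes to the campaign.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) line format: "<ISO timestamp> AAA LOGIN_FAILED User <name> - Client_ip <address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) AAA LOGIN_FAILED User (?P<user>\S+) - Client_ip (?P<ip>\S+)$")

# Subset of the ranges this advisory attributes to the campaign.
BLOCKED = [ipaddress.ip_network(c) for c in ("45.145.4.0/24", "185.92.182.0/24", "194.113.37.0/24")]

# Constructed sample: one account hit from five sources in 20 s, one user with two typos from one address.
SAMPLE_LOG = """\
2024-11-20T10:00:01 AAA LOGIN_FAILED User admin - Client_ip 45.145.4.10
2024-11-20T10:00:05 AAA LOGIN_FAILED User admin - Client_ip 185.92.182.129
2024-11-20T10:00:09 AAA LOGIN_FAILED User admin - Client_ip 194.113.37.91
2024-11-20T10:00:14 AAA LOGIN_FAILED User admin - Client_ip 212.87.223.3
2024-11-20T10:00:20 AAA LOGIN_FAILED User admin - Client_ip 46.8.227.238
2024-11-20T10:03:00 AAA LOGIN_FAILED User jsmith - Client_ip 10.0.0.5
2024-11-20T10:03:30 AAA LOGIN_FAILED User jsmith - Client_ip 10.0.0.5
2024-11-20T10:04:00 AAA LOGIN_SUCCESS User jsmith - Client_ip 10.0.0.5
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, user, ip) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], ipaddress.ip_address(m["ip"])

def detect(lines, window=timedelta(minutes=10), min_failures=5, min_sources=3):
    """Flag accounts with >= min_failures failures from >= min_sources distinct IPs inside any window."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(lines)):
        by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():          # hits are time-ordered per user
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                      # slide the window forward
            span = hits[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                best = alerts.get(user, {"failures": 0})
                if len(span) > best["failures"]:   # keep the densest window seen for this account
                    alerts[user] = {"failures": len(span), "sources": len(sources),
                                    "known_bad": any(ip in n for ip in sources for n in BLOCKED)}
    return alerts
```

Run against a real export, the thresholds should be tuned to the baseline of the environment so that a single user mistyping a password does not trip the alert while a distributed campaign against one account does.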
6) Engage with Cyderes
Cyderes can assist in implementing architectural changes, monitoring ongoing attacks, and providing expert advice on hardening your NetScaler deployments.
Conclusion
Brute force attacks and vulnerability exploitation campaigns are a persistent threat, particularly against neglected or unpatched systems. These attacks highlight the importance of staying vigilant in monitoring, patching, and securing your infrastructure. By acting promptly, organizations can mitigate risk and maintain operational integrity.
Cyderes is committed to helping clients navigate these complex threats. If you need assistance securing your NetScaler devices or defending against other sophisticated cyberattacks, contact us today.