A quick question or information for the readers of the blog who use Citrix Netscaler Gateways. Were you able to observe a massive increase in attack attempts on these instances yesterday evening? A blog reader has just informed me about a corresponding observation by e-mail (thanks for the info).
The NetScaler Gateway from Citrix enables remote access from devices to the internal network and internal resources. According to this page, users can use the Citrix Gateway Service (Preview) or an on-premises NetScaler Gateway.
Attack attempts on NetScaler Gateway
German blog reader Christian is responsible for a Citrix NetScaler Gateway in a company I know. In his email, he wrote that there were massive attacks on the Citrix Netscaler gateways at his company yesterday (December 5, 2024) between 5:00 pm and 10:00 pm. The attackers tried to break into the accounts using random entries from brute-force lists. Christian sent me, as a screenshot, the following list of standard user names that were tried during the access attempts.
The attackers then try these usernames as well as a number of commonly known passwords. Christian states that there have been over 20,000 login attempts in his company environment. An IT colleague has also seen several thousand login attempts.
These types of attacks, which "probe" Citrix Netscaler Gateway instances reachable from the Internet, are not new. But it is also known that this is how past cyberattacks began. The reader also writes that there were some much more targeted attempts with domain-specific names on the Citrix Netscaler Gateway of the company I know. For example, the term "Baustoffzentrum" (related to the company) was also tried as a user name when logging in. Other German blog readers confirmed these observations in the comments here.
On the one hand, I am posting the information here in the blog as a warning: anyone running Citrix Netscaler Gateway instances should perhaps take a look at the log files. Netscaler Gateway accounts with easily guessable names such as those in the list above are particularly at risk. An account whose user name contains numbers or special characters will at least make this type of attack more difficult, provided the name is not trivial like "user2". I am also interested to know whether other blog readers are currently experiencing similar problems?
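To make the "take a look at the log files" advice concrete, here is an added example (my own, not code from the blog or from Citrix) that scans NetScaler-style AAA login-failure entries and flags source addresses that produce a burst of failed logins or cycle through many different user names, which is the pattern the reader describes. The log lines are constructed, and the field layout (User ... Client_ip ...) is an assumption modelled on the AAA LOGIN_FAILED syslog messages; adjust LOG_RE to the exact format in your own ns.log before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on NetScaler AAA LOGIN_FAILED syslog lines.
# 198.51.100.7 tries six standard names within eight minutes (brute-force pattern),
# 203.0.113.5 is a user mistyping a password twice, 198.51.100.9 is a single targeted guess.
SAMPLE_LOG = """\
Dec  5 17:02:11 <local0.info> 192.0.2.10 12/05/2024:17:02:11 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1001 0 : User admin - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:03:40 <local0.info> 192.0.2.10 12/05/2024:17:03:40 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1002 0 : User administrator - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:04:02 <local0.info> 192.0.2.10 12/05/2024:17:04:02 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1003 0 : User test - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:05:15 <local0.info> 192.0.2.10 12/05/2024:17:05:15 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1004 0 : User user1 - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:06:48 <local0.info> 192.0.2.10 12/05/2024:17:06:48 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1005 0 : User user2 - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:09:30 <local0.info> 192.0.2.10 12/05/2024:17:09:30 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1006 0 : User guest - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:15:03 <local0.info> 192.0.2.10 12/05/2024:17:15:03 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1007 0 : User j.meier - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 17:16:10 <local0.info> 192.0.2.10 12/05/2024:17:16:10 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1008 0 : User j.meier - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
Dec  5 18:40:00 <local0.info> 192.0.2.10 12/05/2024:18:40:00 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 1009 0 : User baustoffzentrum - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - Failure_reason "External authentication server denied access"
"""

# Assumed layout: timestamp before "GMT", then "User <name> - Client_ip <ip> -".
LOG_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*? AAA LOGIN_FAILED .*? : "
    r"User (\S+) - Client_ip (\S+) -"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client_ip) for every LOGIN_FAILED line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # other message types (LOGIN, SESSION_END, ...) are ignored
        ts = datetime.strptime(m.group(1), "%m/%d/%Y:%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def max_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window of the given length."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5, min_users=3):
    """Per source IP: failure count, peak failures per window, distinct user names, verdict.

    An IP is flagged when it exceeds min_attempts failures inside one window (password
    guessing) or tries at least min_users different names (user-name enumeration).
    """
    per_ip = defaultdict(lambda: {"timestamps": [], "users": set()})
    for ts, user, ip in events:
        per_ip[ip]["timestamps"].append(ts)
        per_ip[ip]["users"].add(user)

    report = {}
    for ip, data in per_ip.items():
        peak = max_in_window(data["timestamps"], window)
        reasons = []
        if peak >= min_attempts:
            reasons.append("burst")
        if len(data["users"]) >= min_users:
            reasons.append("user_enumeration")
        report[ip] = {
            "failures": len(data["timestamps"]),
            "peak_in_window": peak,
            "distinct_users": len(data["users"]),
            "users": sorted(data["users"]),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        marker = "!!" if info["flagged"] else "  "
        print(f"{marker} {ip:15} failures={info['failures']} peak={info['peak_in_window']} "
              f"users={info['distinct_users']} {info['reasons']}")
```

The thresholds are deliberately low so the constructed sample triggers; in production, tune the window and counts to your normal failure rate, and feed the flagged addresses into whatever blocking or alerting your environment already has rather than acting on a single run of the script.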