A few days ago, I warned in the blog post Massive wave of attacks on Citrix Netscaler gateways since 5, and 6, Dec. 2024? about a massive wave of attempted attacks on Citrix Netscaler gateways since around Dec. 5, 2024. Now the German Federal Office for Information Security (BSI) – home of the German CERT-Bund – is also warning of attacks on Citrix Netscaler gateways.
The NetScaler Gateway from Citrix enables remote access from devices to the internal network and internal resources. According to this page, users can use the Citrix Gateway Service (Preview) or an on-premises NetScaler Gateway.
Attack attempts on NetScaler Gateway (December 5, 2024)
German blog reader Christian informed me on December 6, 2024 about massive attacks he had observed on his company's Citrix NetScaler Gateway on December 5, 2024. Between 5 p.m. and 10 p.m. there were massive attack attempts; the attackers were probably trying to break into accounts using username/password guesses taken from brute-force lists. Christian had sent me the following list of standard usernames that were tried during the access attempts as a screenshot.
Christian stated that there had been over 20,000 login attempts in his company environment. These types of attacks, which "probe" Citrix Netscaler Gateway instances accessible on the Internet, are not new. But it is also known that past cyberattacks have begun this way. The reader also wrote that there had been some much more targeted attempts with domain-specific e-mail addresses on the company's Citrix Netscaler Gateway.
CERT-Bund warning
In the meantime, I came across the following tweet on X and this reader comment from Stefan A. (thank you).
The German Federal Office for Information Security (BSI) warns of exactly the scenario outlined above in the article Version 1.0: Brute-Force-Angriffe auf exponierte Systeme from December 10, 2024. The BSI is receiving more and more reports of brute force attacks against Citrix Netscaler gateways from various critical infrastructure sectors and international partners. The BSI also refers "to media reports" (which was my blog post Massive wave of attacks on Citrix Netscaler gateways since 5, and 6, Dec. 2024?) and writes that the current attacks stand out from the usual attacks of this type in terms of the reported volume.
In brute force attacks, attackers attempt to guess weak user name/password combinations with a massive number of login attempts. If attackers succeed in gaining access, they attempt to establish persistent access at network level using a backdoor. Systems are then compromised in order to extract data and/or encrypt systems with ransomware.
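The pattern described above (thousands of failed logins from one source, cycling through standard usernames) is easy to pick out of authentication logs once the events are counted per source over a time window. The following detection script is an added example and not part of the original post or of any Citrix or BSI tooling; the log lines it parses are constructed, in a generic "timestamp status user source" layout that is NOT the NetScaler log format, and the thresholds (`window`, `max_failures`, `max_users`) are assumptions to be tuned for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real NetScaler output): one source hammers the
# gateway with standard usernames, a legitimate user mistypes once and logs in.
SAMPLE_LOG = """\
2024-12-05T17:00:01 FAIL admin 203.0.113.10
2024-12-05T17:00:02 FAIL administrator 203.0.113.10
2024-12-05T17:00:02 FAIL test 203.0.113.10
2024-12-05T17:00:03 FAIL guest 203.0.113.10
2024-12-05T17:00:03 FAIL user 203.0.113.10
2024-12-05T17:00:04 FAIL root 203.0.113.10
2024-12-05T17:00:05 FAIL info 203.0.113.10
2024-12-05T17:00:05 FAIL support 203.0.113.10
2024-12-05T17:00:06 FAIL scanner 203.0.113.10
2024-12-05T17:00:06 FAIL backup 203.0.113.10
2024-12-05T17:05:00 FAIL jdoe 198.51.100.7
2024-12-05T17:05:30 OK jdoe 198.51.100.7
2024-12-05T17:06:00 OK jdoe 198.51.100.7
2024-12-05T17:09:00 FAIL jdoe 203.0.113.10
"""

# Assumed line layout: ISO timestamp, OK|FAIL, username, source address.
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse_events(text):
    """Turn the constructed log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, status, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "status": status,
                       "user": user, "src": src})
    return events


def detect_bruteforce(events, window=timedelta(minutes=10),
                      max_failures=5, max_users=3):
    """Flag sources whose failed logins in any sliding window exceed the thresholds.

    Two signals are combined: raw failure volume (classic brute force) and the
    number of distinct usernames tried (password spraying / username probing).
    Returns {src: {"failures", "distinct_users", "users", "first", "last"}} with
    the largest offending window seen per source.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["status"] == "FAIL":
            failures[ev["src"]].append(ev)

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= max_failures or len(users) >= max_users:
                prev = findings.get(src)
                if prev is None or len(span) > prev["failures"]:
                    findings[src] = {
                        "failures": len(span),
                        "distinct_users": len(users),
                        "users": sorted(users),
                        "first": span[0]["ts"],
                        "last": span[-1]["ts"],
                    }
    return findings


def analyze(text, **thresholds):
    """Parse and detect in one step; convenient for feeding a log file's contents."""
    return detect_bruteforce(parse_events(text), **thresholds)


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {f['failures']} failures, {f['distinct_users']} usernames "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {f['users']}")
```

Counting distinct usernames per source, not just failures, is what separates the probing described above (a list of standard usernames, one attempt each) from a single user who has simply forgotten a password; the legitimate source in the sample, with one failure followed by successful logins, is not reported.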