Citrix Netscaler devices have become the focus of a growing wave of password spray attacks aimed at breaching corporate networks.
These attacks, characterized by massive login attempts, are part of a broader trend targeting edge networking devices and cloud platforms.
In March, Cisco reported similar attacks on its VPN devices, which sometimes caused denial-of-service (DoS) states. These incidents prompted the company to uncover a DDoS vulnerability that was patched in October. Meanwhile, Microsoft warned of the Quad7 botnet in October, which exploited compromised networking devices from brands like TP-Link, Asus, and Zyxel to conduct password spraying on cloud services.
Now, Germany’s BSI cybersecurity agency has issued a warning about a surge in brute force attacks against Citrix Netscaler gateways. According to reports, attackers are using these campaigns to steal login credentials and infiltrate networks across critical infrastructure sectors and beyond.
Users have reported seeing anywhere from 20,000 to over a million brute force attempts on their Citrix Netscaler devices. Attackers are cycling through a range of generic usernames such as “test,” “vpn,” “finance,” and “sales,” as well as first names, name combinations, and email addresses in an attempt to gain access.
Citrix has acknowledged the issue, releasing a security bulletin to address the escalating threat. The company noted that the attacks stem from dynamic IP addresses, which makes traditional defense strategies like IP blocking and rate limiting less effective. Citrix highlighted that these attacks often target pre-nFactor authentication endpoints—legacy URLs that are still in use for backward compatibility.
To mitigate these attacks, Citrix has recommended several actions, including enabling multi-factor authentication, restricting authentication attempts to specific domain names, and disabling unnecessary pre-nFactor endpoints. They also advised customers to use a web application firewall (WAF) to block suspicious IPs and prevent further attacks.
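The pattern described above (many generic usernames, a low number of attempts per account, and a rotating set of source addresses that keeps each address under an IP-based rate limit) can be picked out of authentication logs even when per-IP blocking does nothing. The following detector is an added example written for this article; it is not code from Citrix, BleepingComputer, or the BSI. The log line layout, the endpoint paths `/legacy-auth` and `/nfactor-auth` (stand-ins for a pre-nFactor and an nFactor endpoint; the real NetScaler URLs are not reproduced here), the thresholds, and the sample events are all constructed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed line format, NOT NetScaler's real syslog layout:
#   "<iso8601-time> <source-ip> <username> <endpoint> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")

# Placeholder set of pre-nFactor (legacy) endpoint paths; constructed for this example.
LEGACY_ENDPOINTS = {"/legacy-auth"}

# Constructed sample: a spray across ten usernames from eight addresses in five
# minutes, followed by one real user mistyping a password twice and then logging in.
SAMPLE_LOG = """\
2024-12-10T08:00:01Z 198.51.100.10 test /legacy-auth FAIL
2024-12-10T08:00:07Z 198.51.100.10 vpn /legacy-auth FAIL
2024-12-10T08:00:31Z 203.0.113.5 finance /legacy-auth FAIL
2024-12-10T08:01:02Z 203.0.113.77 sales /legacy-auth FAIL
2024-12-10T08:01:40Z 192.0.2.14 admin /legacy-auth FAIL
2024-12-10T08:02:15Z 192.0.2.99 john /legacy-auth FAIL
2024-12-10T08:02:58Z 198.51.100.203 john.smith /legacy-auth FAIL
2024-12-10T08:03:30Z 203.0.113.150 jsmith@example.com /legacy-auth FAIL
2024-12-10T08:04:11Z 192.0.2.230 hr /legacy-auth FAIL
2024-12-10T08:04:55Z 198.51.100.203 it /legacy-auth FAIL
2024-12-10T08:21:03Z 10.20.30.40 alice /nfactor-auth FAIL
2024-12-10T08:21:20Z 10.20.30.40 alice /nfactor-auth FAIL
2024-12-10T08:21:44Z 10.20.30.40 alice /nfactor-auth OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    endpoint: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, ip, user, endpoint, result = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, user, endpoint, result == "OK"))
    return events


def analyze(text: str, window: timedelta = timedelta(minutes=10),
            min_users: int = 8, max_mean_per_user: float = 2.0,
            min_ips: int = 3, brute_threshold: int = 10) -> list[dict]:
    """Group failed logins into tumbling windows and classify each window.

    A window is a spray when many distinct usernames each see only a few
    attempts and the attempts come from several addresses; a window where
    one username absorbs many attempts is a classic single-target brute
    force; everything else is reported as benign.
    """
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    buckets: dict[int, list[AuthEvent]] = defaultdict(list)
    for ev in parse_log(text):
        if not ev.success:
            buckets[int((ev.ts - epoch) // window)].append(ev)

    findings = []
    for key in sorted(buckets):
        fails = buckets[key]
        per_user = Counter(e.user for e in fails)
        per_ip = Counter(e.src_ip for e in fails)
        legacy_hits = sum(1 for e in fails if e.endpoint in LEGACY_ENDPOINTS)
        mean_per_user = len(fails) / len(per_user)

        if len(per_user) >= min_users and mean_per_user <= max_mean_per_user \
                and len(per_ip) >= min_ips:
            verdict = "password-spray"
        elif max(per_user.values()) >= brute_threshold:
            verdict = "credential-brute-force"
        else:
            verdict = "benign"

        findings.append({
            "window_start": (epoch + key * window).isoformat(),
            "failed_attempts": len(fails),
            "distinct_users": len(per_user),
            "distinct_ips": len(per_ip),
            "max_attempts_per_ip": max(per_ip.values()),
            "legacy_endpoint_share": legacy_hits / len(fails),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The `max_attempts_per_ip` field is the point of the exercise: in the spray window no address exceeds two attempts, so an IP rate limit never fires, yet ten distinct usernames failing from eight addresses inside five minutes is plainly one campaign. The `legacy_endpoint_share` field shows how much of the failed traffic lands on the pre-nFactor paths, which is the figure to look at before deciding whether those endpoints can be disabled as Citrix suggests.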
These mitigations, however, are only applicable to Netscaler devices deployed on-premises or in cloud environments. Customers using Citrix’s Gateway Service are not affected. Citrix has also clarified that the mitigations require Netscaler firmware version 13.0 or higher.
As attackers continue to target edge networking devices, organizations are urged to review their security configurations and implement the necessary defenses to protect their networks. The details of Citrix’s mitigation strategies can be found in their official advisory.
(via: Bleepingcomputer)
Bijay Pokharel