1Y0-231 approach - Deploy and Manage Citrix ADC 13 with Citrix Gateway Updated: 2024

The vulnerability’s name has been popping up over the past couple months in reports on key sectors. According to a post from cybersecurity researcher Kevin Beaumont, this flaw may be behind the cyber attack that disrupted swathes of credit unions earlier this week. The credit unions’ technology vendor Ongoing Operations was hit with ransomware and had failed to patch the vulnerability, he wrote. Ongoing Operations declined to confirm to Government Technology whether Citrix Bleed had been exploited.

But the health-care sector is also raising warnings. Industry group the American Hospital Association urged its membership recently to patch and defend against the vulnerability. Its message amplified the federal Health Sector Cybersecurity Coordinating Center (HC3)’s own alert. Ransomware actors also exploited it in an attack on airplane giant Boeing.

Advisory authors include the Cybersecurity and Infrastructure Security Agency, FBI, Multi-State Information Sharing and Analysis Center and Australia’s lead cybersecurity agency, the Australian Signals Directorate’s Australian Cyber Security Centre.

At least one group of threat actors has been identified exploiting Citrix Bleed: affiliates deploying LockBit 3.0 ransomware. LockBit affiliates have in the past targeted organizations in critical infrastructure sectors, including government and emergency services, health care, financial services, energy, education, food and agriculture, manufacturing and transportation, per the joint advisory.

The flaw is also relatively easy to exploit and so is likely to be widely exploited “in unpatched software services throughout both private and public networks,” per the advisory.

To respond, organizations should adopt updates, as well as search for evidence of compromise (and then take appropriate responses) as well as adopt other mitigation steps outlined in the joint advisory.

Citrix released the patch in early October, but attackers are known to have been exploiting it since August 2023.

“The manufacturer has also warned that these compromised sessions will still be active after a patch has been implemented,” HC3 wrote.

As such, HC3 advised not only updating but also using certain commands to remove “any active or persistent sessions.” The commands are below:

• kill aaa session -all

• kill icaconnection -all

• kill rdp connection -all

• kill pcoipConnection -all

• clear lb persistentSessions

Citrix Systems prepared for Tuesday's opening of its annual Citrix iForum application delivery conference, held this week in Las Vegas, with the introduction of its desktop virtualization strategy, the renaming of its server virtualization technology, and the introduction of new voice, compliance, and "green" features to its core NetScaler and Presentation Server applications.

The desktop and server virtualization moves come as a result of Citrix's mid-August move to acquire XenSource for $500 million. That acquisition closed Monday, said Wes Wasson, senior vice president and chief marketing officer of Citrix.

Citrix plans to combine existing Citrix and XenSource technology to launch XenDesktop, a desktop virtualization software, during the first half of 2008, Wasson said.

While there is already other desktop virtualization software in the market, such as the Virtual Desktop Infrastructure (VDI) from VMware, XenDesktop is taking a different approach, Wasson said.

XenDesktop lets solution providers build virtual desktop PCs, but without the applications, Wasson said. Instead, the applications are kept as separate products in separate locations, and delivered to the virtual desktop PCs.

"VMware will tell you to give them your desktop with the applications, and they'll put it in a virtual machine," he said. "But we scratch our heads and say, that's just moving the existing problems from the desktop to the data center."

By separating the applications and their delivery from the virtual desktops, the result is fewer software conflicts and less chance of corrupting files, Wasson said. "We deliver the desktop so it can run in a virtual machine," he said. "It's best used for delivering applications like we do with Presentation Server and NetScaler."

Citrix on Monday also rebranded its XenSource line as Citrix XenServer, Wasson said. Nothing else has changed, including the price and Citrix's relationship with XenSource channel partners, he said.

There are about 350 XenSource VARs, all of whom are automatically certified for Citrix XenServer, Wasson said. In addition, about 70 percent of Citrix's 5,000 channel partners worldwide currently sell server virtualization software from rival VMware.

Wasson said he does not want his company's channel partners to change their VMware relationship. But he does want them to try XenServer. "We'll be offering a jump start program to get them selling XenServer quickly," he said. "If they sell VMware, they'll keep selling it. But many will also be impressed with XenServer."

Peter Anderson, president of Bayshore Technologies, a Tampa, Fla.-based Citrix solution provider, said he is very excited to see Citrix embrace server and desktop virtualization.

"We carry VMware, but we think the market is huge," Anderson said. "In the next couple of years, Dell, Hewlett-Packard, and IBM all will come out with virtualization."

Anderson said he sees a big potential market for virtual desktop PCs. "Virtualization's main advantage is management," he said. "This will take a lot of the stress out of desktop management. We'll be able to send out changes easier. And control is a huge issue. We like the idea of not touching the desktop."

Donnie Downs, president of Plan B Technologies, a Bowie, Md.-based Citrix solution provider, said there are a lot of customers buying into Citrix's application delivery message who will be glad to see it married to virtualization.

"Microsoft people will say, you can do this with [Microsoft] Terminal Server, and you don't need Citrix," Downs said. "Or at VMware, they'll say, yeah, you can do without Citrix. Now with XenServer, you can say, yeah, you can do it all with Citrix."

However, Downs said, bringing XenDesktop to market is not as easy as it sounds. "We need to see how it is presented," he said. "There has been a lot of confusion with things like portals and the ASP model. But customers really need virtual desktops for rapid application deployment and ease of management.

NEXT: How it stacks up against competitors

Mike Strohl, president of Entisys Solutions, a Concord, Calif.-based Citrix solution provider, said that companies like VMware are already virtualizing desktop PCs.

"But Citrix not only provides the OS level of virtualization, it also has the technology to stream applications to the virtual desktops," Strohl said. "And with Desktop Broker, they have the delivery aspect handled as well. Citrix has the experience to handle all the related dynamics."

In addition to unveiling its desktop and server virtualization strategy, Citrix on Monday also introduced three new add-ons to its current software lineup.

The first is EasyCall, a simple way to integrate communications into Citrix's NetScaler for web applications and Presentation Server for Windows applications.

With EasyCall, whenever the user passes the mouse cursor over a telephone number, that number is highlighted, and can be automatically dialed from within the application, Wasson said.

EasyCall can be integrated into any application, including Office applications and Web-based applications, Wasson said. It works with any phone system, including POTS (Plain Old Telephone System), PBX, and Voice over IP, making it ideal for telephone call centers, he said.

Users can not only set it to automatically dial out a highlighted number, it can also be programmed to dial from a specific phone, Wasson said. "This is great for mobile users," he said. "In a hotel, if you click on a phone number, it will make the call using the hotel phone number, but the call is actually originated from the corporate phone system. So the company is charged, not the hotel."

Downs said EasyCall could have big implications for large call centers. And for other customers, it offers a chance to talk to departments that solution providers may have not had access to before. "With EasyCall, I can go to a completely different part of the customer with this communications ability," he said.

On the compliance side, Citrix on Monday is introducing SmartAuditor to its Presentation Server.

SmartAuditor automatically records a user's session based on company policies which can specify users, applications, and time of day. The session recordings are then time-stamped and stored for later playback for compliance audits, Wasson said.

For instance, SmartAuditor can be set to record the sessions of certain users working with sensitive data, or contractors with a lower level of trust in an organization, he said. It can also be used in a targeted way, he said.

Strohl said it is a about time someone came out with an application like SmartAuditor. "This is important for security and compliance," he said. "If you have a scenario with regulated data, like security brokers, all e-mails now need to be archived. This is similar, but for other applications and data."

Any customer with HIPAA or Sarbanes-Oxley or other regulatory concerns will like SmartAuditor with its ability to look at data, log-ins, log-outs, and what users do, Anderson said.

And it is a technology that will work its way into the small and midsize business space, he said. "Once you have an IT person, they have the keys to the kingdom," he said. "They can see all the passwords and documents. A lot of small businesses don't see the ramifications of that. Tools like SmartAuditor to allow us to see who is where are extremely important."

Citrix is also trying to do its part to address data center power use with PowerSmart, an add-on to Presentation Server that will let customers set policies to automatically reduce server power based on application traffic levels.

Data centers today can set servers to power up and down at certain times, but it is much harder to time the changes to how users use their applications, Wasson said. PowerSmart times those changes according to application usage, he said.

For example, as Lotus Notes users start dropping off at the end of the day, PowerSmart can send a signal to start shutting down some of the servers. Then, as users sign back in, a signal can be sent to power up the servers again.

Anderson said his enterprise customers are telling him they are running out data center power. "Anything that can reduce power will be a great feature," he said.

Downs said he has already approached a hospital that works with Plan B Technologies and has been having major power issues with IT to talk about PowerSmart. "We told them, this is something we will introduce on a blade server system we sold them, and they said, yeah, we need that immediately," he said.

Things like PowerSmart can help a customer look very good in the eyes of the public, Downs said. "With all the buzz around Al Gore and global warning, you can sign a customer up with a pre-canned press release about reducing power they can take to their Board of Directors," he said.

EasyCall and SmartAuditor have been added to the platinum editions of NetScaler and/or Presentation Server free of charge. EasyCall licenses are activated by a Citrix Communication Gateway appliance that is retail priced at $3,500. PowerSmart works with iLO-enabled HP servers, and will be available for download in December.

Just three days after Xfinity disclosed that 36 million of its users’ personal information was exposed in a data breach, Fort Lauderdale-based Citrix Systems Inc. is facing a class-action lawsuit accusing the firm of failing to prevent the breach.

The extent of the breach was disclosed on Monday in a notice to the Maine Attorney General by Comcast Cable Communications, which does business as Xfinity.

That day, Comcast released a notice to customers disclosing that “unauthorized access to its internal systems” had occurred between Oct. 16 and Oct. 19. Following a review, Comcast concluded on Dec. 6 that the breach exposed customer information such as usernames and passwords that the company had disguised for security purposes.

Hackers also stole some users’ names, contact information, last four digits of Social Security numbers, dates of birth and/or secret questions and answers, Comcast said.

Customers logging onto their Xfinity accounts have been required to change their passwords to protect their accounts. They also are urged to set up two-factor, or multi-factor, authentication and to change passwords for other accounts that share the same username and password or security question.

By Wednesday, Citrix — which services Xfinity’s website — was named as defendant in a proposed class-action lawsuit about the breach.

A Citrix spokesman, reached by email, said the company is aware of the lawsuit but said the company does not comment on pending litigation. Comcast, which was not named as a defendant in the lawsuit, did not respond to a request for information about the breach.

The suit accuses Citrix of failing to protect “highly sensitive information” in their custody that it “knew and understood” is “valuable and highly sought after by criminal parties who seek to illegally monetize” it by posting it for sale on the dark web.

The suit states that Citrix on Oct. 10 announced the vulnerability of a software product used by Xfinity and thousands of other companies known as “Citrix Bleed.”

Citrix said it released a patch to fix the vulnerability at that time and issued additional mitigation guidance on Oct. 23, the lawsuit claims.

While Comcast said it “promptly patched and mitigated its systems,” it said it later discovered that prior to the repair operation, between Oct. 16 and Oct. 19, “there was unauthorized access to some of (its) internal systems that (it) concluded was a result of this vulnerability,” according to the lawsuit.

In a notification to the Office of the Maine Attorney General on Monday, Comcast revealed that the personal identifiable information of 35,879,455 individuals was believed to have been exposed in the breach.

The lawsuit names Jacksonville resident Francis Kirkpatrick as lead plaintiff. It was filed by the Fort Lauderdale law firm Kopelowitz Ostrow Ferguson Weiselberg Gilbert and the Tampa-based law firm The Consumer Protection Firm PLLC.

It says that Kirkpatrick has experienced “suspicious spam” after the breach that he believes to be an attempt to secure additional personal information.

The suit claims that class members have suffered from invasion of their privacy, lost or diminished value of their personal identifiable information, lost time and opportunity costs associated with attempting to mitigate consequences of the breach, and the “continued and certainly increased risk” to their information.

It seeks unspecified “compensatory and consequential damages” from Citrix.

The website ClassAction.org, which describes itself as a group of online professionals with relationships with class action and mass tort attorneys, on Tuesday posted notice of an investigation that it said could lead to a class action lawsuit against Comcast. A news release on Tuesday by New Jersey-based Console & Associates, P.C. urges victims to contact the law firm.

According to GovTech.com, a website that serves the government technology industry, hackers have been exploiting “Citrix Bleed” vulnerabilities since August. Hackers can exploit the vulnerability within Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances, the site reported.

The vulnerability enables hackers “to bypass password requirements and multifactor authentication” to hijack “legitimate user sessions,” according to an advisory released on Nov. 21 by the Cybersecurity & Infrastructure Security Agency, a component of the United States Department of Homeland Security.

“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” the advisory states.

Citrix Bleed has been linked to ransomware and malware attacks on several companies, including Toyota and Boeing, several tech sites reported.

For Comcast, news of the breach comes a year after a different breach left an unknown number of customers unable to access their accounts. When they regained access, they discovered their accounts had been taken over by hackers who were able to bypass two-factor authentication and change their passwords, then used their information to gain access to other accounts, the website SecurityBoulevard.com reported.

Ron Hurtibise covers business and consumer issues for the South Florida Sun Sentinel. He can be reached by phone at 954-356-4071, on Twitter @ronhurtibise or by email at rhurtibise@sunsentinel.com.

An avid technology enthusiast, Steve Gregory has been writing professionally since 2002. With more than 10 years of experience as a network administrator, Gregory holds an Information Management certificate from the University of Maryland and is pursuing MCSE certification. His work has appeared in numerous online publications, including Chron and GlobalPost.

A published author and professional speaker, David Weedmark has advised businesses and governments on technology, media and marketing for more than 20 years. He has taught computer science at Algonquin College, has started three successful businesses, and has written hundreds of articles for newspapers and magazines throughout Canada and the United States.

Citrix Access Suite 4.0, developed under the code name Colorado, is a major upgrade of the company's formerly named MetaFrame access suite.

The suite's Presentation Server 4.0 supports more than 1,000 servers in a single server farm. It offers proximity printing, 400 percent faster printing and built-in conferencing. And it includes the Citrix Access Gateway SSL VPN and Citrix Password Manager. The new suite also delivers enhanced Smoothroaming capabilities and SmartAccess features, which automatically detect computing environments.

At the launch event in New York, Citrix CEO Mark Templeton said the company plans to drive sales deeper into vertical markets and specific customer segments with an enhanced co-engagement channel model. Citrix plans to fine-tune the multichannel strategy by providing products to partners tailored for their various customers bases, thus reducing the chance for conflict.

Templeton told CRN that the forthcoming access products for small-business and midmarket customers will be launched this fall. In addition to the small-business suite, Citrix plans to engage IBM and HP in co-selling deals with solutions based on the suite.

On Tuesday, David Jones, vice president of business alliances at Citrix, announced a formal relationship with IBM to help it deliver services and solutions based on Access Suite 4.0. He said that five out of Citrix's last 10 largest customer wins stemmed from IGS, and Citrix is creating project offices--called Citrix Knowledge Centers--to assist IBM on deals.

Executives said the lines are in the sand to protect large systems integrators and channel partners, for the most part. "We haven't seen any, but it's possible," said John Burris, senior vice president of worldwide sales and service at Citrix. "The idea is to eliminate that as much as possible."

Templeton and Burris said there was always the possibility for overlap and some conflict between the channels, but they expect problems to be minimal since the channels--and their respective product offerings--will target different segments of the market.

"It's only six project offices," Templeton said. "The kind of projects IBM gets involved in, I don't think a clear-thinking local or regional Citrix integrator would be interested in."

As it pushes deeper into the enterprise, Citrix also is expanding its relationship with HP. Citrix said its Citrix Password Manager will be combined with the HP OpenView Identity and Access Management suite as part of the new agreement. In addition, Citrix and HP announced plans for joint development on future products.

One Wall Street analyst said Citrix has done a good job executing a balanced channel strategy as it prepares to launch Access Suite 4.0 into the marketplace. Citrix's biggest challenge, as it strives to reach the $1 billion in sales by 2006, is achieving a critical mass of users, he said.

"They're reinventing themselves and have stayed dedicated to the channel, unwavering in putting this structure together," said John Rizzuto, director of software equity research for Lazard Freres, during a roundtable discussion at the event, held at the Millennium Broadway Hotel in New York. "The partnership with IBM will make the size of the pie bigger instead of IBM taking a bigger piece of the pie."

While some channel partners expressed concern about the closer involvement of HP and IBM in Citrix's business, at least one Citrix platinum partner said that co-selling opportunities for additional products such as the SSL VPN and planned channel incentives for Citrix Online products open up opportunities for the channel.

"Citrix has fostered an active ecosystem with Microsoft, Dell, IBM and others, and as a result we are sought out to join their channel programs," said Tom Flink, president of the central region of MTM, a Citrix Platinum partner.

Comcast waited as many as nine days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.

Citrix Bleed has emerged as one of the year’s most severe and widely exploited vulnerabilities, with a severity rating of 9.4 out of 10. The vulnerability, residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, can be exploited without any authentication or privileges on affected networks. Exploits disclose session tokens, which the hardware assigns to devices that have already successfully provided login credentials. Possession of the tokens allows hackers to override any multi-factor authentication in use and log in to the device.

Other companies that have been hacked through Citrix Bleed include Boeing; Toyota; DP World Australia, a branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and law firm Allen & Overy.

The name Citrix Bleed is an allusion to Heartbleed, a different critical information disclosure zero-day that turned the Internet on its head in 2014. That vulnerability, which resided in the OpenSSL code library, came under mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all kinds of other sensitive information. Citrix Bleed hasn’t been as dire because fewer vulnerable devices are in use.

A sweep of the most active ransomware sites didn’t turn up any claims of responsibility for the hack of the Comcast network. An Xfinity representative said in an email that the company has yet to receive any ransom demands, and investigators aren’t aware of any customer data being leaked or of any attacks on affected customers.

Comcast is requiring Xfinity customers to reset their passwords to protect against the possibility that attackers can crack the stolen hashes. The company is also encouraging customers to enable two-factor authentication. The representative declined to say why company admins didn't patch sooner.

Post updated to change patch lapse from 13 days to six to nine days.

Ransomware groups are leveraging new attacks using the Citrix Bleed vulnerability.

Late last week saw more than 60 credit unions’ operations disrupted, thanks to a common technology services provider’s unpatched Netscaler servers. Representatives from the National Credit Union Administration confirmed the outage happened in a post for The Register over the weekend.

The provider is Trellance Cooperative Holdings Inc. It owns two different providers, one called Ongoing Operations LLC and the other called Fedcomp. Both of them told their respective customers of outages affecting their systems. The former sent out a note on Dec. 2 about an “ongoing cyber security incident” that happened on Nov. 26. Fedcomp posted and then removed notice about a potential incident and didn’t respond to reporters’ inquiries.

“Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online,” Maggie Pope, chief executive of the Mountain Valley Federal Credit Union in Peru, New York, wrote in a memo to its members last week.

A post from cybersecurity researcher Kevin Beaumont claims that the issues had to do with Citrix Bleed, which he claims attacked two of Ongoing Operations Netscaler servers that hadn’t been patched since this summer. Citrix Bleed was first discovered several months ago, and a patch was released by the company in October.

Citrix Bleed has become a popular way for ransomware actors to compromise their victims because the Citrix servers have a great deal of authentication knowledge encoded in their operations as load balancing appliances. The vulnerability steals session tokens to allow bad actors to avoid multifactor authentication controls.

Credit unions have been a tempting target for ransomware attacks because they have relatively immature security solutions compared with commercial banks and other larger financial services companies. Their national association put in place new rules that came into force in September requiring all federally insured unions to report any breaches within 72 hours. Since then, it has seen 146 incidents reported in the first month, a figure it typically would see in an entire year.

Image: OpenClipart-Vectors/Pixabay

Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.

On October 25, roughly two weeks after Citrix released security updates to address a critical vulnerability now known as Citrix Bleed and tracked as CVE-2023-4966, the telecommunications company found evidence of malicious activity on its network between October 16 and October 19.

Cybersecurity company Mandiant says the Citrix flaw had been actively exploited as a zero-day since at least late August 2023.

Following an investigation into the impact of the incident, Xfinity discovered on November 16 that the attackers also exfiltrated data from its systems, with the data breach affecting 35,879,455 people.

"After additional review of the affected systems and data, Xfinity concluded on December 6, 2023, that the customer information in scope included usernames and hashed passwords," the company said.

"[F]or some customers, other information may also have been included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, the data analysis is continuing."

While Xfinity says it has asked users to reset their passwords to protect affected accounts, customers report that they had been getting password reset requests last week without any indication as to why that was happening.

"To protect your account, we have proactively asked you to reset your password. The next time you login to your Xfinity account, you will be prompted to change your password, if you haven't been asked to do so already," the company says in a data breach notice published on its website.

One year ago, Xfinity customers also had their accounts hacked in widespread credential stuffing attacks bypassing two-factor authentication.

Compromised accounts were then used to reset account passwords for other services, including the Coinbase and Gemini crypto exchanges.

Update December 18, 19:08 EST: A Comcast spokesperson shared the following statement with BleepingComputer after the article was published but didn't share more details on the number of individuals affected by the data breach. The company added that its operations were not impacted and that it received no ransom demand after the incident.

We are providing notice to customers about a data security incident which exploited a vulnerability previously announced by Citrix, a software provider used by Xfinity and thousands of other companies worldwide. We promptly patched and mitigated the vulnerability. We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers.  

In addition, we required our customers to reset their passwords and we strongly recommend that they enable two-factor or multi-factor authentication, as many Xfinity customers already do. We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7.

Update December 19, 05:40 EST: Added info on the number of people affected by the data breach.