Background & Intelligence
What is Citrix?
Citrix provides software solutions that allow corporate networks and resources to be accessed remotely by leveraging virtualisation technology. Some of the key components in Citrix environments are:
- Virtual Desktop Infrastructure ('VDI'): this technology provides a virtual version of a computer or desktop environment stored in a remote server, accessible over the internet. Instead of having a physical computer, users can access the operating system, files, applications and data on that system from anywhere once successfully authenticated.
- Citrix Application Delivery Controller ('ADC', formerly known as 'NetScaler'): this component serves as a 'traffic director' of sorts for a network, responsible for optimising data flows and ensuring availability of applications and resources for users. Citrix ADCs can also integrate a Gateway, a feature that is responsible for authenticating users to the environment and which can be thought of as a security checkpoint.
Recent critical Citrix vulnerabilities have primarily affected ADC appliances, often allowing unauthenticated users access to the environment they sit in front of. In normal circumstances, a user will log in by providing a valid username and password to the Citrix Gateway, and then be assigned to an available virtual desktop by the ADC server. (Source: S-RM)
Most Prevalent Vulnerabilities (CISA KEV & EPSS) Impacting Citrix
Of the 16 CVEs in KEV, 6 are known to be utilised in ransomware campaigns (as of August 2024):
- CVE-2023-3519
- CVE-2023-4966
- CVE-2019-13608
- CVE-2019-19781
- CVE-2019-11634
- CVE-2020-22941
Related Threat Actors
- Akira
- NoEscape
- BlackBasta
- LockBit