Password Spraying Attacks on NetScaler Appliances


Filip Dimitrov

December 16, 2024

A wave of password spraying attacks has been observed targeting Citrix NetScaler appliances globally. NetScaler is a line of networking products owned by Cloud Software Group, widely used across industries for load balancing, application delivery, and secure remote access.

Administrators are reporting anywhere from 20,000 to 1 million authentication attempts against their appliances using generic usernames. The attacks aim to overwhelm appliances with high authentication request volumes, leading to operational disruptions and potentially compromising sensitive accounts.

Key Characteristics:

Instead of brute-forcing multiple passwords on a single account, attackers use a limited set of common passwords across numerous accounts to evade detection and account lockouts.

These high volumes of authentication attempts can result in:

  • Excessive log generation, exhausting storage and impacting performance.
  • CPU resource overload, potentially triggering failovers.
  • Appliance instability and crashes.

The attackers are targeting authentication endpoints associated with older, pre-nFactor configurations on NetScaler appliances. These endpoints, such as /cgi/login, /p/u/doAuthentication.do, and similar paths, are legacy components used for compatibility with earlier systems.

Potential Impact:

The password spraying attacks generate a significant volume of authentication traffic, which can overwhelm NetScaler appliances and lead to performance degradation or complete downtime. The sheer volume of authentication requests can also destabilize the appliance, causing crashes or failures in the authentication module.

Since the attacks originate from dynamic IP ranges, traditional defenses such as IP blocking or rate limiting are largely ineffective: attackers change their IP addresses frequently, bypassing these mitigations and widening the set of sources a defender has to track.

Recommendations for Mitigation:

  1. Enable Multi-Factor Authentication (MFA): Configure MFA to enhance authentication security. Prioritize setting up MFA before the LDAP factor.
  2. Restructure authentication policies:
    • Block requests to historical pre-nFactor endpoints unless explicitly needed.
    • Allow authentication requests only for specified Fully Qualified Domain Names (FQDNs) using responder policies.
  3. Implement Web Application Firewall (WAF): Use WAF rules to detect and block requests targeting vulnerable endpoints or originating from malicious IPs.
  4. Enable IP reputation services: Automatically block requests from known malicious IP addresses.
  5. Optimize log rotation: Reduce the log file rotation interval to 30 minutes to prevent disk overflows.
  6. Leverage CAPTCHA on authentication pages: Implement CAPTCHA for additional protection against automated attacks.

Detection Indicators:

Monitor NetScaler ns.log for unusual volumes of the following entries:

  • “default SSLVPN Message”
  • “default AAA LOGIN_FAILURE”

Signs of abnormal log growth or repeated entries related to authentication failures could indicate active attacks.
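The following script is an added example, not part of the original advisory, that applies the detection indicators above to the spraying pattern described under Key Characteristics: it parses AAA LOGIN_FAILURE entries out of ns.log text, groups them into time windows, and flags a window in which many distinct usernames each fail only a few times, which is the signature that separates spraying from a brute-force run against one account. The log line layout, the field names User and Client_ip, the thresholds, and the sample entries are all constructed assumptions for this example rather than values taken from a real appliance.

```python
"""Password-spray triage over NetScaler ns.log AAA LOGIN_FAILURE entries (example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample excerpt. The field layout approximates NetScaler's AAA
# syslog output and is an assumption for this example; IPs are documentation
# ranges. Ten failures for nine generic usernames arrive within 20 seconds from
# three source IPs, followed much later by two failures for one real user.
SAMPLE_NS_LOG = """\
Dec 16 10:00:01 <local0.info> 10.10.0.5 12/16/2024:10:00:01 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 101 0 : User admin - Client_ip 198.51.100.10 - Failure_reason "External authentication server denied access"
Dec 16 10:00:02 <local0.info> 10.10.0.5 12/16/2024:10:00:02 GMT ns 0-PPE-0 : default SSLVPN Message 102 0 : "Login page requested" - Client_ip 198.51.100.10
Dec 16 10:00:02 <local0.info> 10.10.0.5 12/16/2024:10:00:02 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 103 0 : User administrator - Client_ip 198.51.100.10 - Failure_reason "External authentication server denied access"
Dec 16 10:00:04 <local0.info> 10.10.0.5 12/16/2024:10:00:04 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 104 0 : User test - Client_ip 198.51.100.11 - Failure_reason "External authentication server denied access"
Dec 16 10:00:05 <local0.info> 10.10.0.5 12/16/2024:10:00:05 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 105 0 : User guest - Client_ip 198.51.100.11 - Failure_reason "External authentication server denied access"
Dec 16 10:00:07 <local0.info> 10.10.0.5 12/16/2024:10:00:07 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 106 0 : User admin - Client_ip 198.51.100.12 - Failure_reason "External authentication server denied access"
Dec 16 10:00:09 <local0.info> 10.10.0.5 12/16/2024:10:00:09 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 107 0 : User user - Client_ip 198.51.100.12 - Failure_reason "External authentication server denied access"
Dec 16 10:00:11 <local0.info> 10.10.0.5 12/16/2024:10:00:11 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 108 0 : User support - Client_ip 198.51.100.10 - Failure_reason "External authentication server denied access"
Dec 16 10:00:13 <local0.info> 10.10.0.5 12/16/2024:10:00:13 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 109 0 : User info - Client_ip 198.51.100.11 - Failure_reason "External authentication server denied access"
Dec 16 10:00:15 <local0.info> 10.10.0.5 12/16/2024:10:00:15 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 110 0 : User scan - Client_ip 198.51.100.12 - Failure_reason "External authentication server denied access"
Dec 16 10:00:17 <local0.info> 10.10.0.5 12/16/2024:10:00:17 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 111 0 : User citrix - Client_ip 198.51.100.10 - Failure_reason "External authentication server denied access"
Dec 16 11:30:00 <local0.info> 10.10.0.5 12/16/2024:11:30:00 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 112 0 : User bob - Client_ip 203.0.113.7 - Failure_reason "External authentication server denied access"
Dec 16 11:30:20 <local0.info> 10.10.0.5 12/16/2024:11:30:20 GMT ns 0-PPE-0 : default AAA LOGIN_FAILURE 113 0 : User bob - Client_ip 203.0.113.7 - Failure_reason "External authentication server denied access"
"""

# Matches only the LOGIN_FAILURE indicator; "SSLVPN Message" lines are skipped.
LOGIN_FAILURE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?"
    r"default AAA LOGIN_FAILURE .*?"
    r"User (?P<user>\S+) - Client_ip (?P<ip>\S+)"
)

_EPOCH = datetime(1970, 1, 1)


def parse_login_failures(log_text):
    """Return one {ts, user, ip} dict per AAA LOGIN_FAILURE line."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILURE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return _EPOCH + (ts - _EPOCH) // window * window


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=3, brute_force_threshold=20):
    """Flag windows showing spraying (many users, few tries each) or brute force.

    Thresholds are assumed starting points; tune them against your own baseline.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[bucket_start(ev["ts"], window)].append(ev)

    alerts = []
    for start in sorted(buckets):
        evs = buckets[start]
        per_user = Counter(e["user"] for e in evs)
        per_ip = Counter(e["ip"] for e in evs)
        heaviest_user = max(per_user.values())
        summary = {
            "window_start": start,
            "failures": len(evs),
            "distinct_users": len(per_user),
            "distinct_ips": len(per_ip),
            "top_ips": per_ip.most_common(3),
        }
        if len(per_user) >= min_users and heaviest_user <= max_per_user:
            alerts.append({"type": "password_spray", **summary})
        elif heaviest_user >= brute_force_threshold:
            alerts.append({"type": "brute_force", **summary})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_login_failures(SAMPLE_NS_LOG)):
        print(alert)
```

The distinct-IP count in each alert is worth watching alongside the user count: when it keeps climbing between windows while the username list stays generic, the source is rotating addresses, which is exactly the case in which the advisory expects IP blocking alone to fall short and policy changes at the endpoint level to matter more.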

Next Steps:

  1. Review the recommended mitigations and apply as many of them as possible without delay.
  2. Ensure firmware is updated to version 13.0 or higher to access the latest security features.
  3. Notify stakeholders and prepare for potential disruptions to critical services.

For additional information, refer to the latest NetScaler Security Advisory.

Stay Secure. Stay Informed.

OP Innovate Research Team.