Citrix Warns Its ADC Products Are Being Used in DDoS Attacks
Company Notes: Permanent Fix Won't Be Ready Until January
Citrix is warning its customers that attackers are taking advantage of the company's ADC products to conduct and amplify distributed denial-of-service attacks, according to a notification published by the firm.
In the warning, Citrix notes that these attacks are affecting a "limited" number of customers so far. And while there is no known vulnerability at this point, the company is working on a permanent fix for its ADC products that won't be available until mid-January, according to the alert.
"Citrix is monitoring these events and is continuing to investigate the impact they pose on Citrix ADC," the alert says. "At this time, the scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event."
Citrix Application Delivery Controller, or ADC, was formerly known as NetScaler ADC. These products are used as network appliances to help increase application performance as well as improve security functionality. Over the past year, Citrix has experienced issues with threat actors targeting known vulnerabilities in these products, including one that affected some 80,000 companies, which security researchers disclosed in December 2019 (see: Severe Citrix Flaw: Proof-of-Concept Exploit Code Released).
The abuse of the Citrix ADC products to amplify DDoS attacks was first noticed earlier this month by independent security researchers as well as Marco Hofmann, an IT administrator for German software firm ANAXCO GmbH, who found the attack targeting port UDP:443, which is used by Citrix products.
Other security researchers also noticed similar patterns starting around Dec. 21.
It seems a worldwide UDP:443 (EDT) DDOS attack against #NetScaler #gateway is active since last night. I found these source IP addresses of the attackers in my nstraces: (1/3) pic.twitter.com/AuAg72BsEY
— Daniel Weppeler (@_DanielWep) December 21, 2020
The security issue appears to affect the Datagram Transport Layer Security, or DTLS, used with these Citrix ADC products, according to the company's alert. DTLS is a communication protocol based on the Transport Layer Security, or TLS, protocol and is designed to ensure that applications can communicate with one another without third parties eavesdropping on those communications or intercepting messages.
In most cases, DTLS runs over the User Datagram Protocol, and threat actors are known to spoof the source address of UDP datagrams, which lets them quickly overwhelm a network with junk internet traffic and amplify a DDoS attack, according to a previous warning issued by the U.S. Cybersecurity and Infrastructure Security Agency.
"As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion," according to the Citrix advisory.
Citrix notes that, since there is no known vulnerability at this time, its customers affected by these DDoS incidents should disable DTLS temporarily to stop an attack.
"Disabling the DTLS protocol may lead to limited performance degradation to real-time applications using DTLS in your environment. The extent of degradation depends on multiple variables. If your environment does not use DTLS, disabling the protocol temporarily will have no performance impact," according to the Citrix advisory.
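The pattern described above, small inbound UDP/443 datagrams drawing much larger replies out of the appliance until outbound bandwidth is exhausted, is something an administrator can look for in flow records before deciding whether to disable DTLS. The following is an added example, not code from the article, from Citrix or from the researchers quoted; the flow records, the ADC address and the thresholds are constructed for illustration, and the record format is an assumption rather than any Citrix export format.

```python
"""
Added example (not from the article or from Citrix): flag UDP/443 (DTLS)
peers whose traffic looks like reflection/amplification abuse of a
Citrix ADC, i.e. little data in, a lot of data out. All flow records,
addresses and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

DTLS_PORT = 443  # Citrix ADC EDT/DTLS listens on UDP 443, per the article
ADC_IP = "192.0.2.10"  # constructed appliance address (RFC 5737 test range)


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (assumed format, not a Citrix export)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"
    pkts: int
    bytes: int


# Constructed sample: one ordinary DTLS session (198.51.100.7) and one peer
# (203.0.113.9) whose small inbound datagrams pull large replies from the ADC.
SAMPLE_FLOWS = [
    # inbound datagrams to the ADC
    Flow("198.51.100.7", 50000, ADC_IP, 443, "udp", 3, 400),
    Flow("203.0.113.9", 51000, ADC_IP, 443, "udp", 200, 12000),
    Flow("203.0.113.9", 51001, ADC_IP, 443, "udp", 210, 12600),
    # outbound replies from the ADC
    Flow(ADC_IP, 443, "198.51.100.7", 50000, "udp", 3, 1200),
    Flow(ADC_IP, 443, "203.0.113.9", 51000, "udp", 200, 480000),
    Flow(ADC_IP, 443, "203.0.113.9", 51001, "udp", 210, 504000),
]


def amplification_by_peer(flows, adc_ip=ADC_IP, port=DTLS_PORT):
    """Return {peer_ip: (bytes_in, bytes_out)} for UDP traffic on `port`.

    bytes_in  = bytes the peer sent to the ADC's DTLS port
    bytes_out = bytes the ADC's DTLS port sent back to that peer
    """
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == adc_ip and f.dport == port:
            totals[f.src][0] += f.bytes
        elif f.src == adc_ip and f.sport == port:
            totals[f.dst][1] += f.bytes
    return {peer: (bi, bo) for peer, (bi, bo) in totals.items()}


def suspicious_peers(flows, ratio_threshold=10.0, min_out_bytes=100_000):
    """Peers whose out/in byte ratio and outbound volume both exceed thresholds.

    In a reflection attack the inbound source address is spoofed, so a peer
    flagged here is usually the victim receiving the amplified replies, not
    the party that sent them; treat the list as evidence of abuse of the
    appliance, not as an attacker list.
    Returns [(peer, bytes_in, bytes_out, ratio)] sorted by bytes_out desc.
    """
    hits = []
    for peer, (bytes_in, bytes_out) in amplification_by_peer(flows).items():
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        if bytes_out >= min_out_bytes and ratio >= ratio_threshold:
            hits.append((peer, bytes_in, bytes_out, round(ratio, 1)))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def outbound_dtls_bytes(flows, adc_ip=ADC_IP, port=DTLS_PORT):
    """Total bytes the ADC's DTLS port emitted: the quantity that exhausts
    outbound bandwidth in the scenario Citrix describes."""
    return sum(bo for _, bo in amplification_by_peer(flows, adc_ip, port).values())


if __name__ == "__main__":
    print("outbound DTLS bytes:", outbound_dtls_bytes(SAMPLE_FLOWS))
    for peer, bi, bo, ratio in suspicious_peers(SAMPLE_FLOWS):
        print(f"{peer}: in={bi} out={bo} ratio={ratio}x")
```

Running it against the constructed sample flags only 203.0.113.9, with roughly 40x more bytes leaving the appliance than arriving; the ordinary session stays below both thresholds. The thresholds are starting points to tune against a baseline of the environment's own DTLS traffic, and a non-empty result on real flow data is the kind of evidence that would justify the temporary DTLS shutdown the advisory recommends.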
In the meantime, Citrix is working on enhancements to its ADC products, and a fix to address these issues will be released on Jan. 12, according to the advisory.
In July, the FBI issued a warning that the bureau had seen a steady increase in not only the number of DDoS attacks affecting U.S. organizations, but also in the techniques used to amplify these attacks (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).
In that alert, the FBI warned that threat actors have been attempting to use built-in network protocols, which are designed to reduce overhead and operational costs, to conduct larger and more destructive DDoS attacks. This technique helps amplify the attack without using as many resources but can also create a much more disruptive cyberthreat.
CISA also issued its own warning about DDoS attacks in September, following an incident in August in which the New Zealand Stock Exchange was disrupted by a DDoS attack that stopped trading for several days (see: CISA Warns of Increased DDoS Attacks).