Citrix NetScaler devices have become the latest targets in a growing wave of password spray attacks aimed at breaching corporate networks by compromising edge networking devices and cloud platforms. Earlier this week, Germany's Federal Office for Information Security (BSI) issued a warning about multiple incidents involving brute force attacks against these devices.
The attacks reportedly began in November and have escalated through December. Victims have reported massive numbers of login attempts, ranging from 20,000 to over one million, using generic usernames in an effort to brute force account credentials.
Citrix confirmed these incidents in a security bulletin, noting that the attacks originate from a wide array of IP addresses, complicating efforts to mitigate them through traditional means such as IP blocking or rate limiting. The surge in authentication requests can overwhelm Citrix NetScaler devices, potentially causing performance issues or rendering the devices temporarily unavailable.
Cloud Software Group has recently observed an increase in password spraying attacks directed at NetScaler appliances. These attacks are characterized by a sudden and significant increase in authentication attempts and failures, which trigger alerts across monitoring systems, including Gateway Insights and Active Directory logs. The attack traffic originates from a broad range of dynamic IP addresses, making traditional mitigation strategies such as IP blocking and rate limiting less effective.
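The bulletin's point is that a distributed spray defeats per-source counting: each IP contributes only a handful of failures, so a classic "more than N failures from one address" rule never fires, while the aggregate shape of the traffic (many failures, many distinct usernames, spread across many sources in a short window) is unmistakable. The following is an added example written for this article, not Citrix's code or the page's own; the log line format, thresholds and sample data are all constructed and only loosely modelled on a NetScaler AAA login-failure message. It parses the constructed lines, shows that the per-IP rule stays silent, and then raises an alert from the window-level detector.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed line format for this example (an assumption, not the exact
# NetScaler AAA syslog schema).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?LOGIN_FAILED .*?"
    r"User (?P<user>\S+) - Client_ip (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed sample: a quiet baseline, then a distributed password spray."""
    base = datetime(2024, 12, 10, 8, 0, 0)
    lines = []
    # Baseline: one legitimate user mistypes a password three times from one IP.
    for i in range(3):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} ns01 AAA LOGIN_FAILED User jsmith - Client_ip 203.0.113.7")
    # Spray: 40 generic usernames, each tried once from a different source IP
    # within two minutes, so no single address exceeds a per-IP threshold.
    for i in range(40):
        t = base + timedelta(minutes=30, seconds=3 * i)
        lines.append(
            f"{t.isoformat()} ns01 AAA LOGIN_FAILED User user{i:02d} - Client_ip 198.51.100.{i + 1}"
        )
    return lines


def parse(lines):
    """Extract (timestamp, username, source ip) from each failure line; skip non-matching lines."""
    events = []
    for line in lines:
        m = LINE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"].lower(), m["ip"]))
    return events


def per_ip_offenders(events, limit=10):
    """Classic per-source rule: addresses with more than `limit` failures.
    A spray spread over many addresses never trips it."""
    counts = Counter(ip for _, _, ip in events)
    return sorted(ip for ip, n in counts.items() if n > limit)


def spray_windows(events, window=timedelta(minutes=5), min_failures=20, min_users=15):
    """Tumbling-window detector keyed on the aggregate shape of the failures:
    many failures AND many distinct usernames, independent of how many sources.
    Returns one alert dict per window that matches."""
    buckets = defaultdict(list)
    for ts, user, ip in events:
        start = EPOCH + ((ts - EPOCH) // window) * window  # align to window boundary
        buckets[start].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        hits = buckets[start]
        users = {u for u, _ in hits}
        ips = {ip for _, ip in hits}
        if len(hits) >= min_failures and len(users) >= min_users:
            alerts.append({
                "window_start": start.isoformat(),
                "failures": len(hits),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_failures_per_ip": max(Counter(ip for _, ip in hits).values()),
            })
    return alerts


if __name__ == "__main__":
    evts = parse(build_sample_log())
    print("per-IP rule flags:", per_ip_offenders(evts))   # [] : every source stays under the limit
    for alert in spray_windows(evts):
        print("spray window:", alert)
```

The window detector reports 40 failures from 40 usernames and 40 addresses with at most one failure per address, which is the signature the bulletin describes; the same numbers explain why IP blocking and per-source rate limiting buy little here. Thresholds should be tuned to the baseline failure rate of the deployment, and the distinct-username count is the term that separates a spray from a single locked-out user or a misconfigured client retrying.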
The attackers are specifically targeting pre-nFactor endpoints, older authentication URLs maintained for compatibility with legacy configurations.
Citrix's advisory outlines several steps for reducing the impact of the attacks: ensure that multi-factor authentication is enabled for Gateway and that the MFA verification factor is configured before the LDAP factor, and create responder policies that allow requests only for the desired FQDN and block other authentication requests.