Update on the situation at The Hague and the shutdown of the Dutch Public Prosecution Service's internet access: NCSC Netherlands issued an update today saying all orgs should hunt for CitrixBleed 2 activity, citing my blog.
They also advise clearing all session types, not just the ones Citrix say in their security advisory.
https://advisories.ncsc.nl/advisory?id=NCSC-2025-0196
Here's the Dutch gov letter and my translation.
Again to reiterate the point in the thread - Citrix's patching instructions don't include - for example - resetting AAA sessions when AAA cookies are stealable with the vulnerability. So we're going to see orgs caught with Citrix's pants down.
The Dutch Public Prosecution Office have shut down their Citrix Netscaler and removed all internet access, Dutch media speculating CitrixBleed 2 exploitation.
https://www.techzine.eu/news/security/133163/dutch-department-of-justice-offline-after-citrix-vulnerability/
Justice minister David van Weel told MPs in a briefing that it appears the weakness had been used by third parties to access the department systems.
The justice ministry said the department had applied Citrix's recommended patches, but these failed to fully eliminate the flaw. https://www.dutchnews.nl/2025/07/prosecution-department-goes-offline-due-to-software-weakness/
This bit is still incomplete in the patching instructions btw - if it's an HA pair you need to additionally reset other session types or you're still vulnerable to session hijack after patching.
I'm still trying to get Citrix to update the instructions.
we gettin' there!
Citrix have a blog out about hunting for #CitrixBleed2
https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/
It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs
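As an added example (not code from the thread, from Citrix or from the earlier blog), the two indicators above turned into detection logic over a handful of constructed log lines. The key=value line layout, the field names and the sample values are assumptions made for this example, not the real NetScaler ns.log format, so parse_line() has to be adapted to the appliance's actual output before it is run against real logs.

```python
"""Hunt for the two CitrixBleed 2 indicators described above:
1. login attempts whose username field contains invalid
   (non-printable) characters, and
2. one session ID used from more than one client IP.

The log lines below are CONSTRUCTED for this example in a simple
key=value layout. They are not NetScaler ns.log output; adapt
parse_line() to the appliance's real format before hunting with it.
"""
from collections import defaultdict

# Constructed sample log (hypothetical format). The two 'fail' lines carry
# non-printable bytes in the username field; session 0x1a2b is later used
# from a second client IP.
SAMPLE_LOG = (
    "2025-07-01T09:12:03Z event=AAA_LOGIN user=alice session=0x1a2b client=203.0.113.10 result=ok\n"
    "2025-07-01T09:12:07Z event=AAA_LOGIN user=bob session=0x3c4d client=198.51.100.7 result=ok\n"
    "2025-07-01T09:13:55Z event=AAA_LOGIN user=\x00\x00\x1b\x7f session=- client=192.0.2.44 result=fail\n"
    "2025-07-01T09:14:02Z event=AAA_LOGIN user=a\x1b[0m\x01 session=- client=192.0.2.44 result=fail\n"
    "2025-07-01T09:20:11Z event=SESSION_USE user=alice session=0x1a2b client=203.0.113.10\n"
    "2025-07-01T09:21:30Z event=SESSION_USE user=alice session=0x1a2b client=192.0.2.44\n"
    "2025-07-01T09:22:00Z event=SESSION_USE user=bob session=0x3c4d client=198.51.100.7\n"
)


def parse_line(line):
    """Parse one constructed log line into a dict: first token is the
    timestamp, the rest are key=value pairs (hypothetical layout)."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split(" "):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_invalid_username(user):
    """True if the username holds any character outside printable ASCII
    (0x20-0x7E). Environments with legitimate non-ASCII usernames would
    need an allowlist on top of this check."""
    return any(not (0x20 <= ord(c) <= 0x7E) for c in user)


def find_invalid_usernames(records):
    """Indicator 1: login records whose username field is not clean."""
    return [r for r in records if is_invalid_username(r.get("user", ""))]


def find_shared_sessions(records):
    """Indicator 2: sessions observed from more than one client IP.
    Returns {session_id: sorted list of client IPs}."""
    seen = defaultdict(set)
    for r in records:
        sid = r.get("session")
        if sid and sid != "-" and r.get("client"):
            seen[sid].add(r["client"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


def hunt(log_text):
    """Run both checks over a block of log text and return the findings."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "invalid_usernames": find_invalid_usernames(records),
        "shared_sessions": find_shared_sessions(records),
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for r in findings["invalid_usernames"]:
        print("invalid username at", r["ts"], "from", r["client"], repr(r["user"]))
    for sid, ips in findings["shared_sessions"].items():
        print("session", sid, "used from multiple IPs:", ", ".join(ips))
```

The session check is deliberately keyed on the session ID rather than the username, because the hijack case the thread describes is a stolen cookie replayed by a different client while the legitimate user is still active; a username-level check would miss that when the attacker's traffic carries the same username.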
With the #CitrixBleed2 patch data I publish it's possible to view the history on Github for each new scan and see when hosts change from vuln to patched.
It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitrixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.
It's definitely interesting and may need a scale out.
Personally I think Co-op did a really good job getting out of that situation and minimising impact.
I definitely think if you have a LAPSUS$ style advanced persistent teenagers situation, tilt towards open and honest comms as those kids will use secrecy against ya. It's 2025, it's okay to say you got hacked, people largely understand. Also, in IR, lawyers are usually stuck in 1980 advice - it's just advice, they ain't yo boss.
The people arrested as part of the Co-op and M&S hack investigation have been released on bail.
https://nation.cymru/news/four-people-bailed-after-arrests-over-cyber-attacks-on-ms-co-op-and-harrods/
Previously when this happened with LAPSUS$, they just continued hacking stuff.
I'm fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.
Citrix continue to be MIA. They still have no detection guidance for customers, and haven't told customers the extent of the issue.
#CitrixBleed2