Urgent Warnings Issued on CitrixBleed Exploitation by LockBit Ransomware Gang

November 22, 2023

The exploitation of a critical vulnerability in Citrix's NetScaler product has led to urgent warnings from Citrix and various government agencies in the US and Australia. This vulnerability, known as CitrixBleed and tracked under CVE-2023-4966, is an unauthenticated bug that could lead to information disclosure. It affects NetScaler ADC and Gateway appliances set up as a gateway or an AAA server. The bug has been exploited as a zero-day since August and mass exploitation began around three weeks ago, coinciding with the publication of a proof-of-concept exploit and a technical writeup.

In October, Citrix warned that attackers were exploiting the vulnerability for session hijacking, bypassing all forms of authentication, including multi-factor authentication safeguards. On Monday, Citrix urged administrators to apply the available patches as soon as possible, due to a significant increase in attempts to exploit this vulnerability in unpatched NetScaler ADCs. The company also reported that the LockBit ransomware gang has begun exploiting the vulnerability.

Alerts regarding LockBit's targeting of CitrixBleed were also issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Cyber Security Center (ACSC). These agencies noted that LockBit affiliates have historically attacked organizations of various sizes across several critical infrastructure sectors. They revealed that LockBit exploited CitrixBleed to gain initial access to Boeing Distribution Inc., a subsidiary of aerospace giant Boeing. Using valid session cookies obtained by exploiting CVE-2023-4966, the LockBit affiliates were able to establish an authenticated session with the appliance and execute a PowerShell script to deploy malware.

The four agencies provided a list of indicators of compromise associated with the LockBit attack on Boeing and recommended that organizations look for evidence of compromise and patch immediately. Administrators are advised to update to the specified fixed versions of NetScaler ADC and Gateway, which address the vulnerability. Because session cookies persist in memory, attackers can retrieve them even after the update, so after the upgrade any active or persistent sessions should be removed to ensure the flaw is fully mitigated.
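Because a stolen session cookie is accepted without any new login, one defender-side check when hunting for evidence of compromise is to look for a session identifier that is used from more than one client address, or that shows activity with no login event at all in the log window. The following is an added example, not code from the article or from Citrix or the agencies; it parses a constructed, hypothetical key=value log format rather than NetScaler's real log layout, and the session ids and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format (not NetScaler's real syslog layout).
SAMPLE_LOG = """\
2023-11-10T08:01:12Z session=a1b2c3 src=10.0.5.21 event=login user=jdoe
2023-11-10T08:04:40Z session=a1b2c3 src=10.0.5.21 event=request path=/vpn/index.html
2023-11-10T08:09:03Z session=a1b2c3 src=203.0.113.77 event=request path=/vpn/index.html
2023-11-10T08:15:30Z session=d4e5f6 src=10.0.5.40 event=login user=asmith
2023-11-10T08:20:11Z session=d4e5f6 src=10.0.5.40 event=request path=/vpn/index.html
2023-11-10T08:31:05Z session=g7h8i9 src=198.51.100.9 event=request path=/vpn/index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
)


def parse_log(text):
    """Yield (timestamp, session_id, src_ip, event) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sid"), m.group("src"), m.group("event")


def find_suspicious_sessions(text):
    """Return two indicators that a session token may have been replayed:
    - multi_ip: sessions seen from more than one source IP (IPs in order of first appearance)
    - no_login: sessions with activity but no observed login event in the window
    """
    ips_by_session = defaultdict(list)  # ordered, de-duplicated source IPs per session
    logged_in = set()
    for _ts, sid, src, event in parse_log(text):
        if src not in ips_by_session[sid]:
            ips_by_session[sid].append(src)
        if event == "login":
            logged_in.add(sid)
    multi_ip = {sid: ips for sid, ips in ips_by_session.items() if len(ips) > 1}
    no_login = sorted(sid for sid in ips_by_session if sid not in logged_in)
    return {"multi_ip": multi_ip, "no_login": no_login}


if __name__ == "__main__":
    for indicator, hits in find_suspicious_sessions(SAMPLE_LOG).items():
        print(indicator, hits)
```

A session legitimately roaming between networks will also trip the first check, so treat hits as leads to correlate with the patch date and the published indicators rather than as confirmed compromise.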
