The infamous LockBit ransomware group was observed exploiting a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch.
Last month, Citrix disclosed and patched two unauthenticated vulnerabilities in its NetScaler ADC and NetScaler Gateway products, which enterprises deploy for load balancing and remote access (VPN). The first, CVE-2023-4966, is a sensitive information disclosure caused by a buffer over-read; the second, CVE-2023-4967, is a denial-of-service flaw. Both affect only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Soon after, Mandiant confirmed that it had observed zero-day exploitation of CVE-2023-4966 beginning in late August, and the threat has continued to escalate.
CISA added CVE-2023-4966, commonly known as Citrix Bleed, to the Known Exploited Vulnerabilities catalog on Oct. 18. The agency then issued an alert last week reiterating the urgency for organizations to apply mitigations. More alarmingly, CISA confirmed that the advisory was "in response to active, targeted exploitation" of CVE-2023-4966 and that successful exploitation could allow an attacker to take control of the affected system.
Additional research from GreyNoise showed that threat actors continue to target CVE-2023-4966. The security vendor observed 48 IP addresses attempting to exploit the vulnerability as of Wednesday.
In another report Wednesday, the Financial Services Information Sharing and Analysis Center (FS-ISAC) linked LockBit ransomware deployment to Citrix Bleed exploitation. The report, titled "LockBit: Access, Encryption, Exfiltration and Mitigation," detailed recent LockBit activity and provided actionable steps for enterprises. FS-ISAC referred to LockBit as "one of the most prolific ransomware groups in the world."
The ransomware gang has maintained a consistent spot on NCC Group's top threat actor list, and for good reason. Last week, LockBit claimed responsibility for an attack against Boeing by publishing allegedly stolen data on its data leak site.
The FS-ISAC report highlighted several risks associated with Citrix Bleed exploitation. For example, attackers could read session tokens out of memory on exposed instances and use them to hijack users' sessions. In addition, organizations that have already patched could still be at risk, because tokens stolen before the update remain valid until the sessions themselves are terminated.
"The compromised session tokens can then be used to impersonate active sessions, which bypass authentication (even multi-factor) and gain complete access to the appliance. This vulnerability can still occur even if the vulnerability is patched and rebooted, as copied tokens will remain valid unless further steps are taken," FS-ISAC wrote in the report.
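Two checks that follow from FS-ISAC's warning, written here as an added example (this is not code from the article, FS-ISAC or Citrix): list every session that was already established before the patch was applied, since any of those tokens may have been read out of memory and will keep working, and flag sessions whose token is presented from more than one client address, which is the classic sign of a replayed token. The record layout (session_id, user, client_ip, timestamp) and the rows themselves are constructed for illustration; a real export from the appliance will need to be mapped onto that shape.

```python
"""Added example: post-patch session checks for a CVE-2023-4966 exposure.

Record layout and sample rows are constructed for this example and are
not a real NetScaler export format.
"""
from datetime import datetime, timezone

# Constructed sample of session activity, one row per observation of a
# session token.  s-1001 predates the patch; s-1002 is seen from two IPs.
EVENTS = [
    {"session_id": "s-1001", "user": "alice", "client_ip": "203.0.113.10", "ts": "2023-10-09T08:00:00Z"},
    {"session_id": "s-1002", "user": "bob",   "client_ip": "198.51.100.7", "ts": "2023-10-12T09:15:00Z"},
    {"session_id": "s-1002", "user": "bob",   "client_ip": "192.0.2.44",   "ts": "2023-10-12T09:20:00Z"},
    {"session_id": "s-1003", "user": "carol", "client_ip": "203.0.113.11", "ts": "2023-10-12T10:00:00Z"},
]

# Assumed time at which the fixed build was installed (constructed).
PATCHED_AT = "2023-10-10T12:00:00Z"


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sessions_predating_patch(events, patched_at):
    """Return session IDs first seen before the patch was applied.

    Patching stops new leaks but does not invalidate tokens that were
    already copied, so every one of these sessions should be terminated.
    """
    first_seen = {}
    for e in events:
        t = parse_ts(e["ts"])
        sid = e["session_id"]
        if sid not in first_seen or t < first_seen[sid]:
            first_seen[sid] = t
    cutoff = parse_ts(patched_at)
    return sorted(sid for sid, t in first_seen.items() if t < cutoff)


def sessions_with_multiple_client_ips(events):
    """Return {session_id: [ips]} for tokens presented from more than one address.

    A token that appears from a second client IP mid-session is the
    signature of session impersonation with a stolen token.
    """
    ips = {}
    for e in events:
        ips.setdefault(e["session_id"], set()).add(e["client_ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    print("terminate (pre-patch):", sessions_predating_patch(EVENTS, PATCHED_AT))
    print("investigate (multi-IP):", sessions_with_multiple_client_ips(EVENTS))
```

The multi-IP check will also catch legitimate clients that roam between networks, so treat it as a lead to investigate rather than proof of compromise; the pre-patch list, by contrast, should simply be terminated in full. Citrix's own post-upgrade guidance is to clear all active sessions on the appliance rather than pick through them, using the NetScaler CLI commands `kill icaconnection -all`, `kill rdp connection -all`, `kill pcoipConnection -all`, `kill aaa session -all` and `clear lb persistentSessions`.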
FS-ISAC also described CVE-2023-4966 exploitation activity disclosed by incident responders. Attackers were observed conducting network reconnaissance, stealing credentials and moving laterally via Remote Desktop Protocol (RDP), a popular attack vector. In addition, adversaries deployed remote monitoring and management tools.
However, the most significant activity involved LockBit ransomware. FS-ISAC said incident responders observed "high profile ransomware infections from LockBit" during post-Citrix Bleed intrusion activities.
In a blog post Monday, security researcher Kevin Beaumont shared observations he's made while tracking LockBit activity against governments, banks and law firms. Beaumont said Shodan searches revealed unpatched instances of NetScaler ADC and NetScaler Gateway at organizations that LockBit claimed to have attacked, including the Industrial and Commercial Bank of China (ICBC). However, ICBC has not confirmed that LockBit was behind the ransomware attack or that threat actors exploited Citrix Bleed.
In addition to Citrix Bleed exploitation, the FS-ISAC report raised awareness around LockBit's preferred initial access vectors, such as RDP exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts and exploitation of public-facing applications. The report warned that while LockBit tools frequently target Windows systems, Linux, macOS and VMware ESXi might also be at risk.
FS-ISAC urged enterprises to patch Citrix Bleed (and, because stolen tokens survive the update, to terminate active sessions after patching) as well as other vulnerabilities LockBit has been known to exploit, including the Fortra GoAnywhere Managed File Transfer remote code execution flaw, tracked as CVE-2023-0669. Other recommendations to defend against ransomware attacks overall included enabling phishing-resistant multifactor authentication, implementing a proactive recovery plan, disabling unused ports and implementing network segmentation.
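Deciding whether a NetScaler build is patched means comparing the build string against the per-release fixed builds, not just checking the major version. The function below is an added example and not code from the article or from Citrix; the fixed-build table is copied from Citrix's October 2023 security bulletin for CVE-2023-4966 and CVE-2023-4967 and is an assumption to re-check against that bulletin before relying on it. Because FIPS and NDcPP builds are not marked in the version string itself, the variant is passed as a separate argument, which is also an assumption about how the caller knows the appliance type.

```python
"""Added example: is a NetScaler ADC / Gateway build at or above the fix for CVE-2023-4966?

FIXED_BUILDS is transcribed from Citrix's October 2023 bulletin and should be
verified against it; the variant argument is an assumption (the build string
alone does not say whether an appliance is FIPS or NDcPP).  Release 12.1
(non-FIPS, non-NDcPP) is end of life and has no fixed build.
"""
import re

# (release, variant) -> first fixed (major, minor) build per the Citrix bulletin.
FIXED_BUILDS = {
    ("14.1", None): (8, 50),
    ("13.1", None): (49, 15),
    ("13.0", None): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Build strings look like "13.1-49.15": <release>-<major>.<minor>.
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Split '13.1-49.15' into ('13.1', (49, 15)); raise on anything else."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    release, major, minor = m.groups()
    return release, (int(major), int(minor))


def is_patched(build, variant=None):
    """True if the build is at or above the fixed build for its release/variant.

    Unknown or end-of-life releases are reported as not patched, because
    there is no build that would fix them.
    """
    release, ver = parse_build(build)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return False
    return ver >= fixed


if __name__ == "__main__":
    for b, v in [("13.1-49.15", None), ("13.1-48.47", None),
                 ("12.1-65.35", None), ("13.1-37.164", "FIPS")]:
        print(b, v or "", "patched" if is_patched(b, v) else "VULNERABLE")
```

A build string only tells you the running release; it says nothing about sessions that were live before the upgrade, so a "patched" result here is the starting point for the session cleanup above, not the end of it.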
Arielle Waldman is a Boston-based reporter covering enterprise security news.