CISA, FBI warn of LockBit attacks on Citrix Bleed

CISA published an advisory update Tuesday on LockBit threat actors exploiting a critical software vulnerability known as Citrix Bleed that included pertinent information shared by Boeing.

Citrix Bleed, a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability, was disclosed and patched last month, but Mandiant later confirmed that exploitation started in August. The threat continued to worsen as vendors confirmed that the LockBit ransomware group was exploiting the flaw, tracked as CVE-2023-4966, and that many instances remained unpatched as of last week.

Calls to patch the flaw intensified following Citrix's disclosure, including one in October from CISA. On Tuesday, CISA and the FBI published a second Citrix Bleed advisory that warned enterprises of "widespread exploitation," particularly from LockBit.

The joint Cybersecurity Advisory (CSA) included an extensive list of IP addresses, scripts, domains and file names in an indicators of compromise (IOCs) section. CISA and the FBI learned of the tactics, techniques and procedures (TTPs) by collaborating with a recent LockBit victim -- Boeing.

"This CSA provides TTPs and IOCs obtained from FBI, ACSC [the Australian Signals Directorate's Australian Cyber Security Centre], and voluntarily shared by Boeing," CISA wrote in the advisory. "Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization."

Earlier this month, LockBit leaked data allegedly stolen during an attack against Boeing. LockBit gave the global aerospace company a ransom deadline of Nov. 2, but removed Boeing from its public data leak site soon after, which often signals that the victim either paid the ransom or was in negotiations with the gang. However, the removal was only temporary; LockBit re-listed Boeing with a new deadline of Nov. 10.

With reports of stolen data lurking, Boeing confirmed that its distribution business did suffer a cybersecurity incident at an undisclosed time. Meanwhile, cybersecurity researcher Dominic Alvieri shared data taken from LockBit showing that operators might have exploited Citrix Bleed to attack Boeing.

While Boeing did not confirm whether it suffered a ransomware attack or that Citrix Bleed was involved, the CISA advisory Tuesday correlated those reports. In a media call with CISA and the FBI Tuesday, Eric Goldstein, CISA's executive assistant director, applauded Boeing for its collaboration with the public sector. He said the technical information Boeing shared from the attack against its subsidiary allowed CISA to publish more "effective guidance" to help enterprises defend against Citrix Bleed and LockBit attacks.

"We have notified nearly 300 organizations that appear to be running vulnerable instances of the affected devices so that they can mitigate their vulnerabilities before harm occurs," Goldstein said during the media call.

Goldstein added that the joint advisory was published "in response to widespread exploitation by both nation-state and cybercriminal groups of a vulnerability known as Citrix Bleed."