CISA, FBI warn of LockBit attacks on Citrix Bleed

The latest advisory on exploitation of the Citrix Bleed vulnerability confirmed that the LockBit ransomware group perpetrated the attack on Boeing.

CISA published an advisory update Tuesday on LockBit threat actors exploiting a critical software vulnerability known as Citrix Bleed that included pertinent information shared by Boeing.

Citrix Bleed, a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability, was disclosed and patched last month, but Mandiant later confirmed that exploitation started in August. The threat continued to worsen as vendors confirmed that the LockBit ransomware group was exploiting the flaw, tracked as CVE-2023-4966, and that many instances remained unpatched as of last week.

Calls to patch the flaw intensified following Citrix's disclosure, including one in October from CISA. On Tuesday, CISA and the FBI published a second Citrix Bleed advisory that warned enterprises of "widespread exploitation," particularly from LockBit.

The joint Cybersecurity Advisory (CSA) included an extensive list of IP addresses, scripts, domains and file names in an indicators of compromise (IOCs) section. CISA and the FBI learned of the tactics, techniques and procedures (TTPs) by collaborating with a recent LockBit victim -- Boeing.

"This CSA provides TTPs and IOCs obtained from FBI, ACSC [the Australian Signals Directorate's Australian Cyber Security Centre], and voluntarily shared by Boeing," CISA wrote in the advisory. "Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization."

Earlier this month, LockBit leaked data allegedly stolen during an attack against Boeing. LockBit gave the global aerospace company a ransom deadline of Nov. 2, but removed Boeing from its public data leak site soon after, which often signals that the victim either paid the ransom or was in negotiations with the gang. However, the removal was only temporary; LockBit re-listed Boeing with a new deadline of Nov. 10.

With reports of stolen data lurking, Boeing confirmed that its distribution business did suffer a cybersecurity incident at an undisclosed time. Meanwhile, cybersecurity researcher Dominic Alvieri shared data taken from LockBit showing that operators might have exploited Citrix Bleed to attack Boeing.

While Boeing did not confirm whether it suffered a ransomware attack or that Citrix Bleed was involved, the CISA advisory Tuesday correlated those reports. In a media call with CISA and the FBI Tuesday, Eric Goldstein, CISA's executive assistant director, applauded Boeing for its collaboration with the public sector. He said the technical information Boeing shared from the attack against its subsidiary allowed CISA to publish more "effective guidance" to help enterprises defend against Citrix Bleed and LockBit attacks.

"We have notified nearly 300 organizations that appear to be running vulnerable instances of the affected devices so that they can mitigate their vulnerabilities before harm occurs," Goldstein said during the media call.

Goldstein added that the joint advisory was published "in response to widespread exploitation by both nation-state and cybercriminal groups of a vulnerability known as Citrix Bleed."

LockBit exploitation

One significant risk Citrix Bleed exploitation poses to enterprises is attackers' ability to hijack user sessions on vulnerable Citrix products and bypass multifactor authentication (MFA). Identity-based attacks that bypass MFA have been on the rise, and the recent Citrix Bleed campaign showed that the trend is continuing.

According to the advisory, LockBit threat actors exploited the flaw to hijack session tokens and take over user accounts on NetScaler ADC and NetScaler Gateway products, with the resulting activity appearing to be legitimate.

"After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information," the advisory said. "The information obtained through this exploit contains a valid NetScaler AAA session cookie."
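Because a stolen session cookie lets an affiliate act as an already-authenticated user, one defensive signal worth watching is an authenticated session that is suddenly used from a different client address than the one that established it. The script below is an added illustration of that heuristic and is not code from the advisory, from Boeing or from Citrix; the log lines and their format are constructed for the example (NetScaler's real log format differs, so the `parse_line` mapping is an assumption you would replace with your own appliance or reverse-proxy fields).

```python
"""Flag authenticated sessions that are reused from more than one client IP.

Added example, not from the CISA/FBI advisory. The log format below is
constructed for this illustration and is NOT NetScaler's real format.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: <timestamp> <client_ip> <user> <session_id> <event>
# SESS-0001 is established from one address and then used from another,
# which is the pattern a hijacked session cookie would produce.
SAMPLE_LOG = """\
2023-11-20T08:01:02Z 198.51.100.10 alice SESS-0001 login
2023-11-20T08:05:41Z 198.51.100.10 alice SESS-0001 request /portal
2023-11-20T08:09:17Z 203.0.113.77 alice SESS-0001 request /admin
2023-11-20T08:11:00Z 192.0.2.23 bob SESS-0002 login
2023-11-20T08:12:30Z 192.0.2.23 bob SESS-0002 request /portal
"""


@dataclass
class Finding:
    """One session that was observed from more than one client address."""
    session_id: str
    user: str
    source_ips: List[str]  # in order of first appearance


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields (assumed layout)."""
    ts, ip, user, sid, event = line.split(maxsplit=4)
    return {"ts": ts, "ip": ip, "user": user, "session_id": sid, "event": event}


def find_multi_ip_sessions(log_text: str) -> List[Finding]:
    """Return sessions whose id was seen from two or more distinct client IPs."""
    ips_by_session: Dict[str, List[str]] = {}
    user_by_session: Dict[str, str] = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        sid = rec["session_id"]
        # Remember the user who first appeared with this session id.
        user_by_session.setdefault(sid, rec["user"])
        seen = ips_by_session.setdefault(sid, [])
        if rec["ip"] not in seen:
            seen.append(rec["ip"])
    return [
        Finding(sid, user_by_session[sid], ips)
        for sid, ips in ips_by_session.items()
        if len(ips) > 1
    ]


if __name__ == "__main__":
    for f in find_multi_ip_sessions(SAMPLE_LOG):
        print(f"session {f.session_id} for {f.user} seen from {', '.join(f.source_ips)}")
```

Running it reports `SESS-0001` for `alice` as seen from both `198.51.100.10` and `203.0.113.77`, while `bob`'s session is clean. Treat a hit as a triage lead rather than proof of compromise: users roaming between networks also change address, so correlate with the advisory's IOCs and with the login event itself before invalidating sessions.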

The advisory revealed that a PowerShell script was executed prior to malware deployment, and LockBit threat actors were observed using AnyDesk and Splashtop remote management and monitoring tools during the attacks.

"Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks," the advisory said.

Recommended mitigations included isolating NetScaler ADC and NetScaler Gateway devices, securing remote tools and PowerShell, and ensuring systems and software are up to date. For protection against credential theft, CISA urged enterprises to use passwords of at least 15 characters, store passwords in hashed format and require admin credentials to install software.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
