LockBit Affiliates Exploit Citrix Bleed, Government Agencies Warn


Several government agencies and cybersecurity organizations have sounded the alarm in response to several groups of threat actors exploiting Citrix Bleed, a vulnerability affecting Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

As part of the #StopRansomware coalition, an opinion was released on November 21 to warn organizations of the continued exploitation of the vulnerability by affiliates of the LockBit 3.0 ransomware group.

The coalition includes the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Australian Cyber ​​Security Center (ACSC).

THE joint advice describes the vulnerability, tactics, techniques, and procedures (TTPs) used by threat actors and the indicators of compromise (IOCs) that organizations that may have been targeted should investigate.

The #StopRansomware coalition also shared a technical report bringing together the results of an initial analysis of Citrix Bleed conducted by CISA.

“If a compromise is detected, author organizations encourage network defenders to scan their networks for malicious activity using the detection methods and IOCs provided in the CSA and apply incident response recommendations. Additionally, immediate application of publicly available patches is also recommended,” the joint opinion states.

What is Citrix Bleed?

Citrix Bleed or CitrixBleed (CVE-2023-4966), is a critical software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances identified for exploitation as early as August 2023. This vulnerability allows malicious actors to bypass multi-factor authentication (MFA) and hijack legitimate user sessions.

Citrix publicly disclosed the vulnerability on October 10, 2023 in the Citrix Security Bulletin, which published guidance and detailed affected products, IOCs, and recommendations.

Based on widely available public exploits and evidence of active exploitation, CISA added this vulnerability to the Catalog of Known Exploited Vulnerabilities (KEV). This critical vulnerability exploit affects the following software versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
  • NetScaler ADC 13.1FIPS before 13.1-37.163
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

How do LockBit Affiliates use Citrix Bleed?

LockBit 3.0 affiliates have recently begun leveraging Citrix Bleed to target large organizations, including BoeingTHE Industrial and Commercial Bank of China (ICBC), Allen & Overy and DP World.

Security researcher Kevin Beaumont said the attacks were “carried out in a coordinated manner between multiple LockBit operators – a strike team aimed at breaking into organizations using CitrixBleed and then demanding ransom from them.”

Although access was “incredibly easy” – at least before the patch was installed – the real challenge for threat actors has been maintaining access, “because hijacking a session boots the legitimate user, and the legitimate user starts the attacker when he does so. reconnect,” Beaumont explained.

After gaining access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable device returning system memory information. The information obtained from this exploit contains a valid NetScaler AAA session cookie.

According to CISA Director Jen Easterly, Boeing provided vital information that helped develop the joint advisory issued #StopRansomware.

Leave a comment