LockBit Ransomware Operators Targeting CitrixBleed in Coordinated Attacks


China’s ICBC, Boeing, Australian logistics giant DP World and a major law firm are among the known victims so far; more than 5,000 organizations worldwide remain unpatched and vulnerable to CVE-2023-4966

Multiple LockBit ransomware operators are apparently working in a coordinated manner to break into major organizations via “CitrixBleed” (CVE-2023-4966), a critical vulnerability in several versions of Citrix’s NetScaler ADC and NetScaler Gateway application delivery technology.

So far, known victims of LockBit’s CitrixBleed strike team include the Industrial and Commercial Bank of China (ICBC) Financial Services, Boeing, Australian logistics giant DP World and Allen & Overy, one of the world’s largest law firms.

Quick Links

CitrixBleed vulnerability disclosure: CVE-2023-4966

Patch and mitigation information: Critical security update now available for NetScaler ADC and NetScaler Gateway

Mandiant’s Guidance: Citrix NetScaler ADC/Gateway: CVE-2023-4966 Remediation

US Cybersecurity and Infrastructure Security Agency (CISA) guidance: CISA Releases Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed

Reports on attack activity targeting CitrixBleed:

LockBit ransomware group assemble strike team to breach banks, law firms and governments

Citrix Bleed Vulnerability: Background and Recommendations

Attacks Impact Multiple Sectors

Security researcher Kevin Beaumont, who has been tracking the attacks, on Monday reported observing LockBit incidents involving the Citrix NetScaler bug across multiple industry sectors, including finance, freight, legal and defense. “I am tracking over 10 victims currently being extorted, and lots more in initial stages,” Beaumont said.

CVE-2023-4966 is a buffer overflow bug that gives attackers a way to access sensitive information. Citrix has assigned the CitrixBleed vulnerability a critical severity rating of 9.4 out of 10, based on the fact that it is remotely exploitable, involves little attack complexity and requires no special privileges or user interaction. “This vulnerability allows the bypass of all multi-factor authentication controls and provides a point and click desktop PC within the impacted victim’s internal network via ‘VDI’ — think Remote Desktop or RDP,” Beaumont said.

The CitrixBleed bug is trivial to exploit, and there are typically no logs of the initial exploit activity because Citrix NetScaler does not log the exploit request, the security researcher noted.

Update Now

Citrix issued updated versions of the affected NetScaler ADC and Gateway products on October 10, several weeks after threat actors first began exploiting the flaw. Mandiant, which reported the flaw to Citrix, has recommended that organizations also “terminate all active and persistent sessions (per appliance)” because previously hijacked sessions can persist even after an update. “Prior to the update being deployed, we have observed session hijacking where session data was stolen and subsequently used by a threat actor,” Mandiant reported. “These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed.”
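As an added example (not from the article, Mandiant or Citrix), the script below applies the session-hijack heuristic implied by Mandiant’s advice: a session that was created by one client address and is later used from a different address, typically with a different client software string, is a candidate for a replayed (stolen) session and should be terminated and investigated. The log lines and their field layout are constructed for illustration and do not reproduce real NetScaler syslog syntax; map the fields onto the appliance’s own AAA/ICA session logs before use.

```python
import re
from collections import defaultdict

# Constructed sample log (NOT real NetScaler syslog syntax): session id, user, client ip, user-agent.
# Session a1b2c3 is created from one address and later replayed from another with a scripted client.
SAMPLE_LOG = """\
2023-11-12T08:01:10Z AAA SESSION_CREATE sess=a1b2c3 user=jdoe src=203.0.113.10 ua="Citrix Workspace"
2023-11-12T08:03:44Z AAA SESSION_USE    sess=a1b2c3 user=jdoe src=203.0.113.10 ua="Citrix Workspace"
2023-11-12T09:15:02Z AAA SESSION_USE    sess=a1b2c3 user=jdoe src=198.51.100.77 ua="python-requests/2.31"
2023-11-12T09:20:51Z AAA SESSION_CREATE sess=d4e5f6 user=asmith src=203.0.113.20 ua="Citrix Workspace"
2023-11-12T09:22:00Z AAA SESSION_USE    sess=d4e5f6 user=asmith src=203.0.113.20 ua="Citrix Workspace"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) AAA (?P<event>\S+)\s+sess=(?P<sess>\S+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_hijacked_sessions(log_text):
    """Return {session_id: {"user": ..., "sources": [(src, ua), ...]}} for every
    session that was used from more than one client address."""
    seen = defaultdict(lambda: {"user": None, "sources": []})
    for rec in parse(log_text):
        entry = seen[rec["sess"]]
        entry["user"] = rec["user"]
        pair = (rec["src"], rec["ua"])
        if pair not in entry["sources"]:
            entry["sources"].append(pair)
    # Keep only sessions seen from two or more distinct client addresses.
    return {s: e for s, e in seen.items() if len({src for src, _ in e["sources"]}) > 1}

if __name__ == "__main__":
    for sess, info in find_hijacked_sessions(SAMPLE_LOG).items():
        print(f"session {sess} (user {info['user']}) used from: {info['sources']}")
```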

According to Beaumont, after LockBit actors gain initial access to a target system via CitrixBleed, they have been deploying Atera and similar remote access tools to enable persistent, remote, interactive PowerShell requests without triggering any EDR alerts or alerting users that their sessions have been hijacked. “After access, the victims are passed to the execution team,” he said. “This team escalates privileges via a variety of techniques, terminates EDR controls, steals data and ultimately deploys ransomware.” More than 5,000 organizations have not yet updated their Citrix NetScaler devices to fixed versions and remain exposed to attacks like the ones that LockBit actors have been carrying out, Beaumont said.

Substantial Attacker Interest

GreyNoise, which monitors Internet traffic for malicious activity, reported observing attempts to exploit CVE-2023-4966 from at least 63 unique IP addresses between Nov 11 and Nov 14.

Security vendor ReliaQuest has identified four separate criminal groups currently targeting CitrixBleed. “Urgent remedial action, including installing updated versions of Netscaler Gateway and ADC and killing active sessions, is strongly recommended by CISA and Citrix’s owner Cloud Software Group,” ReliaQuest said.