LockBit Ransomware Operators Actively Exploiting Citrix Bleed Vulnerability


December 11, 2023


CISA, the FBI, the MS-ISAC and the Australian Signals Directorate released a joint Cybersecurity Advisory (CSA) to address LockBit ransomware operators exploiting the Citrix Bleed vulnerability (CVE-2023-4966) that impacts the Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” the alert states.

“CISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.”

Takeaway: Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available.

Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

For many of these vulnerabilities, exploits have been available for quite some time, and in many cases, the exploits have been built into toolkits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences.

Right now, ransomware gangs are actively exploiting CVE-2023-4966, dubbed Citrix Bleed, which impacts the Citrix NetScaler web application delivery control (ADC) and the NetScaler Gateway appliance, both of which are used by thousands of organizations around the world.

In early October, the NetScaler Cloud Software Group released updated builds to address CVE-2023-4966, yet many organizations have yet to upgrade to the secure versions.

Many might wonder why at-risk organizations have not yet implemented a fix for these vulnerabilities, as well as for the known bugs in applications like GoAnywhere and MOVEit that ransomware operators have been exploiting to victimize thousands of targets all year long.

There are two reasons an organization fails to patch or upgrade versions in a timely manner: they could have patched but didn’t, or they wanted to patch but couldn’t.

Organizations that could have patched or upgraded but chose not to really don’t have any excuse. But the organizations that wanted to patch and couldn’t are the more typical case.

In many cases, patching is not as easy as just downloading the most current version of the vulnerable software; for some organizations it can be a highly complex task.

In order to avoid breaking critical business systems, patches and new version builds often need to be applied in a development environment and tested prior to introducing the updates in the production environment.

Even then, patching and version upgrades can be blocked by legacy systems and software, or by internal (home-brewed) scripts and applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before those systems can be protected.

Assessing risk exposure is not always a simple process either, particularly if the organization does not have good visibility into all the systems and software running in its environment.

For example, when the Log4Shell exploit emerged, organizations had to scramble to assess where their exposure was, because the Log4J utility is so widely used and there was little in the way of documentation as to where to look for it - hence the push for a Software Bill of Materials (SBOM) to make this task easier.

Unfortunately, bug-fix releases arrive all the time, and in many cases timely patching is simply not a high priority for some organizations because their IT and security staffing and resources are minimal, especially in sectors that are predominantly non-profit or run on thin margins, like healthcare, education, retail and others.

The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in nation-state operations.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.