Ransomware Operators Continue to Exploit Citrix Bleed Vulnerability


February 13, 2024


Planet Home Lending disclosed that it was the victim of an attack by the LockBit ransomware gang carried out by way of a known vulnerability in the Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.

It is estimated that the personal data of more than 200,000 Planet Home customers were compromised, including names, addresses, Social Security numbers, loan numbers, and financial account numbers.

“While Planet had implemented multiple layers of security tools designed to prevent this type of unauthorized access, the threat actor was able to exploit this Citrix Bleed vulnerability to bypass these protections,” SC Magazine reports.

“Many of these industries have data retention requirements for legal, compliance or regulatory reasons. Because of these requirements, it’s not uncommon for companies to retain a large amount of past customer data — increasing the size of target on their backs.”

Takeaway: The LockBit ransomware gang has been actively exploiting CVE-2023-4966, dubbed Citrix Bleed, which affects the Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances used by thousands of organizations around the world.

In early October, the NetScaler Cloud Software Group released updated builds to address CVE-2023-4966, yet many organizations have yet to upgrade to the secure versions.  

Many might wonder why organizations at risk have not yet implemented a fix for these vulnerabilities, or for the known bugs in applications like GoAnywhere and MOVEit that ransomware operators have been exploiting to victimize thousands of targets all year long.

There are two reasons an organization fails to patch or upgrade versions in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t.

Organizations that could patch or upgrade but opt not to really don't have any excuse. The organizations that wanted to patch but couldn't are the more typical case, however. Patching is often not as simple as downloading the most current version of the vulnerable software; for some organizations it is a highly complex task.

To avoid breaking critical business systems, patches and new version builds often need to be applied in a development environment and tested prior to introducing the updates in the production environment.  

Even then, legacy systems and software, or internal (home-brewed) scripts and applications that will break if a patch is applied haphazardly, can block patching and version upgrades outright. There can be months or more of work to do before such systems can be protected.

Unfortunately, bug-fix releases arrive all the time, and for many organizations timely patching is simply not a high priority because their IT and security staffing and resources are minimal.

Research from 2023 noted that more than three-quarters of all ransomware-related vulnerability exploits observed targeted bugs that were disclosed between 2010 and 2019 for which patches were already available.  

Most of those exploited vulnerabilities were low to medium severity, so they were likely a low priority for patching or were never addressed at all. Attackers often look for the lowest-hanging fruit, and for older vulnerabilities it is likely that exploits have already been built into toolkits and automated.

Patching can be difficult in some circumstances and take time, but there is no excuse for organizations to be unaware that they need to patch a known vulnerability. Attackers are automating the discovery and exploitation of these vulnerable systems, so organizations should have processes in place to understand if they are exposed.
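One way to build the exposure process described above, as an added example that is not code from the original post or from Halcyon: take the vendor advisory (first fixed build per release branch), compare it against the appliance inventory, and rank findings so that bugs known to be exploited in the wild outrank higher-CVSS bugs that are not, which is the point made about old, low-severity vulnerabilities. The build-string pattern ("MAJOR.MINOR-BUILD.PATCH"), the advisory values and the hostnames are all constructed placeholders; substitute the real advisory's fixed builds and your own asset data.

```python
"""
Exposure check over an appliance inventory.

Added example, not code from the original post. The advisory values, CVE
identifiers and inventory below are constructed placeholders; the
'actively_exploited' flag would normally come from a feed such as CISA's
Known Exploited Vulnerabilities catalog.
"""
import re
from dataclasses import dataclass

# Assumed build-string shape, e.g. "13.1-49.15" -> (13, 1, 49, 15)
BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(text):
    """Parse a build string into an int tuple so builds compare numerically."""
    m = BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(x) for x in m.groups())


@dataclass(frozen=True)
class Advisory:
    cve: str
    actively_exploited: bool
    cvss: float
    fixed_builds: dict  # (major, minor) branch -> first fixed build tuple


@dataclass
class Finding:
    host: str
    installed: str
    cve: str
    status: str  # "vulnerable" | "no-fix-for-branch" | "fixed"
    rank: tuple  # lower sorts first


STATUS_ORDER = {"vulnerable": 0, "no-fix-for-branch": 1, "fixed": 2}


def assess_host(host, build_text, advisory):
    """Compare one host's build with the advisory's fixed build for its branch."""
    installed = parse_build(build_text)
    branch = installed[:2]
    fixed = advisory.fixed_builds.get(branch)
    if fixed is None:
        # Branch absent from the advisory: unaffected or out of support.
        # Surface it for review instead of silently treating it as safe.
        status = "no-fix-for-branch"
    elif installed < fixed:
        status = "vulnerable"
    else:
        status = "fixed"
    # Ranking: exploited-in-the-wild and unresolved first, then by status,
    # then by CVSS descending. CVSS alone never decides the order.
    rank = (
        0 if (status != "fixed" and advisory.actively_exploited) else 1,
        STATUS_ORDER[status],
        -advisory.cvss,
    )
    return Finding(host, build_text, advisory.cve, status, rank)


def assess_inventory(inventory, advisories):
    """Return every (host, advisory) finding, most urgent first."""
    findings = [assess_host(h, b, a) for h, b in inventory for a in advisories]
    return sorted(findings, key=lambda f: (f.rank, f.host))


# Constructed sample data. CVE-0000-0001 mirrors the Citrix Bleed situation:
# a lower CVSS score than CVE-0000-0002 but actively exploited.
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", True, 7.5,
             {(13, 1): parse_build("13.1-50.0"), (14, 1): parse_build("14.1-10.0")}),
    Advisory("CVE-0000-0002", False, 9.8,
             {(13, 1): parse_build("13.1-51.0"), (14, 1): parse_build("14.1-12.0")}),
]
SAMPLE_INVENTORY = [
    ("gw-01.example.test", "13.1-49.0"),  # below both fixed builds
    ("gw-02.example.test", "13.1-50.5"),  # fixed for 0001, still vulnerable to 0002
    ("gw-03.example.test", "14.1-12.3"),  # fixed for both
    ("gw-04.example.test", "12.1-65.0"),  # branch not covered by either advisory
]


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{f.host:20} {f.installed:12} {f.cve:14} {f.status}")
```

Run as a script it prints the ranked list; the first line is the host that is both unpatched and exposed to the actively exploited bug, and the uncovered 12.1 branch lands second because an appliance the vendor no longer fixes is an exposure in its own right, not a pass.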

There is no reason for organizations to be caught off guard.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.