Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a critical security flaw in Citrix NetScaler ADC and NetScaler Gateway appliances. The vulnerability, known as Citrix Bleed (CVE-2023-4966), leaks session tokens from the appliance's memory; with a stolen token an attacker hijacks an already authenticated user's session, bypassing both the password check and MFA, and then acts with whatever permissions that user holds. Citrix shipped a fix in October 2023, but the flaw had already been exploited as a zero-day since at least August 2023.
CISA, the FBI, MS-ISAC and the Australian Signals Directorate's ACSC have issued a joint advisory warning about exploitation of this vulnerability. Mandiant is tracking four distinct uncategorized (UNC) groups using it against different industries in the Americas, EMEA and APJ regions. LockBit affiliates have recently joined in, using the access gained through the flaw to run PowerShell scripts and to drop remote monitoring and management (RMM) tools such as AnyDesk and Splashtop for persistent access.
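The LockBit post-exploitation pattern described above, a PowerShell execution followed by an RMM tool drop, is something a SOC can hunt for in process-creation telemetry. The following is an added example, not code from the article, the advisory or any vendor named on the page: it pairs each PowerShell launch with any RMM process that starts on the same host within a configurable window, and records whether the PowerShell command line used an encoded command. The event records, the field names (`host`, `time`, `process`, `cmdline`) and the Splashtop binary name are constructed for this example; `anydesk.exe` is AnyDesk's real executable name.

```python
import re
from datetime import datetime, timedelta

# Process names to treat as remote monitoring and management (RMM) tools.
# "anydesk.exe" is AnyDesk's real binary; the Splashtop entry is an assumed name.
# Build this set from your own software inventory rather than trusting this list.
RMM_PROCESSES = {"anydesk.exe", "splashtop_streamer.exe"}
POWERSHELL_PROCESSES = {"powershell.exe", "pwsh.exe"}

# Matches -e, -ec, -enc, -EncodedCommand and the other prefixes PowerShell
# accepts for -EncodedCommand, but not -ExecutionPolicy.
ENCODED_COMMAND_RE = re.compile(r"(?i)\s-e(c|n[a-z]*)?\s")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_powershell(event: dict) -> bool:
    return event["process"].lower() in POWERSHELL_PROCESSES


def is_rmm(event: dict) -> bool:
    return event["process"].lower() in RMM_PROCESSES


def uses_encoded_command(event: dict) -> bool:
    # Pad with spaces so a flag at either end of the command line still matches.
    return ENCODED_COMMAND_RE.search(" " + event["cmdline"] + " ") is not None


def find_powershell_then_rmm(events, window_minutes: int = 30):
    """Return one finding per (PowerShell launch, RMM launch) pair where the RMM
    process starts on the same host no later than `window_minutes` after PowerShell."""
    by_host = {}
    for ev in sorted(events, key=lambda e: (e["host"], parse_ts(e["time"]))):
        by_host.setdefault(ev["host"], []).append(ev)

    window = timedelta(minutes=window_minutes)
    findings = []
    for host, host_events in by_host.items():
        for i, ps in enumerate(host_events):
            if not is_powershell(ps):
                continue
            t0 = parse_ts(ps["time"])
            for later in host_events[i + 1:]:
                gap = parse_ts(later["time"]) - t0
                if gap > window:
                    break  # events are time-sorted, nothing later can qualify
                if is_rmm(later):
                    findings.append({
                        "host": host,
                        "powershell_time": ps["time"],
                        "encoded_command": uses_encoded_command(ps),
                        "rmm_process": later["process"],
                        "rmm_time": later["time"],
                        "minutes_between": gap.total_seconds() / 60,
                    })
    return findings


# Constructed process-creation events (not real telemetry). WS01 shows the pattern:
# hidden, encoded PowerShell followed five minutes later by a silent AnyDesk install.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2023-11-20 10:00:00", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS01", "time": "2023-11-20 10:05:00", "process": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "WS02", "time": "2023-11-20 11:00:00", "process": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "WS02", "time": "2023-11-20 15:00:00", "process": "splashtop_streamer.exe",
     "cmdline": "splashtop_streamer.exe"},           # four hours later: outside the window
    {"host": "WS03", "time": "2023-11-20 12:00:00", "process": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},                       # RMM with no preceding PowerShell
]

if __name__ == "__main__":
    for finding in find_powershell_then_rmm(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately short: an administrator running an inventory script in the morning and a technician installing AnyDesk in the afternoon should not pair up, which is why WS02 produces nothing. Tune the window and the RMM list to the environment, and treat the encoded-command flag as a priority marker rather than a verdict.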
Exploitation of vulnerabilities in internet-exposed services remains a major initial-access vector for ransomware. Check Point's comparative study of ransomware families targeting Windows and Linux found that the Linux families, which go after medium and large organizations, lean heavily on the OpenSSL library and on a small set of algorithms, with ChaCha20/RSA and AES/RSA the most common combinations, while the Windows families are broader in both targeting and technique.
Check Point researcher Marc Salinas Fernández notes that Linux ransomware shows a trend towards simplification: the samples implement only a basic encryption routine and otherwise lean on legitimate system tools. That leaves the families heavily dependent on external configuration files and scripts supplied at run time, which makes them harder to detect.
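When a family implements little beyond the encryption step and leans on system tools, the binary itself offers few signatures, and what it leaves on disk is often the most reliable evidence. The following is an added triage script, not code from Check Point's report or the article: it samples the head of each file under a directory, flags files that are either high-entropy with no recognisable compressed or media container, or that carry the `Salted__` header that the `openssl enc` command writes ahead of its salt when it derives a key from a password, and then summarises which extensions the flagged files share, since ransomware typically appends its own. The sample tree, its file names and the `.locked` extension are constructed for this example; the `Salted__` magic and the container magics are real.

```python
import gzip
import math
import os
import random
import tempfile
from collections import Counter

OPENSSL_ENC_MAGIC = b"Salted__"  # header `openssl enc` writes ahead of the 8-byte salt

# Legitimate formats that are also near 8 bits/byte; flagging these on entropy alone
# would bury real hits under every archive and photo on the host.
KNOWN_HIGH_ENTROPY_MAGICS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes, threshold: float = 7.5) -> dict:
    entropy = shannon_entropy(data)
    known = next((name for magic, name in KNOWN_HIGH_ENTROPY_MAGICS.items()
                  if data.startswith(magic)), None)
    has_header = data.startswith(OPENSSL_ENC_MAGIC)
    return {
        "entropy": round(entropy, 3),
        "known_format": known,
        "openssl_enc_header": has_header,
        # The header is decisive on its own; entropy only counts when the file is
        # not a recognised compressed or media container.
        "likely_encrypted": has_header or (known is None and entropy >= threshold),
    }


def triage_dir(root: str, sample_bytes: int = 4096, threshold: float = 7.5):
    """Walk `root` and return (path, verdict) for every file judged likely encrypted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable or vanished; not evidence either way
            verdict = classify_blob(head, threshold)
            if verdict["likely_encrypted"]:
                hits.append((path, verdict))
    return hits


def extension_summary(hits) -> Counter:
    """Count extensions among hits; one dominant new extension is a ransomware tell."""
    return Counter(os.path.splitext(path)[1] for path, _ in hits)


def make_sample_tree(root: str) -> str:
    """Write a constructed victim directory (not real ransomware output) under `root`."""
    rng = random.Random(2023)  # deterministic stand-in for ciphertext
    text = b"quarterly figures, nothing unusual here\n" * 100
    files = {
        "notes.txt": text,
        "archive.gz": gzip.compress(text),
        "report.docx.locked": bytes(rng.getrandbits(8) for _ in range(4096)),
        "config.yaml.locked": OPENSSL_ENC_MAGIC + bytes(rng.getrandbits(8) for _ in range(24)),
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree in a temp dir and return (flagged names, extension counts)."""
    root = make_sample_tree(tempfile.mkdtemp(prefix="triage_"))
    hits = triage_dir(root)
    return [os.path.basename(p) for p, _ in hits], extension_summary(hits)


if __name__ == "__main__":
    flagged, by_ext = demo()
    print("flagged:", flagged)
    print("extensions:", dict(by_ext))
```

Two caveats apply. Families that call the OpenSSL library directly rather than the `openssl` binary write no `Salted__` header, so the entropy path carries the load there, and the container allowlist is what keeps that path from flagging every backup archive on the host. Reading only the first few kilobytes keeps the walk fast enough to run across a whole filesystem during an incident, at the cost of missing files whose first block was left in plaintext.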
Overall, the exploitation of Citrix Bleed by multiple threat actors, LockBit affiliates among them, shows how quickly a flaw in an internet-facing appliance turns into a ransomware entry point. Because the flaw exposes existing session tokens, patching alone does not evict an attacker who already holds one; Citrix and Mandiant both advised terminating all active and persistent sessions after upgrading and reviewing appliance logs for sessions used from a source address other than the one that authenticated. The joint advisory and the tracking of exploitation activity by the agencies and Mandiant underscore the importance of timely patching paired with those follow-up measures.
Article Source
https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html