Computer Weekly: CISA Exposes LockBit’s Method of Hacking Boeing through Citrix Bleed

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the Australian Cyber Security Centre (ACSC), has released detailed information on how the LockBit ransomware gang exploited the Citrix Bleed vulnerability to access Boeing’s systems. This vulnerability, tracked as CVE-2023-4966, affects Citrix NetScaler web applications and has been used by nation-state actors as well as LockBit. By bypassing password requirements and multi-factor authentication, threat actors were able to hijack legitimate user sessions, gaining access to credentials and resources.

Boeing voluntarily shared this information to raise awareness of the impact of Citrix Bleed, and CISA has since notified nearly 300 organizations with vulnerable instances of the affected devices. The LockBit affiliate used Citrix Bleed to gain access to valid NetScaler session cookies and establish an authenticated session without requiring login credentials.

After removing remote management tools, LockBit leaked approximately 40 GB of data from Boeing’s systems, but Boeing has confirmed that flight safety was not compromised. CISA, the FBI, and the ACSC are urging network administrators to apply the recommended mitigations, isolate NetScaler devices, and search for malicious activity on their networks. They also emphasize the importance of applying the necessary Citrix patches, which have been available for over a month.

Article Source
https://www.computerweekly.com/news/366560675/CISA-reveals-how-LockBit-hacked-Boeing-via-Citrix-Bleed