LockBit’s use of Citrix vulnerability to breach Boeing and other targets – Help Net Security


A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, CVE-2023-4966 (dubbed "Citrix Bleed"), has been exploited by LockBit 3.0 affiliates to breach Boeing's parts and distribution business, and other trusted third parties have reported similar activity against their own organizations. Cybersecurity and law enforcement officials confirmed this in a joint advisory released on Tuesday.

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC) have shared details on the tactics, techniques, and procedures used by LockBit affiliates, including indicators of compromise (IoCs) gathered from Boeing and other sources.

Citrix published a fix for Citrix Bleed in early October 2023, but mass exploitation began towards the end of the month, and it later emerged that the flaw had been exploited as a zero-day since August 2023. The bug is a memory over-read in the appliance's web front end: an unauthenticated attacker can pull session tokens out of memory and replay them, hijacking an already-authenticated session and thereby bypassing both password and multi-factor authentication on vulnerable NetScaler application delivery controller (ADC) and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Because tokens stolen before the upgrade remain valid afterwards, patching alone does not evict an attacker who already holds one; active and persistent sessions must be terminated as well.
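As an added example (written for this page, not taken from the article, the CISA advisory or Citrix), the following Python checker decides whether a NetScaler ADC / Gateway build string is at or above the first build that shipped the CVE-2023-4966 fix. The fixed builds per release train come from Citrix's security bulletin CTX579459; the hostnames in the sample inventory are constructed, and the `triage` helper and its status strings are this example's own conventions, not anything from Citrix.

```python
import re

# First fixed build per release train for CVE-2023-4966, from Citrix bulletin CTX579459.
# Key: (release train, variant). Variant "" is the standard build.
# Trains absent from this table (e.g. standard 12.1, which is end-of-life) have no fix.
FIXED_BUILDS = {
    ("14.1", ""):      (8, 50),
    ("13.1", ""):      (49, 15),
    ("13.0", ""):      (92, 19),
    ("13.1", "FIPS"):  (37, 164),
    ("12.1", "FIPS"):  (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Accepts the bulletin style "13.1-49.15" and the `show version` style
# "NS13.1: Build 49.15.nc" (the trailing ".nc" is ignored).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<train>\d+\.\d+)(?:-|:\s*Build\s+)(?P<build>\d+)\.(?P<sub>\d+)",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (train, (build, sub)) for a NetScaler version string, e.g. ("13.1", (49, 15))."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group("train"), (int(m.group("build")), int(m.group("sub")))


def check_cve_2023_4966(text, variant=""):
    """Classify one appliance as "patched", "vulnerable" or "no-fix-for-train".

    Build numbers are compared as integer tuples, not strings: build 49.8 is
    OLDER than 49.15, which a naive string comparison would get backwards.
    """
    train, build = parse_version(text)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return "no-fix-for-train"   # EOL train: upgrade to a supported release
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Run the check over (host, version, variant) tuples; unparsable entries are flagged, not skipped."""
    rows = []
    for host, version, variant in inventory:
        try:
            status = check_cve_2023_4966(version, variant)
        except ValueError:
            status = "unparsed"
        rows.append({"host": host, "version": version, "status": status})
    return rows


# Constructed sample inventory (hostnames and assignments are made up for this example).
INVENTORY = [
    ("gw-01.example.test",   "NS13.1: Build 49.15.nc", ""),      # show-version style, patched
    ("gw-02.example.test",   "13.1-48.47",             ""),      # older 13.1 build, vulnerable
    ("gw-03.example.test",   "12.1-65.25",             ""),      # standard 12.1 is EOL, no fix
    ("gw-fips.example.test", "13.1-37.176",            "FIPS"),  # FIPS train, patched
    ("gw-04.example.test",   "unknown",                ""),      # inventory gap, flagged
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['host']:<24} {row['version']:<26} {row['status']}")
```

A "patched" result only says the build is no longer leaking tokens. Per Citrix's post-upgrade guidance, sessions that were hijacked before the upgrade must still be terminated on the appliance (for example with `kill icaconnection -all` and `kill aaa session -all`), and any appliance that was exposed while vulnerable should be hunted for the IoCs in the advisory rather than assumed clean.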

LockBit affiliates exploit the flaw to hijack a valid session, then convert that temporary access into persistence by deploying remote access tools on the compromised systems. From that foothold they acquire elevated permissions and carry out credential theft, lateral movement, data exfiltration, and ransomware deployment.

The advisory shared by the authorities contains a wealth of IoCs that organizations can use to identify if they have been targeted by LockBit. It also provides guidance for threat hunters and advises on incident response best practices.

Various threat actors, including other ransomware gangs, are exploiting Citrix Bleed. LockBit affiliates have targeted high-profile organizations such as Boeing, the law firm Allen & Overy, the Industrial and Commercial Bank of China (ICBC), and the Australian operations of port operator DP World. Security researcher Kevin Beaumont emphasized the importance of promptly identifying and patching vulnerabilities like Citrix Bleed to mitigate the risk of such attacks.

Organizations are advised to understand the exposure created by the products on their network perimeter and the risk each one poses when a flaw is disclosed. If a vulnerability like Citrix Bleed cannot be patched within 24 hours, that is a sign the product may not fit the organization's security architecture, and the organization should reassess its security posture and consider alternative solutions.

Article Source
https://www.helpnetsecurity.com/2023/11/22/lockbit-citrix-bleed/