Worries escalate as nation states and criminal groups launch exploits targeting CitrixBleed

Criminal threat groups and nation-state actors have been exploiting a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned. The vulnerability, known as CitrixBleed, has been used by LockBit 3.0 affiliates to gain access to Boeing’s parts and distribution unit for a ransomware attack.

CISA has been working through its Ransomware vulnerability warning program to notify nearly 300 organizations about their vulnerable instances of the devices and the need to take mitigation steps. Eric Goldstein, from CISA’s cybersecurity team, spoke in a conference call with reporters about the importance of addressing these vulnerabilities before being attacked.

The attack on Boeing is just one of many instances of exploitation activity since the vulnerability was revealed this summer. Citrix released a patch for the vulnerability, but Mandiant researchers have seen exploitation as early as August. This has led to warnings to Citrix customers to delete old sessions to prevent further access by threat groups.

The recent wave of ransomware attacks tied to CitrixBleed has been described as opportunistic by Charles Carmakal, the CTO of Mandiant Consulting. Hackers are able to bypass passwords and multi-factor authentication to hijack legitimate user sessions using CitrixBleed. Federal authorities have provided a detailed analysis of the exploitation techniques used in these attacks, noting an attempt by threat groups to target smaller organizations and local government entities.

Citrix has advised NetScaler customers to upgrade to the latest versions and implement recommended mitigation measures, such as reviewing security logs. Security researcher Kevin Beaumont has linked CitrixBleed to several recent major attacks and warns that some retailers may still be unprotected as Black Friday approaches. CISA and the FBI issued the advisory in collaboration with the Australian Signals Directorate’s Multi-State Information Sharing and Analysis Center and the Australian Cyber Security Centre.

Article Source
https://www.cybersecuritydive.com/news/cisa-fbi-threat-groups-citrixbleed/700607/