A collaborative effort among key cybersecurity agencies—Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)—has issued a joint Cybersecurity Advisory (CSA) to disseminate critical information concerning the LockBit 3.0 ransomware’s exploitation of the CVE-2023-4966 vulnerability, known as Citrix Bleed. This vulnerability impacts Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.
The advisory provides detailed insights into the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with LockBit 3.0 ransomware, including insights obtained from Boeing, which observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to gain initial access to its environment, specifically Boeing Distribution Inc.’s parts and distribution business.
Notably, LockBit 3.0 ransomware attacks have historically targeted organizations across critical infrastructure sectors such as education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. These attacks exhibit varying TTPs, making detection challenging.
The Citrix Bleed vulnerability exploited by LockBit 3.0 enables threat actors to bypass password requirements and multifactor authentication, facilitating session hijacking of legitimate user sessions on Citrix NetScaler ADC and Gateway appliances. This unauthorized access empowers malicious actors to obtain credentials, move laterally within networks, and access sensitive data.
To mitigate this threat, network administrators are strongly urged to apply the recommended mitigations, including isolating affected NetScaler ADC and Gateway appliances and promptly applying necessary software updates available through the Citrix Knowledge Center.
The advisory further advises network defenders to actively search for potential malicious activity by utilizing the provided detection methods and IOCs. In case of a suspected compromise, organizations are advised to follow incident response recommendations. Additionally, prompt application of available patches is recommended to mitigate the risk of exploitation.
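Because Citrix Bleed lets an attacker ride a legitimate, already-authenticated session, the hijacked requests look fully authenticated and MFA is never re-challenged; hunting therefore leans on behavioural signals such as one session identifier suddenly appearing from a second client address. The following is an added example written for this summary, not code from the advisory or from Citrix: it parses a constructed, simplified session-log format (the field layout is an assumption and does not match real NetScaler log output) and flags sessions reused from more than one source IP within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records for this example only. The "session=/src=/user="
# layout is an assumption, NOT the real NetScaler log format.
SAMPLE_LOGS = """\
2023-11-20T08:00:01Z session=S1 src=203.0.113.10 user=alice
2023-11-20T08:00:45Z session=S1 src=203.0.113.10 user=alice
2023-11-20T08:03:12Z session=S1 src=198.51.100.77 user=alice
2023-11-20T08:04:00Z session=S2 src=203.0.113.22 user=bob
2023-11-20T09:30:00Z session=S2 src=203.0.113.22 user=bob
2023-11-20T08:05:00Z session=S3 src=192.0.2.5 user=carol
2023-11-20T12:05:00Z session=S3 src=192.0.2.99 user=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_logs(text):
    """Turn the constructed log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "sid": m["sid"], "src": m["src"], "user": m["user"]})
    return events


def find_reused_sessions(events, window_seconds=1800):
    """Flag session ids seen from more than one source IP within window_seconds.

    A user legitimately roaming between networks can trip this too, so a hit is
    a hunting lead to investigate, not proof of compromise. Returns a dict
    keyed by session id with the user, the two sources and the gap between
    the first event and the first event from a different source.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if sid in findings:
                break
            for later in evs[i + 1:]:
                gap = int((later["ts"] - first["ts"]).total_seconds())
                if gap > window_seconds:
                    break  # events are sorted, so nothing later can be in-window
                if later["src"] != first["src"]:
                    findings[sid] = {
                        "user": first["user"],
                        "sources": sorted({first["src"], later["src"]}),
                        "gap_seconds": gap,
                    }
                    break
    return findings


if __name__ == "__main__":
    for sid, info in find_reused_sessions(parse_logs(SAMPLE_LOGS)).items():
        print(f"session {sid} ({info['user']}) used from {info['sources']} "
              f"within {info['gap_seconds']} s")
```

In the sample data only S1 is flagged with the default 30-minute window; S3 also changes address but four hours apart, which the window deliberately ignores so that a user who reconnects from home in the afternoon does not drown the queue. Widening the window (for instance when hunting across a known exposure period) surfaces S3 as well.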