LockBit Affiliates Target Citrix Bleed Vulnerability (CVE-2023-4966) - A Critical Security Threat
By |Published On: March 7th, 2024|4 min read|Categories: Exploits, Ransomware|

Cybersecurity agencies have sounded alarm bells about active exploitation of a critical vulnerability in Citrix application delivery controllers (ADCs) and gateways. This flaw, tracked as CVE-2023-4966 and dubbed “Citrix Bleed” is being leveraged by affiliates of the LockBit ransomware gang to compromise organizations across sectors.

The Vulnerability (CVE-2023-4966)

CVE-2023-4966 stems from a session management issue in the web-based management interface used to configure Citrix NetScaler ADCs and gateways. By sending specially crafted HTTP requests, attackers can indefinitely reset the login timeout timer. This allows them to keep sessions open without credentials, enabling them to bypass single-factor and multi-factor authentication.

With their foothold established, cybercriminals can disable security settings, extract passwords and tokens, and move laterally across networks. This grants optimal access for deploying ransomware, exfiltrating sensitive data, and planting covert backdoors. The deep system-level access from the Citrix Bleed exploit facilitates sophisticated and difficult-to-detect intrusions.

Software Versions Affected

The vulnerability impacts the following Citrix software versions:

Software Affected Versions
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC and NetScaler Gateway Version 12.1 (EOL)
NetScaler ADC 13.1FIPS before 13.1-37.163
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

Active Threat Campaigns

Boeing Citrix Bleed Exploitation

LockBit operators are exploiting Citrix Bleed to establish persistence and pivot across networks during recent ransomware attacks. Multiple confirmed incidents involve LockBit affiliates leveraging this vulnerability as an initial access vector and privilege escalation method.

One high-profile target was aerospace giant Boeing, which suffered a disruptive breach attributed to the exploitation of Citrix Bleed. LockBit deployed ransomware across parts of Boeing’s network and exfiltrated employee personal data.

In addition to this, we have seen heightened activity taking place on forums associated with cybercrime and networks, with users sharing proof of concepts on how to exploit the vulnerability.

Citrix Bleed CVE 2023 4966

Citrix Bleed CVE 2023 4966

A redacted proof of concept being shared on a cybercrime forum for CVE-2023-4966

Hunting & Detection Guidance

The following can help identify potential exploitation of CVE-2023-4966 and LockBit activity:

  1. Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files
  2. LockBit actors were seen using the C:\Temp directory for loading and the execution of files
  3. Investigate requests to the HTTP/S endpoint from WAF
  4. Hunt for suspicious login patterns from NetScaler logs
  5. Hunt for suspicious virtual desktop agent Windows Registry keys
  6. Analyze memory core dump files

Mitigation Recommendations

To reduce risk from Citrix Bleed and LockBit, agencies advise organizations to take the following countermeasures:

  1. Isolate NetScaler devices until vendor patches can be tested and deployed
  2. Secure remote access tools by allowlisting approved software
  3. Limit use of RDP and remote desktops
  4. Restrict PowerShell usage and enable enhanced logging
  5. Keep all systems and software updated
  6. Test incident response plans for restoring data and systems

For more information regarding CVE-2023-4966, read the official advisory located here.

Your Next Steps with BlackFog

One of the most concerning cyberthreats today is data theft followed by a demand for ransom. It is crucial to have endpoint security monitoring every device on your network. This security closely monitors outbound traffic for any suspicious attempts to exfiltrate data.

Anti Data Exfiltration (ADX) tools, in particular, work in the background constantly, providing 24/7 automated protection. This preventative approach blocks any unusual data transfers before sensitive information is taken. This helps prevent exfiltration and extortion attempts at an early stage.

Best of all, these tools automatically disrupt problematic activities with few false alarms. This eliminates the need for time-consuming data analysis afterwards. With ADX guarding the gates, you can feel secure knowing that even if an intruder finds their way in to your network, they will unable to remove the data, therefore mitigating the risk of breaches and extortion. Schedule a free ransomware assessment with BlackFog and find out how we can assist you.

Share This Story, Choose Your Platform!

Related Posts

  • BlackFog V5

BlackFog unveils AI based anti data exfiltration (ADX) platform for ransomware and data loss prevention

November 12th, 2024|

BlackFog unveils the latest version of its AI based anti data exfiltration (ADX) platform for even more powerful ransomware and data loss prevention. Version 5 introduces new features including air gap protection, real-time geofencing, and baseline activity monitoring to ensure the highest level of cybersecurity protection.

Data Exfiltration Detection: Best Practices and Tools

November 1st, 2024|

Data exfiltration, a tactic used in 93% of ransomware attacks, can lead to severe consequences including financial losses, reputational damage, and loss of customer trust. To mitigate these risks, organizations must implement effective detection strategies and technologies.