Cybersecurity agencies have sounded alarm bells about active exploitation of a critical vulnerability in Citrix NetScaler application delivery controllers (ADCs) and NetScaler Gateway appliances. The flaw, tracked as CVE-2023-4966 and dubbed "Citrix Bleed", is being leveraged by affiliates of the LockBit ransomware gang to compromise organizations across sectors.
The Vulnerability (CVE-2023-4966)
CVE-2023-4966 is a sensitive information disclosure (buffer over-read) bug in NetScaler ADC and NetScaler Gateway appliances that are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is exactly the externally exposed authentication surface of the appliance. An unauthenticated attacker who sends a specially crafted HTTP GET request with an oversized Host header receives a slice of appliance memory in the response, and that memory can contain valid session tokens for users who are currently logged in. Replaying a stolen token lets the attacker take over that authenticated session without knowing the user's password and without completing MFA, because the MFA check already happened when the legitimate user logged in. Patching closes the leak but does not invalidate tokens that were already leaked, so sessions that were active before the upgrade remain usable by an attacker until they are terminated.
Once inside, attackers operate as the hijacked user: they can weaken security settings, harvest passwords and tokens, and move laterally across the network. That access is enough to deploy ransomware, exfiltrate sensitive data, and plant covert backdoors. Because a hijacked session looks like a legitimate authenticated user, with no failed logins and no new credential issuance, intrusions that begin with Citrix Bleed are hard to spot with the usual authentication-based alerts.
Software Versions Affected
The vulnerability impacts the following Citrix software versions:
| Software | Affected Versions |
|---|---|
| NetScaler ADC and NetScaler Gateway | 14.1 before 14.1-8.50 |
| NetScaler ADC and NetScaler Gateway | 13.1 before 13.1-49.15 |
| NetScaler ADC and NetScaler Gateway | 13.0 before 13.0-92.19 |
| NetScaler ADC and NetScaler Gateway | 12.1 (end of life, no fix; upgrade to a supported release) |
| NetScaler ADC | 13.1-FIPS before 13.1-37.163 |
| NetScaler ADC | 12.1-FIPS before 12.1-55.300 |
| NetScaler ADC | 12.1-NDcPP before 12.1-55.300 |
Active Threat Campaigns
LockBit 3.0 affiliates are exploiting Citrix Bleed as an initial access vector in recent ransomware attacks, then using the hijacked sessions to pivot across victim networks and establish persistence. Multiple confirmed incidents follow this pattern.
One high-profile victim was aerospace giant Boeing, which suffered a disruptive breach attributed to exploitation of Citrix Bleed. LockBit deployed ransomware across parts of Boeing's network and exfiltrated data, including employee personal information.
Activity on cybercrime forums has also increased, with users sharing proof-of-concept code for exploiting the vulnerability, which lowers the bar for less capable actors to follow LockBit's lead.
Hunting & Detection Guidance
The following checks can help identify exploitation of CVE-2023-4966 and follow-on LockBit activity:
- Search for filenames containing the string tf0gYx2YI, which the advisory lists as an indicator of files encrypted by LockBit in these campaigns
- LockBit actors were observed staging and executing files from C:\Temp; review that directory for unexpected executables and scripts
- In WAF or reverse-proxy logs, investigate requests to the NetScaler OpenID configuration endpoint (/oauth/idp/.well-known/openid-configuration), in particular any request carrying an abnormally large Host header
- In NetScaler AAA and VPN session logs, hunt for suspicious login patterns: the same session ID used from more than one client IP or user agent, and logins from unexpected addresses, geographies or hosting providers
- Hunt for suspicious Virtual Desktop Agent (VDA) Windows Registry keys on hosts reached through the gateway
- Analyze memory core dump files from the appliance for evidence of the leak
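The WAF and NetScaler-log hunts above can be combined into one correlation rule: an oversized-Host probe against the OpenID configuration endpoint, followed by an existing session being used from the probing IP, is a strong session-hijack signal. The Python below is an added example written for this page, not code from the advisory or from Citrix. Both log formats are simplified and constructed for illustration (real WAF access logs and NetScaler ns.log lines differ, so the regexes must be adapted), and the field names, the 1024-byte Host threshold and the sample addresses are assumptions.

```python
"""Correlate oversized-Host probes with session reuse from a new IP (CVE-2023-4966 hunt).

Constructed sample data; the log layouts are assumed, not real NetScaler/WAF formats.
"""
import re
from collections import defaultdict

# Endpoint abused by Citrix Bleed exploitation.
VULN_PATH = "/oauth/idp/.well-known/openid-configuration"

# Constructed WAF/reverse-proxy access log. Assumed layout:
# "<ts> <client_ip> <method> <path> host_len=<bytes> status=<code>"
WAF_LOG = """\
2023-11-20T10:00:01Z 203.0.113.7 GET /oauth/idp/.well-known/openid-configuration host_len=26 status=200
2023-11-20T10:00:05Z 198.51.100.23 GET /oauth/idp/.well-known/openid-configuration host_len=24812 status=200
2023-11-20T10:00:06Z 198.51.100.23 GET /oauth/idp/.well-known/openid-configuration host_len=24812 status=200
2023-11-20T10:01:00Z 203.0.113.7 GET /logon/LogonPoint/index.html host_len=26 status=200
"""

# Constructed, simplified AAA/VPN session log. Assumed layout:
# "<ts> SSLVPN <event> user=<u> client_ip=<ip> session=<id>"
SESSION_LOG = """\
2023-11-20T09:55:00Z SSLVPN LOGIN user=alice client_ip=203.0.113.7 session=4f1c9b2a
2023-11-20T10:00:30Z SSLVPN LOGIN user=bob client_ip=203.0.113.9 session=7d3e0aa1
2023-11-20T10:02:10Z SSLVPN REQUEST user=alice client_ip=198.51.100.23 session=4f1c9b2a
2023-11-20T10:05:00Z SSLVPN REQUEST user=bob client_ip=203.0.113.9 session=7d3e0aa1
"""

WAF_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"host_len=(?P<host_len>\d+) status=(?P<status>\d+)$"
)
SESSION_RE = re.compile(
    r"^(?P<ts>\S+) SSLVPN (?P<event>\S+) user=(?P<user>\S+) "
    r"client_ip=(?P<ip>\S+) session=(?P<session>\S+)$"
)


def find_oversized_probes(log_text, threshold=1024):
    """Return (timestamp, client_ip, host_len) for every request to the
    vulnerable endpoint whose Host header exceeds `threshold` bytes.
    A legitimate Host header is a hostname, so anything in the kilobytes is suspect."""
    hits = []
    for line in log_text.splitlines():
        m = WAF_RE.match(line)
        if m and m["path"] == VULN_PATH and int(m["host_len"]) > threshold:
            hits.append((m["ts"], m["ip"], int(m["host_len"])))
    return hits


def find_sessions_with_multiple_ips(log_text):
    """Map session id -> (user, set of client IPs) for sessions seen from more
    than one IP. A token replayed by an attacker shows up as a second IP on an
    existing session, with no new LOGIN event for it."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        ips_by_session[m["session"]].add(m["ip"])
        user_by_session.setdefault(m["session"], m["user"])
    return {
        sid: (user_by_session[sid], ips)
        for sid, ips in ips_by_session.items()
        if len(ips) > 1
    }


def correlate(probes, suspicious_sessions):
    """Sessions that were used from an IP which also sent an oversized-Host probe.
    Each finding names the session, its original user and the overlapping IPs."""
    probe_ips = {ip for _, ip, _ in probes}
    findings = []
    for sid, (user, ips) in sorted(suspicious_sessions.items()):
        overlap = sorted(ips & probe_ips)
        if overlap:
            findings.append({"session": sid, "user": user, "probe_ips": overlap})
    return findings


if __name__ == "__main__":
    probes = find_oversized_probes(WAF_LOG)
    shared = find_sessions_with_multiple_ips(SESSION_LOG)
    for finding in correlate(probes, shared):
        print(f"possible hijack of session {finding['session']} "
              f"(user {finding['user']}) from {', '.join(finding['probe_ips'])}")
```

Each half of the rule is useful on its own: the session-reuse check still fires when the WAF did not log the probe, and the oversized-Host check still fires when the attacker has not yet replayed a token. Sessions that match should be terminated on the appliance and the affected users' credentials treated as exposed.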
Mitigation Recommendations
To reduce risk from Citrix Bleed and LockBit, the agencies advise organizations to take the following countermeasures:
- Isolate NetScaler ADC and Gateway appliances until vendor patches can be tested and deployed; after upgrading, terminate all active and persistent sessions, because already-leaked tokens stay valid on a patched appliance (on the NetScaler CLI: kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all, clear lb persistentSessions)
- Secure remote access tools by allowlisting approved software, so unsanctioned remote-management agents cannot be dropped by an intruder
- Limit use of RDP and other remote desktop services to the hosts and accounts that need them
- Restrict PowerShell usage and enable enhanced logging (script block and module logging) so post-exploitation activity is recorded
- Keep all systems and software updated
- Test incident response plans, including the procedures for restoring data and systems from backups
For more information on CVE-2023-4966, see the joint CISA advisory AA23-325A and Citrix security bulletin CTX579459.
Your Next Steps with BlackFog
One of the most concerning cyberthreats today is data theft followed by a demand for ransom. It is crucial to have endpoint security monitoring every device on your network, watching outbound traffic for suspicious attempts to exfiltrate data.
Anti Data Exfiltration (ADX) tools work in the background constantly, providing 24/7 automated protection. This preventative approach blocks unusual data transfers before sensitive information leaves the network, stopping exfiltration and extortion attempts at an early stage.
Best of all, these tools automatically disrupt problematic activity with few false alarms, eliminating the need for time-consuming data analysis afterwards. With ADX guarding the gates, you can be confident that even if an intruder finds their way into your network, they will be unable to remove the data, mitigating the risk of breaches and extortion. Schedule a free ransomware assessment with BlackFog and find out how we can assist you.