Cybersecurity agencies have sounded alarm bells about active exploitation of a critical vulnerability in Citrix application delivery controllers (ADCs) and gateways. This flaw, tracked as CVE-2023-4966 and dubbed “Citrix Bleed” is being leveraged by affiliates of the LockBit ransomware gang to compromise organizations across sectors.
The Vulnerability (CVE-2023-4966)
CVE-2023-4966 stems from a session management issue in the web-based management interface used to configure Citrix NetScaler ADCs and gateways. By sending specially crafted HTTP requests, attackers can indefinitely reset the login timeout timer. This allows them to keep sessions open without credentials, enabling them to bypass single-factor and multi-factor authentication.
With their foothold established, cybercriminals can disable security settings, extract passwords and tokens, and move laterally across networks. This grants optimal access for deploying ransomware, exfiltrating sensitive data, and planting covert backdoors. The deep system-level access from the Citrix Bleed exploit facilitates sophisticated and difficult-to-detect intrusions.
Software Versions Affected
The vulnerability impacts the following Citrix software versions:
Software | Affected Versions |
---|---|
NetScaler ADC and NetScaler Gateway | 14.1 before 14.1-8.50 |
NetScaler ADC and NetScaler Gateway | 13.1 before 13.1-49.15 |
NetScaler ADC and NetScaler Gateway | 13.0 before 13.0-92.19 |
NetScaler ADC and NetScaler Gateway | Version 12.1 (EOL) |
NetScaler ADC | 13.1FIPS before 13.1-37.163 |
NetScaler ADC | 12.1-FIPS before 12.1-55.300 |
NetScaler ADC | 12.1-NDcPP before 12.1-55.300 |
Active Threat Campaigns
LockBit operators are exploiting Citrix Bleed to establish persistence and pivot across networks during recent ransomware attacks. Multiple confirmed incidents involve LockBit affiliates leveraging this vulnerability as an initial access vector and privilege escalation method.
One high-profile target was aerospace giant Boeing, which suffered a disruptive breach attributed to the exploitation of Citrix Bleed. LockBit deployed ransomware across parts of Boeing’s network and exfiltrated employee personal data.
In addition to this, we have seen heightened activity taking place on forums associated with cybercrime and networks, with users sharing proof of concepts on how to exploit the vulnerability.
Hunting & Detection Guidance
The following can help identify potential exploitation of CVE-2023-4966 and LockBit activity:
- Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files
- LockBit actors were seen using the C:\Temp directory for loading and the execution of files
- Investigate requests to the HTTP/S endpoint from WAF
- Hunt for suspicious login patterns from NetScaler logs
- Hunt for suspicious virtual desktop agent Windows Registry keys
- Analyze memory core dump files
Mitigation Recommendations
To reduce risk from Citrix Bleed and LockBit, agencies advise organizations to take the following countermeasures:
- Isolate NetScaler devices until vendor patches can be tested and deployed
- Secure remote access tools by allowlisting approved software
- Limit use of RDP and remote desktops
- Restrict PowerShell usage and enable enhanced logging
- Keep all systems and software updated
- Test incident response plans for restoring data and systems
For more information regarding CVE-2023-4966, read the official advisory located here.
Your Next Steps with BlackFog
One of the most concerning cyberthreats today is data theft followed by a demand for ransom. It is crucial to have endpoint security monitoring every device on your network. This security closely monitors outbound traffic for any suspicious attempts to exfiltrate data.
Anti Data Exfiltration (ADX) tools, in particular, work in the background constantly, providing 24/7 automated protection. This preventative approach blocks any unusual data transfers before sensitive information is taken. This helps prevent exfiltration and extortion attempts at an early stage.
Best of all, these tools automatically disrupt problematic activities with few false alarms. This eliminates the need for time-consuming data analysis afterwards. With ADX guarding the gates, you can feel secure knowing that even if an intruder finds their way in to your network, they will unable to remove the data, therefore mitigating the risk of breaches and extortion. Schedule a free ransomware assessment with BlackFog and find out how we can assist you.
Related Posts
Manufacturing Industry Faces Surge in Ransomware Attacks in 2024
Ransomware attacks on the manufacturing industry are rising, with notable cases at MKS Instruments, Brunswick Corporation, Simpson Manufacturing, and The Clorox Company. Learn about the financial and operational impacts and why manufacturers are prime targets for cybercriminals.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Enterprise Ransomware Protection: Why it Matters
Why must enterprise ransomware protection be a critical component of any firm's cyber security strategy?
TAG Blog Series 1 – How ADX Supports and Implements Policy
Implementing Anti Data Exfiltration (ADX) solutions is critical for enterprise security. This article provides guidance on establishing effective ADX deployment policies, with a focus on aligning them with business objectives and threat perceptions. Highlighting BlackFog's ADX solution, it explores proactive strategies to prevent data exfiltration, offering valuable insights for practitioners aiming to enhance their security posture.
5 Steps to Ensure Your Enterprise Data Security
Why do enterprise data security strategies need to evolve to cope with a new range of threats?
Ransomware Recovery: Key Steps Every Firm Should Know
What should businesses keep in mind in order to develop an effective ransomware recovery plan?