![LockBit Affiliates Target Citrix Bleed Vulnerability (CVE-2023-4966) – A Critical Security Threat LockBit Affiliates Target Citrix Bleed Vulnerability (CVE-2023-4966) - A Critical Security Threat](https://privacy.blackfog.com/wp-content/uploads/2024/01/BF-Blog_Lockbit-Citrix-Bleed_featured-image.png)
Cybersecurity agencies have sounded alarm bells about active exploitation of a critical vulnerability in Citrix application delivery controllers (ADCs) and gateways. This flaw, tracked as CVE-2023-4966 and dubbed “Citrix Bleed” is being leveraged by affiliates of the LockBit ransomware gang to compromise organizations across sectors.
The Vulnerability (CVE-2023-4966)
CVE-2023-4966 stems from a session management issue in the web-based management interface used to configure Citrix NetScaler ADCs and gateways. By sending specially crafted HTTP requests, attackers can indefinitely reset the login timeout timer. This allows them to keep sessions open without credentials, enabling them to bypass single-factor and multi-factor authentication.
With their foothold established, cybercriminals can disable security settings, extract passwords and tokens, and move laterally across networks. This grants optimal access for deploying ransomware, exfiltrating sensitive data, and planting covert backdoors. The deep system-level access from the Citrix Bleed exploit facilitates sophisticated and difficult-to-detect intrusions.
Software Versions Affected
The vulnerability impacts the following Citrix software versions:
Software | Affected Versions |
---|---|
NetScaler ADC and NetScaler Gateway | 14.1 before 14.1-8.50 |
NetScaler ADC and NetScaler Gateway | 13.1 before 13.1-49.15 |
NetScaler ADC and NetScaler Gateway | 13.0 before 13.0-92.19 |
NetScaler ADC and NetScaler Gateway | Version 12.1 (EOL) |
NetScaler ADC | 13.1FIPS before 13.1-37.163 |
NetScaler ADC | 12.1-FIPS before 12.1-55.300 |
NetScaler ADC | 12.1-NDcPP before 12.1-55.300 |
Active Threat Campaigns
![Boeing Citrix Bleed Exploitation Boeing Citrix Bleed Exploitation](https://privacy.blackfog.com/wp-content/uploads/2024/01/BF-Blog_Lockbit-Citrix-Bleed_Mid-Banner.png)
LockBit operators are exploiting Citrix Bleed to establish persistence and pivot across networks during recent ransomware attacks. Multiple confirmed incidents involve LockBit affiliates leveraging this vulnerability as an initial access vector and privilege escalation method.
One high-profile target was aerospace giant Boeing, which suffered a disruptive breach attributed to the exploitation of Citrix Bleed. LockBit deployed ransomware across parts of Boeing’s network and exfiltrated employee personal data.
In addition to this, we have seen heightened activity taking place on forums associated with cybercrime and networks, with users sharing proof of concepts on how to exploit the vulnerability.
![Citrix Bleed CVE 2023 4966 Citrix Bleed CVE 2023 4966](https://privacy.blackfog.com/wp-content/uploads/2024/01/cve-2023-4966.png)
Citrix Bleed CVE 2023 4966
A redacted proof of concept being shared on a cybercrime forum for CVE-2023-4966
Hunting & Detection Guidance
The following can help identify potential exploitation of CVE-2023-4966 and LockBit activity:
- Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files
- LockBit actors were seen using the C:\Temp directory for loading and the execution of files
- Investigate requests to the HTTP/S endpoint from WAF
- Hunt for suspicious login patterns from NetScaler logs
- Hunt for suspicious virtual desktop agent Windows Registry keys
- Analyze memory core dump files
Mitigation Recommendations
To reduce risk from Citrix Bleed and LockBit, agencies advise organizations to take the following countermeasures:
- Isolate NetScaler devices until vendor patches can be tested and deployed
- Secure remote access tools by allowlisting approved software
- Limit use of RDP and remote desktops
- Restrict PowerShell usage and enable enhanced logging
- Keep all systems and software updated
- Test incident response plans for restoring data and systems
For more information regarding CVE-2023-4966, read the official advisory located here.
Your Next Steps with BlackFog
One of the most concerning cyberthreats today is data theft followed by a demand for ransom. It is crucial to have endpoint security monitoring every device on your network. This security closely monitors outbound traffic for any suspicious attempts to exfiltrate data.
Anti Data Exfiltration (ADX) tools, in particular, work in the background constantly, providing 24/7 automated protection. This preventative approach blocks any unusual data transfers before sensitive information is taken. This helps prevent exfiltration and extortion attempts at an early stage.
Best of all, these tools automatically disrupt problematic activities with few false alarms. This eliminates the need for time-consuming data analysis afterwards. With ADX guarding the gates, you can feel secure knowing that even if an intruder finds their way in to your network, they will unable to remove the data, therefore mitigating the risk of breaches and extortion. Schedule a free ransomware assessment with BlackFog and find out how we can assist you.
Related Posts
BlackFog Strengthens Leadership Team with Strategic Appointments
BlackFog strengthens leadership and the next stage of growth with Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales.
The CrowdStrike Incident: A Global IT Meltdown
Discover how the recent CrowdStrike incident caused a global IT meltdown, affecting thousands of businesses. Learn about the event timeline, its impact, and how BlackFog's advanced practices can help prevent such risks. Stay informed and protect your business from future cybersecurity threats.
6 Essential Ransomware Prevention Steps Every Firm Must Take in 2024
What essential ransomware prevention steps must businesses take as the scale of this threat continues to rise?
Data Protection vs Data Security: The key Differences to Know
Are you aware of the difference between data protection and data security? Here's what you know to keep your data safe.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Understanding Data Privacy and Security: How do they Relate?
Data privacy and security are critical topics for any business to focus on in today's environment. The rising costs of cyberattacks and other threats mean a clear strategy for safeguarding sensitive data is more important than ever before.