The Citrix Bleed Trail Leads to an Organized LockBit Campaign
Category: Ransomware News | Industry: Global | Source: DoublePulsar
A series of breaches initiated by the LockBit ransomware gang underlines the immediate urgency of patching NetScaler vulnerability CVE-2023-4966, aka Citrix Bleed, to guard against session hijacking exploits. An investigation by security researcher Kevin Beaumont reveals the vulnerability as the common denominator in recent breaches affecting major organizations, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. All of these entities were found to have Citrix instances susceptible to the Citrix Bleed flaw. Thousands of internet-exposed endpoints remain vulnerable, and Beaumont notes that LockBit's data leak listings may not reflect the full scope of impacted entities, as some may still be in negotiation.
A visibility gap in NetScaler's logging makes the vulnerability even more attractive to attackers. As Beaumont explains, the "initial exploitation has no logs at all as Citrix Netscaler/Gateway fails to log the exploit request — a product defect that Citrix really need to own and fix." By installing remote access software such as Atera to maintain access, LockBit affiliates are able to persist even after the hijacked session is terminated, which happens because concurrent connections are not supported. With exploitation of the vulnerability fully worked out, LockBit is also described as running a streamlined operation, with dedicated "strike teams" responsible for escalating privileges, disabling security applications, and deploying the ransomware.
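Because the exploit request itself leaves no log on the appliance, the follow-on activity on endpoints is where defenders can still catch this campaign. The following is an added example, not code from the article or from Beaumont's report: it scans software-install and service-creation events for remote management tools that are not on an approved list. The log format, the keyword list beyond Atera, the approved-tool set and the sample events are all constructed assumptions for illustration; adapt the parser to your EDR or SIEM schema.

```python
"""Flag unapproved remote-access tool installs in endpoint software events.

Added example (not from the original article or Beaumont's report). The log
format, keyword list, approved set and sample events below are constructed.
"""
import re
from dataclasses import dataclass

# Remote management products commonly abused for persistence. Atera is named
# in the article; the other entries are assumptions for this example.
RMM_KEYWORDS = ("atera", "anydesk", "splashtop", "screenconnect", "teamviewer")

# Tools this (hypothetical) organization actually deploys and expects to see.
APPROVED_RMM = {"teamviewer"}

# Constructed single-line event format: ts host= user= event= product="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'event=(?P<event>\S+) product="(?P<product>[^"]*)"'
)

# Events that indicate a tool was put on the box, as opposed to merely used.
INSTALL_EVENTS = {"software_install", "service_create"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    product: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return a Finding if the record is an unapproved RMM install, else None."""
    if rec["event"] not in INSTALL_EVENTS:
        return None
    name = rec["product"].lower()
    hit = next((k for k in RMM_KEYWORDS if k in name), None)
    if hit is None or hit in APPROVED_RMM:
        return None
    return Finding(rec["ts"], rec["host"], rec["user"], rec["product"],
                   f"unapproved remote-access tool '{hit}' installed")


def scan(lines):
    """Run every line through the parser and classifier; skip what does not parse."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: two Atera artefacts on one workstation, an approved
# TeamViewer rollout, an unrelated install, a non-install event and a bad line.
SAMPLE_LOG = [
    '2023-11-12T03:14:07Z host=WS-0412 user=jdoe event=software_install product="Atera Agent"',
    '2023-11-12T03:15:22Z host=WS-0412 user=jdoe event=service_create product="AteraAgent"',
    '2023-11-12T08:01:00Z host=WS-0077 user=it-deploy event=software_install product="TeamViewer Host"',
    '2023-11-12T09:30:11Z host=WS-0199 user=asmith event=software_install product="Microsoft Teams"',
    '2023-11-12T09:31:40Z host=WS-0199 user=asmith event=logon product="AnyDesk"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user}: {f.reason} ({f.product})")
```

Only install-type events are considered, so a product name appearing in a logon or usage event does not raise a finding on its own; that keeps the rule focused on new tooling arriving on a host, which is the persistence step the article describes.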
Beaumont's report illustrates the efficiency and agility with which threat actors execute their attacks and their capability to exploit organizational weaknesses. Those weaknesses are exposed by the attacks themselves: threat actors, who must scope and navigate an environment in order to operate in it, may end up with a better understanding of an organization's network than its own personnel. Asset, patch, and vulnerability management therefore play vital roles in shaping an organization's security posture. As Beaumont emphasizes, "You need to be able to identify and patch something like CitrixBleed within 24 hours — if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose."
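Meeting a 24-hour window requires knowing, per appliance, which release branch it runs and whether its build is at or above the fixed build. The following is an added example, not code from the article or Beaumont's report: it parses NetScaler-style version strings, compares them against a per-branch fixed build, and reports which appliances are still exposed past a patch SLA. The fixed-build values are placeholders (take the real ones from the vendor advisory), and the inventory hosts and timestamps are constructed.

```python
"""Check a NetScaler inventory against fixed builds and a 24-hour patch SLA.

Added example, not from the article. Version strings follow the public
"MAJOR.MINOR-BUILD.SUB" scheme; FIXED_BUILDS holds PLACEHOLDER values, and
the inventory and timestamps below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Parse '13.1-12.34' into a comparable (major, minor, build, sub) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler version: {text!r}")
    return tuple(int(x) for x in m.groups())


# First fixed build per release branch (major, minor). PLACEHOLDER values:
# replace with the builds listed in the vendor advisory for CVE-2023-4966.
FIXED_BUILDS = {
    (13, 1): parse_version("13.1-99.99"),
    (13, 0): parse_version("13.0-99.99"),
}


def patch_status(version):
    """'patched', 'vulnerable', or 'unknown_branch' when the branch is not tracked."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown_branch"   # needs manual review, not silently ignored
    return "patched" if v >= fixed else "vulnerable"


def assess(inventory, advisory_time, now, sla=timedelta(hours=24)):
    """One result per appliance; hours_exposed counts from advisory publication."""
    results = []
    exposed_for = now - advisory_time
    for item in inventory:
        status = patch_status(item["version"])
        unpatched = status != "patched"
        results.append({
            "host": item["host"],
            "version": item["version"],
            "status": status,
            "hours_exposed": exposed_for.total_seconds() / 3600 if unpatched else 0.0,
            "sla_breached": unpatched and exposed_for > sla,
        })
    return results


# Constructed inventory: one at the fixed build, one below it, one above it on
# another branch, and one on a branch this table does not cover.
INVENTORY = [
    {"host": "gw1.example.internal", "version": "13.1-99.99"},
    {"host": "gw2.example.internal", "version": "13.1-10.5"},
    {"host": "gw3.example.internal", "version": "13.0-100.1"},
    {"host": "gw4.example.internal", "version": "12.1-55.0"},
]
# Constructed timestamps: the check runs 30 hours after the advisory.
ADVISORY_TIME = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)
CHECK_TIME = ADVISORY_TIME + timedelta(hours=30)

if __name__ == "__main__":
    for r in assess(INVENTORY, ADVISORY_TIME, CHECK_TIME):
        flag = "SLA BREACH" if r["sla_breached"] else "ok"
        print(f"{r['host']:24} {r['version']:12} {r['status']:15} {flag}")
```

An appliance on a branch the table does not know about is reported as `unknown_branch` and counted against the SLA rather than assumed safe; a version string that does not parse raises instead of being skipped, so inventory data quality problems surface as errors rather than as false "patched" entries.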