CISA issues joint Cybersecurity Advisory on Citrix Bleed.
By Tim Nodar, CyberWire senior staff writer
Nov 21, 2023

Beware of exploitation by both crooks and spies.

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have released a joint Cybersecurity Advisory outlining LockBit 3.0 ransomware affiliates’ exploitation of the Citrix Bleed vulnerability (CVE-2023-4966), which affects Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.

Ongoing exploitation by both criminals and intelligence services.

CISA notes that both cybercriminal and nation-state threat actors are exploiting the vulnerability, for which Citrix released a patch in October.

The advisory states, “Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

Recent Citrix Bleed exploitation in ransomware attacks.

Citrix issued patches for the flaw on October 10th, although it had been exploited as a zero-day beforehand. Threat actors continued to exploit the Citrix Bleed vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway, SecurityWeek reported. TechCrunch said the vulnerability has been used in attacks against Boeing, the Industrial and Commercial Bank of China, DP World Logistics, and law firm Allen & Overy, all of which were hit by the LockBit ransomware. SecurityWeek notes that the flaw may have also been exploited in a MedusaLocker attack against Toyota Financial Services Europe & Africa last week.

Some three hundred potentially vulnerable organizations notified.

In a media briefing on Tuesday, CISA Executive Assistant Director Eric Goldstein said the agency had notified nearly three hundred organizations that were potentially vulnerable to Citrix Bleed. Goldstein added that Boeing’s cooperation was “an extraordinary example” of private sector collaboration with government partners. Boeing provided CISA with extensive technical information about a LockBit incident that affected its subsidiary, Boeing Distribution Inc.