LockBit 3.0 Ransomware Exploit Targets Citrix NetScaler Appliances

In a recent joint Cybersecurity Advisory (CSA) issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Australian Cyber Security Centre (ACSC), a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, known as CVE-2023-4966, has been identified as a potential target for LockBit 3.0 ransomware attacks. This vulnerability, also known as Citrix Bleed, allows threat actors to bypass password requirements and multifactor authentication (MFA), enabling them to hijack legitimate user sessions and gain unauthorized access to sensitive data.

LockBit 3.0, an advanced ransomware, has been exploiting a critical vulnerability dubbed “Citrix Bleed” (CVE-2023-4966), affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. This vulnerability allows threat actors to bypass password requirements and multifactor authentication (MFA), facilitating unauthorized access to sensitive systems.

A notable victim of this campaign is Boeing Distribution Inc., a subsidiary of the aerospace giant, Boeing. They observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to infiltrate their network, setting a precedent for the severity of this threat.

Citrix Bleed allows malicious actors to hijack legitimate user sessions on the compromised appliances. By doing so, they gain elevated permissions, which can be used to harvest credentials, access sensitive data, and move laterally within the network.

The exploitation process involves using crafted HTTP GET requests to extract system memory information from vulnerable appliances. This information often contains valid NetScaler AAA session cookies, which are then used to establish an authenticated session without the need for credentials or MFA tokens.

Citrix disclosed CVE-2023-4966 in October 2023, offering guidance and detailing affected products. In response to the widespread nature of this exploit, CISA added it to the Known Exploited Vulnerabilities (KEVs) Catalog. Affected software versions include several iterations of NetScaler ADC and NetScaler Gateway, with some versions reaching end-of-life status and thus no longer receiving updates.

The advisory strongly encourages network administrators to isolate affected appliances and apply software updates available through the Citrix Knowledge Center. Additionally, network defenders are advised to actively hunt for malicious activity using detection methods and IOCs provided in the CSA.

In instances where a potential compromise is detected, immediate application of the recommended incident response strategies is crucial. For networks yet to be compromised, prompt application of available patches is recommended to prevent exploitation.