LockBit Ransomware Leverages Citrix Bleed Vulnerability for Intrusion

Amid a flurry of threat actors exploiting the critical Citrix NetScaler ADC and Gateway flaw, LockBit ransomware affiliates have aggressively capitalized on the recently disclosed Citrix Bleed vulnerability. The flaw lets attackers bypass password and multifactor authentication (MFA) requirements and hijack legitimate user sessions, as highlighted in a joint warning from major cybersecurity agencies.

A coalition involving the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Cyber Security Center (ACSC) of the Australian Signals Directorate (ASD) issued an advisory emphasizing the severe implications of this exploit by LockBit 3.0 affiliates. By compromising legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances, malicious actors gain elevated access privileges to gather credentials, move laterally, and infiltrate sensitive data repositories.

Designated CVE-2023-4966 with a critical CVSS score of 9.4, Citrix Bleed was recently patched, but it had already been exploited as a zero-day since at least August 2023. The severity of the vulnerability is further underscored by Google-owned Mandiant’s finding that four distinct uncategorized (UNC) groups have leveraged CVE-2023-4966 to target industries across the Americas, EMEA, and APJ regions.

LockBit’s use of the flaw involves exploiting it to execute PowerShell scripts and deploy remote management and monitoring (RMM) tools such as AnyDesk and Splashtop, which facilitate subsequent malicious activity.

This incident underscores that vulnerabilities in internet-exposed services remain a primary entry point for ransomware attacks. Separately, Check Point’s analysis of ransomware targeting Linux reveals a trend toward simplicity: Linux-targeting ransomware relies primarily on the OpenSSL library and on ChaCha20/RSA and AES/RSA encryption schemes.

Security researcher Marc Salinas Fernandez notes that Linux ransomware focuses on medium to large organizations, in contrast with the more generic nature of Windows threats. These Linux-targeting ransomware families strip their core functionality down to basic encryption, relying on external configurations and scripts to stay under the detection radar.

As cyber threats evolve and adapt, it’s evident that cybersecurity strategies must constantly evolve to thwart these sophisticated incursions into sensitive systems and networks.

To mitigate the risk from LockBit ransomware, promptly apply security patches to Citrix NetScaler ADC and Gateway appliances. Implement network segmentation and multifactor authentication (MFA) to restrict unauthorized access. Regularly monitor system logs and network traffic for suspicious activity, and use threat intelligence feeds to detect and respond swiftly to potential threats.