Several government agencies and cybersecurity organizations have raised the alarm in response to multiple threat actor groups exploiting Citrix Bleed, a vulnerability affecting Citrix’s NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.
On November 21, the #StopRansomware coalition issued a joint advisory warning organizations about ongoing exploitation of the vulnerability by affiliates of the LockBit 3.0 ransomware group.
The coalition includes the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Australian Cyber Security Centre (ACSC).
The joint advisory describes the vulnerability, the tactics, techniques, and procedures (TTPs) used by the threat actors, and indicators of compromise (IOCs) that any organization which may have been targeted should investigate.
The #StopRansomware coalition also shared a technical report summarizing CISA’s initial analysis of Citrix Bleed.
“If compromise is detected, the authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs provided within the CSA and apply the incident response recommendations. Additionally, immediate application of publicly available patches is also recommended,” the joint advisory said.
What is Citrix Bleed?
Citrix Bleed, or CitrixBleed (CVE-2023-4966), is a critical sensitive-information-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, with exploitation activity identified as early as August 2023. Because the leaked memory can contain a valid session token, the vulnerability lets threat actors bypass multifactor authentication (MFA) and hijack legitimate user sessions.
Citrix publicly disclosed the vulnerability on October 10, 2023, within the Citrix Security Bulletin, which issued guidance and detailed the affected products, IOCs, and recommendations.
Based on widely available public exploits and evidence of active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability affects the following versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC and NetScaler Gateway version 12.1 (end-of-life; no fixed build is available, so upgrading to a supported release is the only remediation)
- NetScaler ADC 13.1FIPS before 13.1-37.163
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
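Because NetScaler builds are numbered as `<release>-<build>.<revision>`, a plain string comparison gets the answer wrong (for example, `13.1-100.1` sorts before `13.1-49.15` as text but is newer). The following checker is an added example, not Citrix’s or CISA’s code. It encodes the fixed builds from the list above and treats the non-FIPS 12.1 train as always vulnerable, since it is end-of-life. The `NS13.1: Build 49.13.nc` input form is an assumption about the typical output of `show ns version` on an appliance; the `13.1-49.13` form is the notation used in the bulletin.

```python
import re

# Added example, not Citrix's or CISA's code. Fixed builds per the Citrix bulletin
# for CVE-2023-4966, keyed by (release, variant). "std" = NetScaler ADC / Gateway;
# "FIPS" and "NDcPP" are the hardened ADC variants with their own build lines.
FIXED_BUILDS = {
    ("14.1", "std"): (8, 50),
    ("13.1", "std"): (49, 15),
    ("13.0", "std"): (92, 19),
    ("13.1", "FIPS"): (37, 163),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# 12.1 (non-FIPS/NDcPP) is end-of-life: every build is vulnerable and there is no fix.
EOL_RELEASES = {("12.1", "std")}

# Accepts the bulletin notation "13.1-49.13" and the "NS13.1: Build 49.13.nc" form
# that `show ns version` prints (assumed format, based on typical appliance output).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<release>\d+\.\d+)(?::\s*Build\s+|-)(?P<major>\d+)\.(?P<minor>\d+)",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (release, (build_major, build_minor)) parsed from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def is_vulnerable(text, variant="std"):
    """True if the build predates the fix, False if it is fixed, None if the release
    is not covered by the bulletin's list (for example an older train such as 12.0)."""
    release, build = parse_version(text)
    if (release, variant) in EOL_RELEASES:
        return True
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so 13.1-100.1 correctly sorts after
    # 13.1-49.15; comparing the strings would get this wrong.
    return build < fixed


if __name__ == "__main__":
    for s, v in [("NetScaler NS13.1: Build 49.13.nc", "std"),
                 ("14.1-8.50", "std"),
                 ("13.1-37.150", "FIPS"),
                 ("12.1-65.35", "std")]:
        print(f"{s:40} {v:6} vulnerable={is_vulnerable(s, v)}")
```

A `False` result only means the leak is closed; it says nothing about sessions that were stolen before the upgrade. Citrix’s bulletin also tells administrators to terminate all active and persistent sessions after patching, because a session cookie leaked from an unpatched appliance remains valid until it is killed or expires.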
How Are LockBit Affiliates Using Citrix Bleed?
LockBit 3.0 affiliates have recently started exploiting Citrix Bleed to target large organizations, including Boeing, the Industrial and Commercial Bank of China (ICBC), Allen & Overy and DP World.
Security researcher Kevin Beaumont said the attacks have been “done in a co-ordinated fashion amongst multiple LockBit operators — a strike team to break into organizations using CitrixBleed and then hold them to ransom.”
While gaining access was “incredibly easy” – at least before the patch is installed – the real challenge for the threat actors has been maintaining access, “as hijacking a session boots off the legitimate user, and the legitimate user boots off the attacker when they reconnect,” explained Beaumont.
Affiliates trigger the flaw by sending an HTTP GET request with a crafted HTTP Host header, which causes a vulnerable appliance to return a chunk of system memory in its response. The leaked memory can contain a valid NetScaler AAA session cookie. With that cookie, LockBit 3.0 affiliates establish an authenticated session on the NetScaler appliance without a username, a password, or access to MFA tokens.
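The two halves of that technique each leave a trace: the probe is a request with a Host header far larger than any hostname, and the replay is a session cookie that suddenly appears from a second source IP. The script below is an added example, not code from the advisory or from Citrix, that runs both checks over a log and then correlates them, flagging shared sessions whose second IP also sent the oversized header. The log lines are constructed for the example, and the format is an assumption: NetScaler’s default logging does not record Host header length, so in practice that field would come from a front-end proxy, WAF or packet capture, with the session field being the value of the NSC_AAAC cookie.

```python
import re
from collections import defaultdict

# Assumed threshold: a legitimate Host header is a hostname and rarely exceeds a few
# hundred bytes, so anything in the kilobytes deserves a look.
HOST_HEADER_LIMIT = 1024

# Constructed sample (not real NetScaler log output). Assumed line format, one request
# per line, with the Host header length and the AAA session cookie (NSC_AAAC) value
# already extracted; "-" means the request carried no session cookie.
#   <timestamp> <src_ip> <method> <path> host_len=<bytes> session=<cookie|->
SAMPLE_LOG = """\
2023-11-20T10:00:01Z 203.0.113.5 GET /logon/index.html host_len=18 session=-
2023-11-20T10:00:07Z 198.51.100.9 GET /logon/index.html host_len=25000 session=-
2023-11-20T10:01:30Z 203.0.113.5 GET /cgi/portal host_len=18 session=d1f9c2e0
2023-11-20T10:02:15Z 198.51.100.9 GET /cgi/portal host_len=18 session=d1f9c2e0
2023-11-20T10:03:00Z 192.0.2.77 GET /logon/index.html host_len=18 session=-
2023-11-20T10:03:40Z 192.0.2.77 GET /cgi/portal host_len=18 session=7a44be19
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"host_len=(?P<host_len>\d+) session=(?P<session>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of dicts; reject lines that do not fit."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        e = m.groupdict()
        e["host_len"] = int(e["host_len"])
        events.append(e)
    return events


def oversized_host_requests(events, limit=HOST_HEADER_LIMIT):
    """Requests whose Host header exceeds the limit: the memory-leak probe itself."""
    return [e for e in events if e["host_len"] > limit]


def shared_sessions(events):
    """Session cookies seen from more than one source IP, mapped to the sorted IPs.
    A replayed (stolen) cookie looks exactly like this."""
    ips_by_session = defaultdict(set)
    for e in events:
        if e["session"] != "-":
            ips_by_session[e["session"]].add(e["src"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}


def probable_hijacks(events, limit=HOST_HEADER_LIMIT):
    """Shared sessions where one of the IPs also sent an oversized Host header:
    the strongest signal, because it ties the leak to the replay."""
    probers = {e["src"] for e in oversized_host_requests(events, limit)}
    return {s: ips for s, ips in shared_sessions(events).items() if probers & set(ips)}


def triage(text, limit=HOST_HEADER_LIMIT):
    """Return human-readable findings for a log text."""
    events = parse_log(text)
    hijacks = probable_hijacks(events, limit)
    findings = []
    for e in oversized_host_requests(events, limit):
        findings.append(f"{e['ts']} {e['src']} sent a {e['host_len']}-byte Host header to {e['path']}")
    for s, ips in shared_sessions(events).items():
        tag = "probable hijack" if s in hijacks else "shared session"
        findings.append(f"{tag}: cookie {s} used from {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The shared-session check on its own produces false positives for users who roam between networks (a laptop moving from office Wi-Fi to mobile data changes source IP without any hijack), which is why the correlation with the probing IP is the finding to act on first; a shared session without a matching probe is worth a look, not an incident. Note also that the check is only as good as the log retention: Beaumont’s point about the legitimate user and the attacker bouncing each other off the session means the replay can show up as a rapid alternation of IPs on one cookie rather than a single clean switch.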
According to CISA director Jen Easterly, Boeing has provided vital information that helped to put together the published #StopRansomware joint advisory.
Beaumont commented on X: “Kudos to Boeing for stepping out here […]. Please patch CitrixBleed. A large number of US organizations still haven’t patched, including some retailers going into Black Friday.”