November 14, 2023 at 03:05PM
LockBit ransomware attacks are exploiting the Citrix Bleed vulnerability (CVE-2023-4966) to breach large organizations' systems, steal data, and encrypt files. Despite Citrix releasing fixes for the vulnerability over a month ago, thousands of vulnerable appliances are still running, many in the U.S. LockBit affiliates are likely responsible for the attacks, using the vulnerability to breach networks. Over 10,400 vulnerable Citrix servers have been identified, with a majority in the U.S. The vulnerability allows attackers to obtain sensitive device information, including session tokens issued after the multi-factor authentication stage. Citrix has urged administrators to protect systems from these attacks.
Key takeaways from the meeting notes:
– The LockBit ransomware attacks are using publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.
– Despite Citrix making fixes available for the vulnerability over a month ago, thousands of internet-exposed appliances are still running vulnerable versions, many of them in the U.S.
– LockBit attacks have been observed targeting high-profile companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. These attacks are exploiting the Citrix Bleed flaw in exposed Citrix servers.
– The Wall Street Journal has confirmed that LockBit was responsible for the cyberattack on ICBC, achieved by exploiting the Citrix Bleed flaw. It is believed that LockBit likely breached Boeing and DP World in a similar manner.
– The attacks are likely being conducted by a LockBit affiliate that is heavily utilizing the Citrix Bleed vulnerability to breach networks, rather than by the main ransomware operation itself.
– There are currently over 10,400 Citrix servers vulnerable to CVE-2023-4966, with the majority located in the U.S., followed by Germany and China.
– The Citrix Bleed vulnerability was disclosed on October 10 and affects Citrix NetScaler ADC and Gateway, allowing access to sensitive device information.
– Threat actors started exploiting the vulnerability in late August, even before it was publicly disclosed. The attacks involve obtaining NetScaler AAA session cookies issued after the multi-factor authentication stage, which lets the attacker reuse an authenticated session without completing MFA themselves.
– Citrix has urged administrators to protect systems from these attacks, and a proof-of-concept exploit demonstrating session token theft has been released.