November 21, 2023 at 05:39PM
LockBit 3.0 ransomware affiliates are exploiting the "Citrix Bleed" vulnerability, prompting warnings from CISA and Citrix. The bug lets attackers bypass authentication by hijacking existing user sessions and the credentials behind them. Applying Citrix's patch alone is not sufficient: sessions hijacked before the upgrade stay valid until they are terminated. Organizations are advised to upgrade immediately, clear all active and persistent sessions, and assess their exposure. Thousands of organizations are still exposed to the threat.
Key Takeaways from Meeting Notes:
1. Ransomware affiliates for the LockBit 3.0 gang are increasing their attacks on the “Citrix Bleed” security vulnerability.
2. CISA and Citrix are issuing warnings to take affected appliances offline if immediate remediation is not possible.
6. The vulnerability (CVE-2023-4966, CVSS 9.4) affects NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances.
7. LockBit 3.0 affiliates have targeted a range of organizations, including Boeing, DP World, and ICBC.
8. The vulnerability lets threat actors bypass password checks and multifactor authentication by hijacking already-authenticated sessions, giving them unauthorized access to data.
6. Kevin Beaumont, a security researcher, suggests that teenagers may be involved in the LockBit 3.0 gang’s attacks.
10. Patching alone is not enough to protect affected instances: session tokens stolen before the upgrade remain valid, so hijacked sessions persist across the patch.
11. Organizations should upgrade affected builds, terminate all active and persistent sessions on the appliance, and assess whether they can identify every exposed appliance and every session or credential that needs to be reset.
9. Isolating vulnerable appliances is recommended if immediate patching is not possible.
10. Citrix’s product is widely used, making it an attractive target for threat actors.
11. These warnings come at a time when many security teams may be understaffed due to the Thanksgiving holiday.
12. An analysis shows that thousands of organizations are still exposed to the vulnerability.
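The upgrade-then-kill-sessions procedure in points 7 to 9 above, as an added example that is not part of the original article and not Citrix's own code: a small triage script that classifies a NetScaler build string against the fixed builds and emits the remediation steps for that appliance, always including session termination because the patch does not invalidate already-stolen tokens. The fixed-build thresholds and the session-kill commands are taken from Citrix's published advisory (CTX579459) as recalled here and should be checked against the current advisory before use; the `show ns version` output format and the sample version strings are constructed for the example.

```python
"""Triage NetScaler ADC / Gateway build strings for CVE-2023-4966 (Citrix Bleed).

Added example, not part of the article or of Citrix's tooling.
"""
import re

# Minimum fixed build per branch, per Citrix advisory CTX579459 as recalled here.
# Verify against the current advisory before relying on these numbers.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}
# Plain 12.1 is end of life and receives no fix.
EOL_BRANCHES = {"12.1"}

# NetScaler CLI commands Citrix published to drop sessions that may have been
# hijacked before the upgrade. Run on the appliance once it is on a fixed build.
SESSION_KILL_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Dashed form used in advisories: "13.1-49.15", "13.1-FIPS-37.164"
_DASHED = re.compile(r"^(?P<major>\d+\.\d+)(?:-(?P<variant>FIPS|NDcPP))?-(?P<build>\d+\.\d+)$")
# Assumed first line of 'show ns version': "NetScaler NS13.1: Build 49.15.nc, Date: ..."
_SHOW_VERSION = re.compile(r"NS(?P<major>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")


def parse_build(text, variant=None):
    """Return (branch, (build_major, build_minor)) from either string form.

    `variant` lets the caller flag FIPS/NDcPP appliances when the show-version
    output does not carry that information itself.
    """
    text = text.strip()
    m = _DASHED.match(text)
    if m:
        variant = m.group("variant") or variant
    else:
        m = _SHOW_VERSION.search(text)
        if not m:
            raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch = m.group("major") + (f"-{variant}" if variant else "")
    major, minor = m.group("build").split(".")
    return branch, (int(major), int(minor))


def assess(text, variant=None):
    """Classify one appliance: 'fixed', 'vulnerable', 'eol-no-fix' or 'unknown-branch'."""
    branch, build = parse_build(text, variant)
    if branch in EOL_BRANCHES:
        return "eol-no-fix"
    if branch not in FIXED_BUILDS:
        return "unknown-branch"
    # Tuple comparison orders (49, 13) before (49, 15) as intended.
    return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"


def remediation(text, variant=None):
    """Return (status, steps). Session termination is always included because
    the patch does not revoke tokens stolen before it was applied."""
    status = assess(text, variant)
    steps = []
    if status == "vulnerable":
        steps.append("upgrade to a fixed build (isolate the appliance until then)")
    elif status == "eol-no-fix":
        steps.append("branch is end of life with no fix: take offline and migrate")
    elif status == "unknown-branch":
        steps.append("branch not in the fixed-build table: check the advisory")
    steps.extend(SESSION_KILL_COMMANDS)
    return status, steps


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("gw1", "NetScaler NS13.1: Build 49.13.nc, Date: Sep 12 2023, 10:00:00"),
        ("gw2", "13.1-49.15"),
        ("gw3", "12.1-65.37"),
    ]
    for name, version in inventory:
        status, steps = remediation(version)
        print(f"{name}: {status}")
        for step in steps:
            print(f"    {step}")
```

Feed it the output of `show ns version` from each appliance (or the build string from your inventory) and act on the emitted steps; the point to take from the output is that even the appliance already on 13.1-49.15 still gets the session-kill commands.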