‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA

Both nation-state hackers and cybercriminal gangs are exploiting a vulnerability affecting Citrix products, federal cyber officials warned on Tuesday.

The ‘Citrix Bleed’ bug has caused alarm for weeks as cybersecurity experts warned that many government agencies and major companies were leaving their appliances exposed to the internet — opening themselves up to attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and cybersecurity officials in Australia, published an advisory on Tuesday about the LockBit ransomware gang’s exploitation of CVE-2023-4966, which impacts NetScaler ADC and NetScaler Gateway appliances. The products are used by companies to manage network traffic.

On a press call on Tuesday, CISA Executive Assistant Director for Cybersecurity Eric Goldstein confirmed that both nation-state hackers and cybercriminal groups like LockBit are exploiting the bug.

Goldstein acknowledged that while thousands of organizations are still vulnerable, more than 300 entities have been warned about their exposure to the issue through CISA’s Ransomware Vulnerability Warning Program.

One of the major companies that has been targeted is Boeing, whose parts and distribution business was attacked by LockBit through the vulnerability earlier this month.

In Tuesday’s advisory, CISA and the FBI said Boeing voluntarily shared information from their attack, confirming that hackers using the latest LockBit 3.0 ransomware exploited CVE-2023-4966 to obtain initial access to Boeing Distribution Inc.

The advisory confirms that other organizations “have observed similar activity impacting their organization.”

“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” the agencies said.

“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

The agencies urged all organizations to isolate NetScaler ADC and Gateway appliances while also applying any necessary software updates as soon as possible.

Attacks involving Citrix Bleed began in August, according to the advisory and previous reports from Google security firm Mandiant.

Despite a security bulletin from Citrix in October rating the bug a 9.4 out of 10 on the CVSS severity scale, research tool ShadowServer shows that thousands of instances where the tool is used were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone. CISA ordered all federal civilian agencies to patch the bug on October 18 and gave a deadline of November 8.

Earlier this month, cybersecurity expert Kevin Beaumont said at least two ransomware gangs are now attempting to exploit the vulnerability in attacks, while Mandiant found four different groups attempting exploitation.

“People are going wild with it — it’s point and click simple access to Remote Desktop inside orgs firewalls without generating any alerts or logs,” Beaumont wrote.

CISA backed up that assessment on Tuesday, warning that the ease of exploitation meant they “expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.”

Once inside, LockBit actors were seen using AnyDesk and Splashtop remote management and monitoring tools to gain further access.

On high alert

The advisory is largely a play-by-play of what Boeing dealt with when investigating the attack on its systems.

The hackers attempted to obtain information about the operating system and hardware, including versions and patches.

“Organizations are encouraged to assess Citrix software and your systems for evidence of compromise, and to hunt for malicious activity,” they said.

“If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious code.”

The agencies urged affected organizations to quarantine or take offline potentially affected hosts before contacting a local FBI field office for assistance.

During the press call, a senior FBI official addressed growing concerns about the lack of U.S. government action in response to LockBit’s continued run of attacks.

“We've taken some actions to date specifically against LockBit and continue to pursue enforcement opportunities when and where we can take them,” they said.

“And as part of our overall whole of government strategy, we will use every tool at our disposal — from arrest to infrastructure takedowns and seizures — to increase the cost for ransomware actors to engage in this criminal activity.”

One recent LockBit victim, the Industrial and Commercial Bank of China (ICBC) — the country’s largest bank — may have been breached through the Citrix vulnerability. Cybersecurity expert Beaumont previously shared a Shodan search showing the bank had a Citrix Netscaler box that was unpatched for CVE-2023-4966.

The attack caused widespread alarm, and U.S. Treasury Secretary Janet Yellen was forced to reassure the public that the incident did not affect the Treasury market.

CISA took other measures to notify the public of dangerous vulnerabilities on Tuesday, adding another vulnerability — CVE-2023-4911 — to its known exploited vulnerabilities catalog, giving federal civilian agencies until December 12 to patch.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.