LockBit Ransomware Exploits Citrix Bleed in Attacks, 10K Servers Exposed

Cyber Security Threat Summary:
About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), known as “Citrix Bleed,” affecting Citrix NetScaler ADC and NetScaler Gateway. As of writing, thousands of internet-exposed endpoints are still running vulnerable appliances despite patches having been released, and threat actors are using this window to launch attacks. One of these actors is the LockBit ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

Security Officer Comments:
According to threat researcher Kevin Beaumont, who has been tracking attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing, all of these companies were running unpatched Citrix NetScaler devices. The U.S. Treasury recently sent an email to the Wall Street Journal confirming that LockBit was responsible for the attack against ICBC, and that the intrusion was achieved by exploiting the Citrix Bleed vulnerability. As such, it is likely that the other organizations were breached in a similar fashion.

Suggested Correction(s):
These attacks are reminiscent of the campaign launched earlier this year by Clop, in which the ransomware gang exploited a zero-day in the MOVEit file transfer application to steal data from hundreds of organizations worldwide. LockBit targeting victims in the same fashion highlights the need for organizations to apply patches in a timely manner whenever updates are readily available.