LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), jointly issued a Cybersecurity Advisory (CSA). The purpose is to distribute information on Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection strategies related to the exploitation of CVE-2023-4966, known as Citrix Bleed, by the LockBit 3.0 ransomware. This vulnerability affects Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

This advisory shares TTPs and IOCs sourced from the FBI, ACSC, and also provided voluntarily by Boeing. Boeing reported instances where LockBit 3.0 affiliates exploited CVE-2023-4966 to gain initial access to Boeing Distribution Inc. Other trusted entities have reported similar activities affecting their systems.

Historically, LockBit 3.0 affiliates have targeted organizations across various critical sectors, such as education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The TTPs observed in LockBit ransomware attacks vary significantly from one intrusion to another.

The Citrix Bleed vulnerability, used by LockBit 3.0 affiliates, enables threat actors to bypass password requirements and multifactor authentication (MFA), allowing them to hijack legitimate user sessions on Citrix NetScaler ADC and Gateway appliances. By taking over these sessions, malicious actors gain elevated privileges to gather credentials, move laterally within networks, and access data and resources.

CISA and collaborating organizations strongly advise network administrators to implement the mitigations outlined in this advisory. These include isolating NetScaler ADC and Gateway appliances and applying necessary software updates available through the Citrix Knowledge Center.

Furthermore, network defenders are encouraged to proactively search for malicious activities within their networks using the detection methods and IOCs provided in this advisory. Should a potential compromise be identified, organizations are urged to follow incident response recommendations. If no compromise is detected, immediate application of publicly available patches is recommended.

Source – https://www.cisa.gov/