Dive Brief:
- Criminal threat groups and nation-state actors are exploiting a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway to launch attacks, the Cybersecurity and Infrastructure Security Agency and FBI warned on Tuesday.
- Affiliates of LockBit 3.0 exploited the vulnerability — dubbed CitrixBleed by researchers — to gain access to Boeing’s parts and distribution unit and exfiltrate data, as part of a suspected ransomware attack, according to federal authorities.
- CISA, through its ransomware vulnerability warning program, has notified almost 300 organizations they were running vulnerable instances of the devices and needed to take mitigation measures before they were attacked, Eric Goldstein, executive assistant director of cybersecurity at CISA, said during a conference call with reporters.
Dive Insight:
The Boeing attack marks the latest in a wave of exploitation activity since the vulnerability emerged over the summer. Citrix released a patch for the vulnerability, listed as CVE-2023-4966, in early October, but claims it had not been aware of any prior exploitation.
Researchers at Mandiant said they have observed exploitation since August. Last month Mandiant warned Citrix customers to delete prior sessions, because threat groups could still access systems that were exploited before the patch was released: patching closes the hole, but it does not invalidate session tokens that were already stolen.
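To make Mandiant's point concrete, here is an added illustration of why a patch alone does not end a session-hijack exposure. It is not Citrix or NetScaler code and assumes nothing about their session format; it models a generic server-side session store in which every session issued before the patch cutoff is revoked and rejected, so a token captured beforehand stops working. The store, token names and timestamps are constructed sample data.

```python
"""
Added illustration (not Citrix/NetScaler code): sessions issued before a patch
cutoff are swept and rejected, so tokens stolen pre-patch cannot be replayed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    revoked: bool = False


# Constructed cutoff: the moment the fixed build went live. Arbitrary value.
PATCH_CUTOFF = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_store() -> dict:
    """Constructed sample sessions: two issued before the cutoff, one after."""
    return {
        "tok-old-1": Session("tok-old-1", "alice", PATCH_CUTOFF - timedelta(days=3)),
        "tok-old-2": Session("tok-old-2", "bob", PATCH_CUTOFF - timedelta(minutes=5)),
        "tok-new-1": Session("tok-new-1", "carol", PATCH_CUTOFF + timedelta(minutes=1)),
    }


def revoke_pre_patch_sessions(store: dict, cutoff: datetime) -> list:
    """Mark every session issued before `cutoff` as revoked; return the tokens swept.

    This is the 'delete prior sessions' step: any token minted while the flaw
    was exploitable is treated as potentially stolen, regardless of who holds it.
    """
    revoked = []
    for sess in store.values():
        if sess.issued_at < cutoff and not sess.revoked:
            sess.revoked = True
            revoked.append(sess.token)
    return sorted(revoked)


def is_session_valid(store: dict, token: str, cutoff: datetime) -> bool:
    """Per-request check: token must exist, be unrevoked, and postdate the cutoff.

    The issuance-time test is deliberately redundant with the sweep so a
    pre-patch token still fails even if the sweep has not run yet.
    """
    sess = store.get(token)
    if sess is None or sess.revoked:
        return False
    return sess.issued_at >= cutoff


if __name__ == "__main__":
    store = build_sample_store()
    print("revoked:", revoke_pre_patch_sessions(store, PATCH_CUTOFF))
    for tok in store:
        print(tok, "valid" if is_session_valid(store, tok, PATCH_CUTOFF) else "rejected")
```

The sweep and the per-request check together mean an attacker who captured a token before the fix gains nothing from replaying it afterwards; the legitimate user simply signs in again and receives a post-cutoff session.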
The recent wave of ransomware attacks linked to CitrixBleed has been opportunistic in nature, according to Charles Carmakal, CTO at Mandiant Consulting, a Google Cloud unit.
“Basically anybody that has a vulnerable server will likely get hit with exploitation that will give the threat actor session IDs that can be reused later in attacks,” Carmakal said via email. “But the financially-motivated actors are likely focusing their multifaceted extortion operations on the biggest organizations first, or victims they perceive may pay an extortion demand.”
Federal authorities said CitrixBleed allows hackers to bypass required passwords and multifactor authentication, letting them hijack legitimate user sessions. They also released a detailed analysis of the exploitation techniques used in the attacks.
There is evidence that threat groups are attempting to “leverage CitrixBleed against small- and medium-sized businesses and local government organizations,” said Randy Rose, VP of security operations and intelligence at MS-ISAC.
Many of these organizations lack the resources to fully implement patches in a timely manner compared with large companies and government entities.
In a blog post released Monday, Citrix urged NetScaler customers to upgrade to the most recent builds and take the recommended mitigation steps, including a review of security logs.
Security researcher Kevin Beaumont linked CitrixBleed to several major attacks in recent weeks and warned that some retailers remain unprotected ahead of Black Friday.
CISA and the FBI issued the advisory along with the Multi-State Information Sharing and Analysis Center and the Australian Signals Directorate’s Australian Cyber Security Centre.