Joint Cybersecurity Advisory on LockBit Exploitation of Citrix’s NetScaler.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) have jointly issued a Cybersecurity Advisory (CSA) on the exploitation of a vulnerability in Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances by LockBit ransomware affiliates.

Last week, the vulnerability, known as Citrix Bleed, was spotted being exploited in Australia. Since the last detection, it has been historically targeted by LockBit affiliates and seen to impact multiple critical infrastructure sectors.

The vulnerability, identified with the record CVE-2023-4966, enables threat actors to bypass password requirements and multifactor authentication, leading to successful session hijacking.

In addition, four different uncategorized groups have now been observed exploiting the vulnerability to target various industries, by exploiting Linux systems, via external configurations and scripts.


                                         Four different uncategorized groups are seen exploiting these vulnerabilities. Image-source: Fixitgearware


The LockBit ransomware affiliates:

LockBit ransomware affiliates leverage the Citrix NetScaler and Gateway appliances vulnerability to bypass password requirements and multifactor authentication (MFA), allowing them to successfully hijack legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. In addition, the LockBit ransomware affiliates are able to acquire elevated permissions, harvest credentials, move laterally, and access sensitive information and resources.

The ability of the LockBit ransomware affiliates to carry out this level of attack is due to the fact that the vulnerability was weaponized as a zero-day before Citrix released a patch. Certainly, implying that the malicious actors were able to exploit the vulnerability before a fix was available, giving them a time advantage and potentially allowing them to gain access to sensitive information or systems.

Such incident, highlights the importance of timely patching and vulnerability management to prevent such exploitation.

The joint Cybersecurity Advisory (CSA) released by these agencies provides detailed information about the MITRE ATT&CK Tactics and Techniques, Detection Method, indicators of compromise (IOCs), and incident response recommendations regarding the exploitation of CVE-2023-4966 by LockBit ransomware affiliates.

For information on stopping ransomware attacks, please refer to the updated Guide on CISA StopRansomware. Remember to always stay safe, and be vigilant 🛡️!




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments