The LockBit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.

High-profile LockBit attacks

Threat researcher Kevin Beaumont has been tracking attacks against various companies, including the Industrial and Commercial Bank of China, DP World, Allen & Overy, and Boeing, and found they had something in common: exposed Citrix servers vulnerable to the Citrix Bleed flaw, which he says the LockBit ransomware gang is exploiting in its attacks.

This was further confirmed by the Wall Street Journal, which obtained an email from the U.S. Treasury sent to select financial service providers, stating that LockBit was responsible for the cyberattack on ICBC and that the breach was achieved by exploiting the Citrix Bleed flaw. If LockBit used the vulnerability to breach one company, it is believed they likely breached Boeing and DP World the same way.

These attacks are likely being conducted by a LockBit affiliate who is heavily utilizing this vulnerability to breach networks, rather than by the ransomware operation itself. As LockBit is the largest Ransomware-as-a-Service, it works with many affiliates, who have complete discretion over how they breach networks. A GandCrab/REvil affiliate once specialized in exploiting MSP software to encrypt companies, and we are likely seeing a LockBit affiliate utilizing the Citrix Bleed flaw to mass-breach networks.

At the time of writing, more than 10,400 Citrix servers are vulnerable to CVE-2023-4966, according to findings from Japanese threat researcher Yutaka Sejiyama shared with BleepingComputer.
Sejiyama's scans have revealed vulnerable servers in large and critical organizations in the countries mentioned above and many others, all of which remain unpatched over a full month after the public disclosure of the critical flaw.

Citrix Bleed was disclosed on October 10 as a critical security issue affecting Citrix NetScaler ADC and Gateway that enables access to sensitive device information. Mandiant reported that threat actors started exploiting Citrix Bleed in late August, when the security flaw was still a zero-day. In the attacks, hackers used HTTP GET requests to obtain NetScaler AAA session cookies after the multi-factor authentication stage. Citrix urged admins to protect systems from these low-complexity, no-interaction attacks.

On October 25, external attack surface management company AssetNote released a proof-of-concept exploit demonstrating how session tokens can be stolen.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000