The US Government’s cybersecurity and law enforcement agencies are warning about what the cybersecurity community has known for close to a month now - the LockBit hackers are leveraging the Citrix Bleed vulnerability to target organizations everywhere.
Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint cybersecurity advisory warning about LockBit’s abuse of Citrix Bleed.
Citrix Bleed is a high-severity vulnerability discovered in NetScaler ADC and NetScaler Gateway. It’s tracked as CVE-2023-4966 and carries a severity score of 9.4. In early November this year, cybersecurity researchers from Mandiant warned of hackers using Citrix Bleed to go after endpoints in government institutions and legal organizations globally. Mandiant said hackers were probably using it to hijack authentication sessions and steal corporate data since August 2023.
Active ransomware operation
Truth be told, CISA was already warning about Citrix Bleed earlier this year, but back then - there was no mention even of ransomware, let alone a specific RaaS such as LockBit.
“Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” CISA said in its advisory.
A patch has been available for roughly a month now, and all Citrix users are advised to apply it immediately because there are multiple threat actors out there hunting for unpatched and vulnerable instances and looking to deploy malware.
LockBit is one of the most popular Ransomware-as-a-Service (RaaS) operators out there. Their affiliates were responsible for successful breaches at SpaceX, Boeing, the government of Canada, Microsoft, and countless others. The developers also seem to be careful not to target healthcare firms and other organizations whose disruption could lead to the loss of life: when an affiliate group targeted a children’s hospital in January this year, LockBit apologized, released the decryptor for free, and stopped working with the affiliate group in question.
More from TechRadar Pro
- Governments around the world are being hacked thanks to Citrix flaws
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
