LockBit ransomware gang is exploiting CitrixBleed bug for mass attacks worldwide

The LockBit ransomware group is mass-exploiting a critical vulnerability in Citrix NetScaler to break into large organizations worldwide, including Boeing, China’s largest bank ICBC, Emirati port operator DP World and the London-based international law firm Allen & Overy, cybersecurity researchers have warned.

According to cybersecurity firm Mandiant, the remote code execution vulnerability (CVE-2023-4966 aka CitrixBleed) in Citrix NetScaler ADC and NetScaler Gateway products has been exploited as a zero-day vulnerability since late August of this year. Citrix released security patches and later updated its advisory to warn that it had observed exploitation in the wild.

Cybersecurity researcher Kevin Beaumont has been tracking attacks against various organizations and was the first to notice that all hacked companies had unpatched Citrix instances.

“I wrote about how LockBit ransomware group have assembled a Strike Team and are using a Citrix vulnerability to extort the world’s largest companies,” Beaumont said in a post on X.

“An initial challenge has been maintaining access, as hijacking a session boots off the legitimate user, and the legitimate user boots off the attacker when they reconnect. To combat this, LockBit have been deploying remote access tools such as Atera — which does not trigger antivirus or EDR alerts — to allow remote, interactive PowerShell requests without any visible signs to the end user. This access also persists after patching CitrixBleed,” the researcher explained in a blog post.

Once access is obtained, the victims are passed to the execution team, which escalates privileges via a variety of techniques, terminates EDR controls, steals data and ultimately deploys ransomware.
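Because the Atera-based foothold described above survives patching of the gateway, a defender's follow-up is to hunt for remote-access agents that appeared on hosts after the exploitation window opened. The script below is an added example, not code from the article or from the researchers it quotes; it assumes Windows "service installed" (Event ID 7045) records exported as CSV, that the Atera agent registers a service named AteraAgent (an assumption, verify locally), a window start of 2023-08-01 derived from the "late August" statement, and a placeholder ExampleRMM as the organisation's sanctioned tool.

```python
"""Post-patch hunt for unsanctioned remote-access agents installed after the
CitrixBleed exploitation window opened. Added example; constructed data."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample 7045 records: timestamp, host, service name, image path.
# Service names and paths are assumptions used only to exercise the logic.
SAMPLE_7045 = """\
timestamp,host,service_name,image_path
2023-06-01T08:00:00Z,hr01,AteraAgent,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2023-07-12T09:14:02Z,fs01,ExampleRMM,C:\\Program Files\\ExampleRMM\\agent.exe
2023-09-03T22:41:55Z,ad02,AteraAgent,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2023-09-04T01:05:17Z,ad02,AteraAgent,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2023-10-20T11:30:00Z,web03,Spooler,C:\\Windows\\System32\\spoolsv.exe
"""

WINDOW_START = datetime(2023, 8, 1, tzinfo=timezone.utc)  # assumption: "late August" onset
KNOWN_RMM_SERVICES = {"ateraagent"}       # the article names Atera; extend with local knowledge
SANCTIONED_RMM_SERVICES = {"examplermm"}  # placeholder for the organisation's approved tool


def find_unsanctioned_rmm(csv_text, window_start=WINDOW_START):
    """Return one finding per (host, service) for known RMM agents that were
    installed inside the window and are not on the sanctioned list.
    Installs before the window are ignored: they predate the campaign."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        svc = row["service_name"].lower()
        if svc not in KNOWN_RMM_SERVICES or svc in SANCTIONED_RMM_SERVICES:
            continue
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if ts < window_start:
            continue
        key = (row["host"], svc)
        f = findings.setdefault(key, {"host": row["host"], "service": row["service_name"],
                                      "image": row["image_path"], "first_seen": ts, "installs": 0})
        f["first_seen"] = min(f["first_seen"], ts)  # earliest install wins
        f["installs"] += 1
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in find_unsanctioned_rmm(SAMPLE_7045):
        # Patching NetScaler does not remove this agent; it needs explicit eviction.
        print(f"{f['host']}: {f['service']} first installed {f['first_seen']:%Y-%m-%d} "
              f"({f['installs']} install events) -> {f['image']}")
```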

Beaumont previously said that more than 5,000 organizations had yet to patch the bug. According to newer data from Japanese threat researcher Yutaka Sejiyama, more than 10,000 Citrix servers are currently vulnerable to CVE-2023-4966, most of them located in the US and Germany.
