The LockBit ransomware group is mass-exploiting a critical vulnerability in Citrix NetScaler to hack into large organizations worldwide, including Boeing, China's largest bank ICBC, Emirati port operator DP World and the London-based international law firm Allen & Overy, cybersecurity researchers have warned.
According to cybersecurity firm Mandiant, the remote code execution vulnerability (CVE-2023-4966 aka CitrixBleed) in Citrix NetScaler ADC and NetScaler Gateway products has been exploited as a zero-day vulnerability since late August of this year. Citrix released security patches and later updated its advisory to warn that it had observed exploitation in the wild.
Cybersecurity researcher Kevin Beaumont has been tracking attacks against various organizations and was the first to notice that all hacked companies had unpatched Citrix instances.
“I wrote about how LockBit ransomware group have assembled a Strike Team and are using a Citrix vulnerability to extort the world’s largest companies,” Beaumont said in a post on X.
“An initial challenge has been maintaining access, as hijacking a session boots off the legitimate user, and the legitimate user boots off the attacker when they reconnect. To combat this, LockBit have been deploying remote access tools such as Atera — which does not trigger antivirus or EDR alerts — to allow remote, interactive PowerShell requests without any visible signs to the end user. This access also persists after patching CitrixBleed,” the researcher explained in a blog post.
Once access is obtained, the victims are passed to the execution team, which escalates privileges via a variety of techniques, terminates EDR controls, steals data and ultimately deploys ransomware.
Previously, Beaumont said that more than 5,000 organizations had yet to patch the bug, but according to new data from Japanese threat researcher Yutaka Sejiyama there are currently more than 10,000 Citrix servers vulnerable to CVE-2023-4966, most of them located in the US and Germany.