The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI cautioned today that the LockBit ransomware gang is exploiting the Citrix Bleed security flaw in exploits against critical infrastructure sectors, according to a joint cybersecurity advisory (CSA) issued with the Multi-State Information Sharing and Analysis Center and the Australian Cyber Security Center.
The vulnerability affects Citrix’s NetScaler web application delivery control and NetScaler Gateway appliances.
Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors – including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation, the advisory warns.
“The joint CSA provides tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs),” the agencies wrote. “If compromise is detected, the authoring organizations encourage network defenders [to] hunt for malicious activity on their networks using the detection methods and IOCs provided within the CSA and apply the incident response recommendations. Additionally, immediate application of publicly available patches is also recommended.”
The advisory notes that the TTPs and IOCs were voluntarily shared by Boeing. According to the agencies, Boeing observed LockBit 3.0 affiliates exploiting Citrix Bleed to obtain initial access to Boeing Distribution Inc.
CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein said on a call with reporters today that Boeing warning the government about the vulnerability was an “extraordinary example” of the “criticality of public-private partnerships and operational collaboration.”
“Our partners at Boeing had a subsidiary that was very unfortunately affected by the type of activity referenced in this advisory, but Boeing in this case did the right thing,” Goldstein said. “They reached out to their government partners, and they provided robust technical information about their subsidiary’s incident that then allowed us to more effectively provide guidance to protect thousands of other organizations around the world.”
Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication, leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control and Gateway appliances, the joint advisory says. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.
A senior CISA official said on the call today that the agency has seen exposure from the vulnerability “over the past several weeks across a wide variety of sectors given the prevalence of these impacted devices.”
CISA and the FBI warned of the threat posed by LockBit ransomware earlier this summer, noting that LockBit is the “most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023,” and said it has been used to attack “organizations of various sizes across a wide array of critical infrastructure sectors.”
“[LockBit] first appeared around January 2020, and the actors have executed over 1,400 attacks against victims in the United States and around the world issuing over $100 million in ransom demand and receiving at least as much as tens of millions of dollars in actual ransom payments made in the form of Bitcoin,” a senior FBI official told reporters today. “And these actors are consistently looking for new ways to get into different systems.”
The senior FBI official said that the bureau’s investigation into the ransomware gang is ongoing, but they have “taken some actions to date and we continue to pursue enforcement opportunities when and where we’re able to take those.”
“As part of our overall whole-of-government strategy we will use every tool at our disposal from arrest to infrastructure takedown and seizures to increase the cost for ransomware actors to engage in this criminal activity,” the FBI official added.