LockBit Ransomware Exploits Critical Citrix Bleed Vulnerability for Entry

Nov 22, 2023NewsroomThreat / Vulnerability Analysis

LockBit Ransomware

Many threat actors, including those associated with LockBit ransomware, are actively exploiting recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to gain initial access to the target environment.

The joint advisory comes from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber ​​Security Center (ASD’s ACSC ) .

“Citrix Bleed, known to be used by LockBit 3.0 affiliates, allows threat actors to bypass password and multifactor authentication (MFA) requirements, leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” the agencies SAYS.


“By capturing legitimate user sessions, malicious actors gain elevated permissions to harvest credentials, act later, and access data and resources.”

Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability was addressed by Citrix last month but not before it was weaponized as a zero-day, at least as of August 2023. It is codenamed Citrix Bleed.

Shortly after the public disclosure, Google-owned Mandiant revealed that it was tracking four different uncategorized (UNC) groups involved in exploiting CVE-2023-4966 to target multiple verticals of industry in the Americas, EMEA, and APJ.

The latest threat actor to join the exploitation bandwagon is LockBit, which has been observed exploiting a flaw in the execution of PowerShell scripts as well as dropping remote management and monitoring (RMM) tools such as AnyDesk and Splashtop for in follow-on activities.

The development once again highlights the fact that vulnerabilities in exposed services continue to be a primary entry vector for ransomware attacks.

The disclosure comes as Check Point released a comparative study of ransomware attacks targeting Windows and Linux, which found that the majority of Linux cracking families heavily use the OpenSSL library alongside the ChaCha20 / RSA and AES / RSA algorithms.


“Linux ransomware is clearly aimed at medium and large organizations compared to Windows threats, which are more general in nature,” security researcher Marc Salinas Fernandez SAYS.

Examination of various Linux-targeting ransomware families “reveals an interesting trend towards simplification, where their core functions are often reduced to basic encryption processes, thus leaving the rest of the work to scripts and legitimate system tools.”

Check Point says that the minimalist approach not only makes these ransomware families rely heavily on external configurations and scripts but also makes them easier to fly under radar.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment