Numerous threat actors, including affiliates associated with LockBit ransomware, are actively capitalizing on a recently exposed critical security vulnerability within Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances. The joint guidance, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), underscores the gravity of the situation.

Referred to as “Citrix Bleed” and exploited by LockBit 3.0 affiliates, this vulnerability enables threat actors to circumvent password requirements and multifactor authentication (MFA), allowing them to hijack legitimate user sessions on Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances. The consequence of this exploit is the acquisition of elevated permissions by malicious actors, enabling them to harvest credentials, move laterally within networks, and access critical data and resources.

Identified as CVE-2023-4966 with a CVSS score of 9.4, the vulnerability was addressed by Citrix last month. However, it had been weaponized as a zero-day since at least August 2023, and it has since been given the codename Citrix Bleed.

In the aftermath of the public disclosure, Mandiant, a subsidiary of Google, reported tracking four different uncategorized (UNC) groups actively exploiting CVE-2023-4966. These groups are targeting various industry verticals in the Americas, EMEA, and APJ regions.

The latest entrant to the exploitation landscape is LockBit, which has been observed leveraging the vulnerability to execute PowerShell scripts. Additionally, LockBit employs the flaw to deploy remote management and monitoring (RMM) tools such as AnyDesk and Splashtop for subsequent malicious activities.
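The deployment of AnyDesk and Splashtop described above is something a defender can hunt for in endpoint process-creation telemetry: any remote management tool appearing on a host where it is not sanctioned, especially when it is spawned by a scripting host such as PowerShell, is worth an alert. The following is an added example, not code from the original article or from any of the vendors or agencies it names. The telemetry line format, the executable-name patterns for the two RMM products, and the per-host allowlist are all assumptions constructed for the illustration; the sample events are likewise constructed.

```python
"""Hunt for unapproved remote management and monitoring (RMM) tools in
process-creation telemetry (added example; all formats and names are assumed)."""
import re
from typing import Dict, List, Optional

# Hypothetical telemetry line format (constructed for this example), one event per line:
#   <timestamp> host=<name> event=process_create image="<path>" parent="<path>" user=<account>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=process_create '
    r'image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)" user=(?P<user>.+)$'
)

# Executable-name patterns for the two RMM products named in the advisory.
# Assumption: the agent or installer carries the product name in its file name;
# tune these for the binaries actually present in your estate.
RMM_PATTERNS: Dict[str, re.Pattern] = {
    "anydesk": re.compile(r"^anydesk.*\.exe$", re.IGNORECASE),
    "splashtop": re.compile(r"^splashtop.*\.exe$", re.IGNORECASE),
}

# Hypothetical allowlist: hosts on which a given RMM product is sanctioned.
APPROVED_RMM: Dict[str, set] = {"helpdesk-ws01": {"anydesk"}}

# Parents that indicate the tool was launched by a script rather than a user.
SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript)\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the file name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def classify_rmm(image: str) -> Optional[str]:
    """Return the RMM product name if the image matches a known pattern, else None."""
    name = basename(image)
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(name):
            return product
    return None


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one telemetry line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_rmm(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per unapproved RMM execution, rated high when a script host spawned it."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        product = classify_rmm(ev["image"])
        if product is None or product in APPROVED_RMM.get(ev["host"], set()):
            continue
        from_script = bool(SCRIPT_HOSTS.search(basename(ev["parent"])))
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev["user"],
            "product": product,
            "parent": basename(ev["parent"]),
            "severity": "high" if from_script else "medium",
        })
    return findings


# Constructed sample events: one sanctioned AnyDesk launch, two unsanctioned RMM
# launches (one from PowerShell), and one unrelated process.
SAMPLE_EVENTS = [
    r'2023-11-21T10:04:12Z host=fin-ws07 event=process_create image="C:\Users\jdoe\Downloads\AnyDesk.exe" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" user=CORP\jdoe',
    r'2023-11-21T10:05:30Z host=helpdesk-ws01 event=process_create image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" parent="C:\Windows\explorer.exe" user=CORP\helpdesk',
    r'2023-11-21T10:06:02Z host=srv-db02 event=process_create image="C:\Windows\Temp\Splashtop_Streamer_Windows.exe" parent="C:\Windows\explorer.exe" user=CORP\svc-backup',
    r'2023-11-21T10:07:45Z host=srv-db02 event=process_create image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" user=CORP\admin',
]

if __name__ == "__main__":
    for f in hunt_rmm(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['user']} ran {f['product']} (parent {f['parent']})")
```

Run as a script it reports two findings: AnyDesk on fin-ws07 spawned by powershell.exe (high) and Splashtop on srv-db02 (medium); the AnyDesk launch on the approved helpdesk host is suppressed. The allowlist is keyed by host rather than by user on purpose: a sanctioned product appearing on a database server is exactly the signal the advisory's description of LockBit post-exploitation activity suggests should not be filtered out.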

This development underscores the persistent threat posed by vulnerabilities in exposed services, which continue to serve as primary entry vectors for ransomware attacks.

Coinciding with this disclosure, Check Point released a comparative study of ransomware attacks targeting Windows and Linux. The study highlighted that Linux-targeting ransomware, in contrast to its Windows counterparts, tends to focus on medium and large organizations. Notably, these Linux threats heavily utilize the OpenSSL library, along with ChaCha20/RSA and AES/RSA algorithms.

Security researcher Marc Salinas Fernandez emphasized the clear targeting of medium and large organizations by Linux ransomware, in contrast to the more general nature of Windows threats. The study revealed a trend towards simplification in Linux-targeting ransomware families, with core functionalities often reduced to basic encryption processes. This minimalist approach makes these ransomware families highly reliant on external configurations and scripts, which in turn makes them harder to detect during an intrusion.
