Critical Citrix Bleed vulnerability is being used by hackers to target multiple businesses

Image Credit: Shutterstock (Image credit: Shutterstock)

The US Government’s cybersecurity and law enforcement agencies are warning about what the cybersecurity community has known for close to a month now - the LockBit hackers are leveraging the Citrix Bleed vulnerability to target organizations everywhere.

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint cybersecurity advisory warning about LockBit’s abuse of Citrix Bleed. 

Citrix Bleed is a high-severity vulnerability discovered in NetScaler ADC and NetScaler Gateway. It’s tracked as CVE-2023-4966 and carries a severity score of 9.4. In early November this year, cybersecurity researchers from Mandiant warned of hackers using Citrix Bleed to go after endpoints in government institutions and legal organizations globally. Mandiant said hackers were probably using it to hijack authentication sessions and steal corporate data since August 2023.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Active ransomware operation

Truth be told, CISA was already warning about Citrix Bleed earlier this year, but back then - there was no mention even of ransomware, let alone a specific RaaS such as LockBit.

“Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” CISA said in its advisory.

A patch has been available for roughly a month now, and all Citrix users are advised to apply it immediately because there are multiple threat actors out there hunting for unpatched and vulnerable instances and looking to deploy malware

LockBit is one of the most popular Ransomware-as-a-Service (RaaS) operators out there. Their affiliates were responsible for successful breaches at SpaceX, Boeing, the government of Canada, Microsoft, and countless others. The developers also seem to be careful not to target healthcare firms and other organizations whose disruption could lead to the loss of life: when an affiliate group targeted a children’s hospital in January this year, LockBit apologized, released the decryptor for free, and stopped working with the affiliate group in question.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.