How LockBit used Citrix Bleed to breach Boeing and other targets

CVE-2023-4966, aka “Citrix Bleed”, has been exploited by LockBit 3.0 affiliates to breach Boeing’s parts and distribution business, and “other trusted third parties have observed similar activity impacting their organization,” cybersecurity and law enforcement officials have confirmed on Tuesday.

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and officials from the Australian Cyber Security Center (ACSC) have shared the tactics, techniques, and procedures and indicators of compromise (IoCs) shared by Boeing and gleaned from other investigations.

“Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks,” the agencies warned.

Breached by LockBit via Citrix Bleed

CVE-2023-4966 has been patched by Netscaler in early October 2023 and mass exploitation began by the end of the month. It has also been revealed that it had been exploited as a zero-day since August 2023.

Citrix Bleed is an extremely easy to exploit flaw that allows attackers to bypass password and multi-factor authentication requirements on vulnerable Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances by hijacking existing authenticated sessions.

As previously noted by security researcher Kevin Beaumont, LockBit attackers leverage this temporary access to set up permanent access by deploying remote access tools such as Altera, Anydesk, TeamViewer, Action1, and others.

Once persistence is established, the attackers find ways to acquire elevated permissions to harvest credentials, move laterally, and access data and resources, and deploy ransomware.

The advisory contains a slew of IoCs – IP addresses, domains, (PowerShell) scripts, tools, scheduled tasks, commands and filenames – that organizations can look for to discover whether they are among LockBit’s victims. It also offers guidance for threat hunters and advice for thorough incident response.

Plan for the future

We’ve known for a while that Citrix Bleed is being leveraged by a variety of threat actors, including ransomware gangs. LockBit is just the most prominent one since its affiliates often target high-profile targets.

Beaumont revealed that, along Boeing, law firm Allen & Overy, the Industrial and Commercial Bank of China (ICBC), and Australian shipping company DP World are among their victims (via Citrix Bleed).

“Know your network boundary and risky products as well as LockBit do,” he advised.

“You need to be able to identify and patch something like CitrixBleed within 24 hours — if you cannot, there is a very real possibility it isn’t the ideal product fit for your organisation due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose.”