
How LockBit used Citrix Bleed to breach Boeing and other targets
2023-11-22 13:40

CVE-2023-4966, aka "Citrix Bleed", has been exploited by LockBit 3.0 affiliates to breach Boeing's parts and distribution business, and "other trusted third parties have observed similar activity impacting their organization," cybersecurity and law enforcement officials confirmed on Tuesday.

"Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks," the agencies warned.

Citrix Bleed is an extremely easy-to-exploit flaw that allows attackers to bypass password and multi-factor authentication requirements on vulnerable Citrix NetScaler web application delivery control and NetScaler Gateway appliances by hijacking existing authenticated sessions.

As previously noted by security researcher Kevin Beaumont, LockBit attackers leverage this temporary access to set up permanent access by deploying remote access tools such as Altera, AnyDesk, TeamViewer, Action1, and others.

We've known for a while that Citrix Bleed is being leveraged by a variety of threat actors, including ransomware gangs.

LockBit is just the most prominent one, since its affiliates often go after high-profile targets.


News URL

https://www.helpnetsecurity.com/2023/11/22/lockbit-citrix-bleed/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-10-10 | CVE-2023-4966 | Unspecified vulnerability in Citrix products. Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. (network, low complexity, citrix) | 7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Citrix 116 19 175 79 65 338