How LockBit used Citrix Bleed to breach Boeing and other targets
CVE-2023-4966, aka "Citrix Bleed", has been exploited by LockBit 3.0 affiliates to breach Boeing's parts and distribution business, and "other trusted third parties have observed similar activity impacting their organization," cybersecurity and law enforcement officials confirmed on Tuesday.
"Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks," the agencies warned.
Citrix Bleed is an extremely easy-to-exploit flaw that allows attackers to bypass password and multi-factor authentication requirements on vulnerable Citrix NetScaler web application delivery control and NetScaler Gateway appliances by hijacking existing authenticated sessions.
As previously noted by security researcher Kevin Beaumont, LockBit attackers leverage this temporary access to set up permanent access by deploying remote access tools such as Altera, Anydesk, TeamViewer, Action1, and others.
We've known for a while that Citrix Bleed is being leveraged by a variety of threat actors, including ransomware gangs.
LockBit is just the most prominent one, since its affiliates often go after high-profile targets.
News URL
https://www.helpnetsecurity.com/2023/11/22/lockbit-citrix-bleed/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-10 | CVE-2023-4966 | Unspecified vulnerability in Citrix products. Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. | 7.5 |