A recently disclosed critical security vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances is being actively exploited by multiple threat actors, including affiliates of the LockBit ransomware, to gain initial access to target environments.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) all contributed to the joint advisory.

“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” the agencies stated.

“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

The flaw, tracked as CVE-2023-4966 (CVSS score: 9.4) and codenamed Citrix Bleed, was patched by Citrix last month, but not before it had been exploited as a zero-day since at least August 2023.

Mandiant, the Google-owned company, disclosed shortly after the public disclosure that it is tracking four distinct uncategorized (UNC) groups that are exploiting CVE-2023-4966 to target various industry verticals in the Americas, EMEA, and APJ.

LockBit is the latest threat actor to join the exploitation bandwagon. It has been observed using the vulnerability to drop remote monitoring and management (RMM) tools such as AnyDesk and Splashtop and to run PowerShell scripts for follow-on operations.

The finding is further evidence that ransomware attacks continue to focus primarily on vulnerabilities in internet-exposed services.

The disclosure coincides with the publication by Check Point of a comparative analysis of ransomware attacks targeting Windows and Linux, which found that most families that compromise Linux systems make extensive use of the OpenSSL library together with the ChaCha20/RSA and AES/RSA algorithms.
Security expert Marc Salinas Fernandez stated that whereas Windows attacks are significantly more widespread, “Linux ransomware is clearly aimed at medium and large organizations.”

A study of several ransomware families that target Linux “reveals an interesting trend towards simplification, where their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the work to scripts and legitimate system tools.”

According to Check Point, this minimalist approach makes these ransomware families both easier to detect and more dependent on external parameters and scripts.