Nov 22, 2023NewsroomThreat Analysis / Vulnerability

Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments.

The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC).

“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” the agencies said.


“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability was addressed by Citrix last month but not before it was weaponized as a zero-day at least since August 2023. It has been codenamed Citrix Bleed.

Shortly after the public disclosure, Google-owned Mandiant revealed it’s tracking four different uncategorized (UNC) groups involved in exploiting CVE-2023-4966 to target several industry verticals in the Americas, EMEA, and APJ.

The latest threat actor to join the exploitation bandwagon is LockBit, which has been observed taking advantage of the flaw to execute PowerShell scripts as well as drop remote management and monitoring (RMM) tools like AnyDesk and Splashtop for follow-on activities.

The development once again underscores the fact that vulnerabilities in exposed services continue to be a primary entry vector for ransomware attacks.

The disclosure comes as Check Point released a comparative study of ransomware attacks targeting Windows and Linux, noting that a majority of the families that break into Linux heavily utilize the OpenSSL library along with ChaCha20/RSA and AES/RSA algorithms.


“Linux ransomware is clearly aimed at medium and large organizations compared to Windows threats, which are much more general in nature,” security researcher Marc Salinas Fernandez said.

The examination of various Linux-targeting ransomware families “reveals an interesting trend towards simplification, where their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the work to scripts and legitimate system tools.”

Check Point said the minimalist approach not only renders these ransomware families heavily reliant on external configurations and scripts but also makes them more easier to fly under the radar.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.