The US Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and the Australian Cyber Security Centre (ACSC), has revealed in-depth details of how the LockBit ransomware gang was able to exploit the so-called Citrix Bleed vulnerability – tracked as CVE-2023-4966 – to obtain initial access to the systems of aviation giant Boeing’s parts and distribution unit.
The information was voluntarily shared by Boeing and has been published in a joint advisory to help raise awareness of the scope and impact of Citrix Bleed, which affects Citrix NetScaler web application delivery control and NetScaler Gateway appliances and, according to CISA, has been exploited by nation state actors as well as LockBit.
“Citrix Bleed allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” said CISA in its report.
“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources. Due to the ease of exploitation, CISA and the authoring organisations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.”
At a virtual press conference attended by Computer Weekly’s sister title TechTarget Security, CISA executive assistant director Eric Goldstein praised Boeing for its candour and told reporters that the information it had shared enabled the agencies to put together far more effective guidance.
CISA has also been able to take steps to help other victims based on this information. Goldstein said: “We have notified nearly 300 organisations that appear to be running vulnerable instances of the affected devices so that they can mitigate their vulnerabilities before harm occurs.”
The attack on Boeing saw LockBit’s affiliate leverage Citrix Bleed to acquire access to valid NetScaler session cookies and establish an authentication session within the NetScaler appliance without needing a username, password, or MFA token.
This was done by sending an HTTP GET request with a specially crafted HTTP Host header, which caused a vulnerable NetScaler appliance to return system memory contents, including the necessary session cookie.
Subsequent to this, LockBit executed a PowerShell script and dropped a number of remote management and monitoring tools including AnyDesk and Splashtop in order to manage their follow-on activities.
After naming and shaming Boeing on its public leak site, LockBit has subsequently leaked approximately 40GB of data purloined from the organisation’s systems. Boeing has made it clear that the incident has at no point affected flight safety.
CISA, the FBI and the ACSC are encouraging network administrators to apply the mitigations contained in their report, in particular isolating any NetScaler appliances, and hunting for malicious activity on their networks using the outlined detection methods and indicators of compromise, all of which are contained in the report.
This is in addition to applying the necessary patches from Citrix, which have now been available for over a month.
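The hunting the advisory recommends relies on the detection methods and indicators published in the report itself, which are not reproduced in this article. As an added illustration, not taken from the article, from CISA’s advisory or from Boeing, the script below checks one generic indicator that is consistent with the session takeover described above: a single NetScaler session identifier being presented from more than one client address. The log format, the field names and the sample lines are all constructed assumptions, not real NetScaler output.

```python
"""Flag sessions that are presented from more than one client IP address.

Assumed, constructed log format (one event per line):
    <timestamp> <user> sess=<session_id> <client_ip>
Neither the format nor the sample data comes from CISA's advisory or from a
real NetScaler appliance; they exist only to make the check runnable.
"""
import re
from collections import defaultdict

# Constructed sample events. Session 1f3a9c for user alice is first seen from
# 203.0.113.10 and later from 192.0.2.55, the pattern a hijacked session leaves.
SAMPLE_LOG = """\
2023-10-20T08:01:12Z alice sess=1f3a9c 203.0.113.10
2023-10-20T08:02:40Z alice sess=1f3a9c 203.0.113.10
2023-10-20T08:05:03Z bob sess=77be02 198.51.100.7
2023-10-20T08:09:31Z alice sess=1f3a9c 192.0.2.55
2023-10-20T08:10:00Z carol sess=a0d4e1 203.0.113.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) sess=(?P<sid>\S+) (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts.

    Lines that do not match the expected shape are skipped rather than
    raising, so a partially garbled export still yields usable events.
    """
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_multi_ip_sessions(events):
    """Return sessions seen from more than one client IP.

    Result shape: {session_id: {"user": <user>, "ips": [sorted client IPs]}}.
    A session legitimately changes address sometimes (roaming clients, VPN
    reconnects), so treat a hit as a lead to investigate, not as proof.
    """
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for event in events:
        ips_by_session[event["sid"]].add(event["ip"])
        user_by_session.setdefault(event["sid"], event["user"])
    return {
        sid: {"user": user_by_session[sid], "ips": sorted(ips)}
        for sid, ips in ips_by_session.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for sid, info in find_multi_ip_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} ({info['user']}) seen from {', '.join(info['ips'])}")
```

Run against a real export, the parser is the part to adapt to the appliance’s actual log format; the aggregation logic does not change. Pairing the hit with the timestamps of the two addresses helps separate a roaming user from a token that is in use from two places at once.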
Citrix Bleed timeline
10 October 2023: Citrix disclosed CVE-2023-4966, now known as Citrix Bleed, alongside a second vulnerability.
17-18 October: Reporting on significant exploitation of CVE-2023-4966 dating back to August, Mandiant CTO Charles Carmakal warns that patching alone will not be enough to safeguard against attacks leveraging MFA bypass techniques.
25-26 October: The release of a public proof of concept exploit for Citrix Bleed prompts renewed warnings as security researchers begin to see widespread exploitation of the vulnerability in the wild.
10 November: A LockBit ransomware attack against Chinese bank ICBC prompts speculation that the ransomware gang is going all-in on Citrix Bleed, after an independent researcher uncovers evidence that the organisation may have been running a vulnerable appliance.
15 November: The US Treasury reveals that the attack on ICBC did appear to begin via Citrix Bleed. Meanwhile, the US Financial Services Information Sharing and Analysis Center, as well as other cyber researchers, firm up more links between LockBit and Citrix Bleed.