Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Critical Citrix Bleed vulnerability is being used by hackers to target multiple businesses

Ransomware.

The US Government’s cybersecurity and law enforcement agencies are warning about what the cybersecurity community has known for close to a month now - the LockBit hackers are leveraging the Citrix Bleed vulnerability to target organizations everywhere.

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint cybersecurity advisory warning about LockBit’s abuse of Citrix Bleed. 

Citrix Bleed is a high-severity vulnerability discovered in NetScaler ADC and NetScaler Gateway. It’s tracked as CVE-2023-4966 and carries a severity score of 9.4. In early November this year, cybersecurity researchers from Mandiant warned of hackers using Citrix Bleed to go after endpoints in government institutions and legal organizations globally. Mandiant said hackers were probably using it to hijack authentication sessions and steal corporate data since August 2023.


Active ransomware operation

Truth be told, CISA was already warning about Citrix Bleed earlier this year, but back then - there was no mention even of ransomware, let alone a specific RaaS such as LockBit.

“Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” CISA said in its advisory.

A patch has been available for roughly a month now, and all Citrix users are advised to apply it immediately because there are multiple threat actors out there hunting for unpatched and vulnerable instances and looking to deploy malware

LockBit is one of the most popular Ransomware-as-a-Service (RaaS) operators out there. Their affiliates were responsible for successful breaches at SpaceX, Boeing, the government of Canada, Microsoft, and countless others. The developers also seem to be careful not to target healthcare firms and other organizations whose disruption could lead to the loss of life: when an affiliate group targeted a children’s hospital in January this year, LockBit apologized, released the decryptor for free, and stopped working with the affiliate group in question.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.