A critical vulnerability in Citrix NetScaler ADC (application delivery controller) and NetScaler Gateway appliances, known as Citrix Bleed (CVE-2023-4966), has been linked to cyberattacks against government and critical infrastructure organizations. The vulnerability lets attackers hijack existing authenticated sessions, bypassing both password and multifactor authentication and opening the way to data breaches.
A recent joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Cyber Security Centre (ACSC) confirmed that threat actors are actively exploiting this vulnerability. The advisory provides detailed information about the vulnerability, including indicators of compromise, observed tactics, techniques and procedures (TTPs), and detection methods.
One group of threat actors identified exploiting Citrix Bleed is associated with the LockBit 3.0 ransomware gang. LockBit has a history of targeting organizations in critical infrastructure sectors, including government, healthcare, finance, energy, and education.
Cybersecurity experts are urging organizations to act immediately to mitigate the risk from Citrix Bleed: apply the patches Citrix released in October 2023, hunt for evidence of compromise on affected appliances, and take appropriate response measures where compromise is found.
“This vulnerability requires immediate attention, especially for organizations in critical infrastructure sectors,” said a spokesperson for CISA. “We strongly encourage all organizations to patch their systems immediately and follow the guidance provided in the joint advisory.”
The advisory also recommends additional steps to harden Citrix NetScaler appliances, such as enabling session recording and logging, restricting access to the management interface, and disabling unused features.