Joint Cybersecurity Advisory – #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit Citrix Bleed Vulnerability

Today, CISA, the FBI, the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The joint CSA provides tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs).

If compromise is detected, the authoring organizations encourage network defenders hunt for malicious activity on their networks using the detection methods and IOCs provided within the CSA and apply the incident response recommendations. Additionally, immediate application of publicly available patches is also recommended. For more information, visit StopRansomware and see the updated #StopRansomware Guide.

Additionally, the FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at re****@**sa.gov or (888) 282-0870.

Access the CSA below and at CISA.