The Cybersecurity and Infrastructure Security Agency, the FBI, the Multi-State Information Sharing and Analysis Center and the Australian Cyber Security Center have issued a joint cybersecurity advisory concerning the ongoing exploitation of the Citrix Bleed vulnerability by LockBit 3.0 ransomware affiliates and multiple other threat actors.
CISA said Tuesday that the advisory contains indicators of compromise and tactics, techniques and procedures used by ransomware attackers.
The joint advisory explains that the Citrix Bleed vulnerability enables malicious actors to take over legitimate user sessions of Citrix NetScaler web application delivery control and Gateway appliances by bypassing passwords or multifactor authentication.
The advisory goes on to note that Citrix Bleed is typically exploited by actors using LockBit, which, as of 2022, was the most deployed type of ransomware around the world, according to CISA. Attackers using LockBit have targeted various organizations across different sectors, including critical infrastructure, government, manufacturing and education.
Network defenders should work to detect malicious activity on their systems, the cyber advisory says, adding, “If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.”
 
  
 
 
  
 