A recently discovered serious security vulnerability in Citrix NetScaler application delivery control (ADC) and Gateway appliances is being actively exploited by a number of threat actors, including LockBit ransomware affiliates, to gain initial access to target environments. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have all contributed to the joint advisory.
“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” the agencies stated.