Vulnerability in Citrix’s software, known as Citrix Bleed, was exploited by a ransomware group, LockBit 3.0, to attack aviation giant Boeing and other organizations.
Last month, Russia-based ransomware group LockBit 3.0 claimed responsibility for the attack on Boeing. Subsequently, it removed Boeing’s name from the leak site and extended the deadline from November 2 to November 10. However, talks between Boeing and LockBit 3.0, if any, were not successful, as the latter published about 50GB of data allegedly stolen from Boeing’s systems. LockBit is believed to have hacked as many as 800 organizations in 2023 alone.
“We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems,” Boeing said in a statement. “We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate.”
According to some estimates, US organizations hit by LockBit paid the ransomware gang as much as $90 million as ransom between 2020 and mid-2023. Since its formation in 2020, LockBit has emerged as one of the world’s biggest hacking groups.
Advisory based on data shared by Boeing
Based on the data “voluntarily shared” by Boeing, a cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and Australian Cyber Security Center.
“Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” said the advisory.
The advisory shared the tactics, techniques, and procedures “voluntarily shared” by Boeing. The flaw was fixed by Citrix last month. However, by then, it was already being exploited by several malicious elements. Post issuing the patch, Citrix urged the users to install the patch immediately.
“Exploits of this vulnerability have been reported. If you are using the affected builds of NetScaler ADC and NetScaler Gateway, we strongly urge you to install the updated builds as soon as possible,” NetScaler said in a blog post.
“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” it added.
As per media reports, CISA has informed around 300 organizations so they could address the flaw to protect their systems.
Growing LockBit 3.0 horror
LockBit is also believed to have attacked the Industrial & Commercial Bank of China (ICBC), Allen & Overy law firm, and the UK’s Royal Mail, among others. The attack on the US arm of ICBC, China’s biggest lender, was so severe that it led to the disruption of trade at US Treasury markets recently.
The ICBC bank is believed to have paid ransom to LockBit to regain control of its systems. Surprisingly, ICBC reported a hack after about a month of Citrix releasing a patch. A delay in installing the patch possibly led to the incident.