CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed

Release Date

Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors—including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The joint CSA provides tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs).

If compromise is detected, the authoring organizations encourage network defenders hunt for malicious activity on their networks using the detection methods and IOCs provided within the CSA and apply the incident response recommendations. Additionally, immediate application of publicly available patches is also recommended. For more information, visit StopRansomware and see the updated #StopRansomware Guide.

This product is provided subject to this Notification and this Privacy & Use policy.