Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments.
The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC).
“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”
Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability was addressed by Citrix last month but not before it was weaponized as a zero-day at least since August 2023. It has been codenamed Citrix Bleed.
Shortly after the public disclosure, Google-owned Mandiant revealed it’s tracking four different uncategorized (UNC) groups involved in exploiting CVE-2023-4966 to target several industry verticals in the Americas, EMEA, and APJ.
The examination of various Linux-targeting ransomware families “reveals an interesting trend towards simplification, where their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the work to scripts and legitimate system tools.”
Check Point said the minimalist approach not only renders these ransomware families heavily reliant on external configurations and scripts but also makes them more easier to fly under the radar.
Source: https://thehackernews.com/
