Ransomware
CISA Advisory AA23-325A / Computer Weekly / Help Net Security
Primary Source
Incident Details
LockBit 3.0 affiliates exploited Citrix Bleed (CVE-2023-4966) to breach Boeing Distribution Inc. (Boeing's parts and distribution business). Extraction of valid session tokens from Citrix NetScaler memory allowed the attackers to bypass authentication and MFA. Ransomware was deployed and employee PII exfiltrated. LockBit initially listed Boeing on its leak site in Nov 2023. CVE-2023-4966 had been actively exploited since Aug 2023 and was also exploited in attacks on the Industrial & Commercial Bank of China (ICBC, disrupting the US Treasury bond market), DP World Australia and the law firm Allen & Overy. CVSS 9.4.
Technical Details
- Initial Attack Vector
- CWE-200: Exposure of Sensitive Information (Citrix Bleed: memory disclosure of valid session tokens, enabling authentication bypass)
- Vendor / Product
- Citrix NetScaler ADC / NetScaler Gateway
- Malware Family
- LockBit 3.0
- CVE / GHSA References
- CVE-2023-4966
Timeline
- 2023-10-01 Breach occurred
- 2023-11-01 Publicly disclosed
- unknown Customers notified