
LockBit ransomware attacks have become even more sophisticated by exploiting the latest vulnerabilities.
Australian cybersecurity officials, the FBI, and CISA have jointly released a security advisory on how the group is exploiting the CitrixBleed vulnerability.
Though the exploit came into the limelight a month ago, many enterprises have been slow to patch their gear. The ShadowServer Foundation shows more than 3,000 affected devices, mostly in North America and Europe.
CISA ordered all federal civilian agencies on Oct. 18 to patch the bug and gave a deadline of Nov. 8 to complete the task. Obviously, as the graph shows, that hasn’t completely happened.
Boeing’s parts and distribution business was one of the victims of this vulnerability; it was attacked earlier this month with this exploit. The company confirmed it was hit with the latest LockBit ransomware, which leveraged Citrix Bleed to hijack legitimate user sessions on Citrix NetScaler web application delivery controllers and Gateway appliances.
Once inside a target’s network, the hackers employ various remote and network monitoring tools to gain further access and locate the ultimate server that will be encrypted with the ransomware.
The researchers posted the screenshot below showing the victim portal that offers a chat-based dialog along with a trial decrypt button to test the presence of LockBit.

That post also describes other details about the group, including the evolution of negotiation tools and techniques and its latest efforts at rebranding. Yes, even ransomware groups have to keep their brands front and center.

