The ransomware group, LockBit 3.0, targeted multinational corporation Boeing and other organizations by exploiting a vulnerability in Citrix’s software, commonly referred to as Citrix Bleed.
LockBit 3.0, a ransomware group based in Russia, recently admitted to being behind the attack on Boeing last month. According to CSO, LockBit later removed Boeing’s name from the leak site and pushed back the deadline for payment. Despite any potential negotiations between the two parties, the ransomware group went ahead and released approximately 50GB of data that they claimed to have stolen from Boeing’s systems. It is suspected that LockBit has targeted up to 800 organizations in 2023 alone.
Citrix Bleed Vulnerability
SC Media reported that LockBit showcased screenshots of stolen data from Boeing featuring a multitude of Citrix logs, indicating that the breach might have been enabled by exploiting the Citrix Bleed vulnerability. Boeing has verified that certain aspects of their parts and distribution enterprise encountered a cybersecurity event.
The Reuters news agency carried this statement from Boeing, one of the world’s largest aviation and defence contractors, “We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems. We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate.”
$90M Ransom Payments
LockBit has reportedly received ransom payments of up to $90 million from US organizations affected by their ransomware attacks according to CPO Magazine. These estimates cover the period from 2020 to mid-2023, highlighting the significant financial impact caused by LockBit since its inception in 2020. The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and Australian Cyber Security Center, issued an advisory after analyzing the data voluntarily provided by Boeing. “Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances,” said the cybersecurity advisory.
LockBit has swiftly risen to become the foremost ransomware menace worldwide within a span of just three years, states the New York Post. Notably, it is suspected to have targeted prominent entities such as the Industrial & Commercial Bank of China (ICBC), Allen & Overy law firm, and the UK’s Royal Mail. The assault on ICBC’s US division, the largest lender in China, was so severe that it caused trade disruptions in the US Treasury markets recently. Its impact has been particularly disruptive in the United States, affecting over 1,700 American organizations across various sectors including government departments, education, food, financial services, and transportation.
SentryBay Shields Sensitive Data
“As confirmed by CISA, multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments,” said Jeremy Greenwood, Enterprise Global Sales Lead, SentryBay. “SentryBay’s unique enforcement mechanism mitigates against token hijacking, which nullifies the Citrix Netscaler Bleed vulnerabilities. SentryBay stands ready to deliver protection to any organisations that need to shield sensitive data accessed via NetScaler.”
