CitrixBleed Linked to Ransomware Hit on Chinas State-Owned Bank

CISA this week joined several others in urging customers of Citrix NetScaler devices not to delay patching any longer amid reports of mass-exploit activity; 5,000 ors remain exposed.

A disruptive ransomware attack on Industrial and Commercial Bank of China (ICBC) this week, may be tied to a critical vulnerability that Citrix disclosed in its NetScaler technology last month and highlights why organizations need to immediately patch against the threat if they haven’t done so already.
The so-called “CitrixBleed” vulnerability (
CVE-2023-4966
) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.
The vulnerability has a severity score of 9.4 out of a maximum possible 10 on the CVSS 3.1 scale and gives attackers a way to steal sensitive information and hijack user sessions.
Mass Exploitation
Threat actors have been
actively exploiting the flaw
since August 2023, or several weeks before Citrix issued updated versions of affected software on October 10. Researchers at Mandiant who discovered and reported the flaw to Citrix have also strongly recommended that organizations
terminate all active sessions
on each affected NetScaler device because of the potential for authenticated sessions to persist even after the update.
The ransomware attack on the US arm of the state owned ICBC, one of the largest banks in the world, appears to be one public manifestation of the exploit activity. In a
statement
earlier this week, the bank disclosed that it had experienced a ransomware attack on Nov 8 that had disrupted some of its systems. The
Financial Times
and other outlets quoted sources as informing them about LockBit ransomware operators as being behind the attack.
Security researcher
Kevin Beaumont pointed to an unpatched Citrix NetScaler at ICBC
box on Nov 6 as one potential attack vector for the LockBit actors. “As of writing this toot, over 5000 orgs still haven’t patched
#CitrixBleed
,” Beaumont said. “It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs - it gives attackers a fully interactive Remote Desktop PC the other end.”
Attacks on unmitigated NetScaler devices have assumed
mass exploitation
status in recent weeks. Publicly available
technical details
of the flaw has fueled at least some of the activity.
A report from
ReliaQuest this week indicated that at least four organized threat groups
are currently targeting the flaw. One of the groups has automated exploitation of CitrixBleed. ReliaQuest reported observing “multiple unique customer incidents featuring Citrix Bleed exploitation” just between Nov 7 and Nov 9.
“ReliaQuest has identified multiple cases in customer environments in which threat actors have used the Citrix Bleed exploit,” ReliaQuest said. “Having gained initial access, the adversaries quickly enumerated the environment, with a focus on speed over stealth,” the company noted. In some incidents the attackers exfiltrated data and in others they appear to ahev attempted to deploy ransomware, ReliaQuest said.
Latest data from Internet traffic analysis firm GreyNoise shows attempts to exploit CitrixBleed from at least
51 unique IP addresses
—down from around 70 in late October.
CISA Issues Guidance on CitrixBleed
The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue
fresh guidance
and resources this week on addressing the CitrixBleed threat. CISA warned of “active, targeted exploitation” of the bug in urging organizations to “update unmitigated appliances to the updated versions” that Citrix released last month.
The vulnerability itself is a buffer overflow issue that enables sensitive information disclosure. It affects on-premises versions of NetScaler when configured as an Authentication, Authorization and Accounting (AAA) or as a gateway device such as a VPN virtual server or an ICA or RDP Proxy,
Citrix has described the flaw as remotely exploitable and involving low attack complexity, no special privileges, and no user interaction.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
CitrixBleed Linked to Ransomware Hit on Chinas State-Owned Bank