Security Alerts

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

LockBit ransomware affiliates, among other threat actors, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler ADC and Gateway appliances, according to a joint advisory from CISA, FBI, MS-ISAC, and ASD's ACSC. Known as Citrix Bleed (CVE-2023-4966), the vulnerability allows attackers to bypass password requirements and multifactor authentication, enabling successful session hijacking. This grants malicious actors elevated permissions to harvest credentials, move laterally, and access data. Although Citrix addressed the flaw last month, it had been weaponized as a zero-day since at least August 2023. LockBit has joined the exploitation, using the vulnerability to execute PowerShell scripts and deploy remote management tools for follow-on activities. The incident highlights the continued risk of vulnerabilities in exposed services as primary entry points for ransomware attacks.

Check Point's comparative study notes that Linux-targeting ransomware, prevalent in medium and large organizations, exhibits a trend towards simplification, relying heavily on external configurations and scripts. This minimalist approach enhances its ability to evade detection.

Link

https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html