

Rewterz Threat Update – More than 20,000 Microsoft Exchange Servers are Exposed and Vulnerable
December 5, 2023
Rewterz Threat Advisory – Multiple Dell DM5500 Vulnerabilities
December 5, 2023
Severity
High
Analysis Summary
Various threat actors, including affiliates of the LockBit ransomware group, are currently taking advantage of a recently disclosed vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances. The flaw is being exploited to gain initial access to targeted environments. The advisory on this activity is a collaborative effort from several cybersecurity entities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). The joint advisory underscores the severity and urgency of the issue, bringing together the expertise of multiple organizations to address and mitigate the threat posed by exploitation of the Citrix NetScaler vulnerability.
“Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation,” reads the report.
LockBit 3.0 affiliates have been leveraging Citrix Bleed for some time, as it allows attackers to bypass protections such as password requirements and multifactor authentication (MFA), which in turn lets them hijack legitimate user sessions on Citrix NetScaler ADC and Gateway appliances. Through the hijacked sessions the attackers obtain the elevated permissions they need to harvest credentials, access data and resources, and move laterally across the network.
This security flaw is tracked as CVE-2023-4966 with a CVSS score of 9.4 and was addressed by Citrix in October. However, it has been weaponized as a zero-day vulnerability since as early as August 2023. A while after it was publicly disclosed, Google’s researchers said that they had been tracking four different uncategorized (UNC) groups that were exploiting CVE-2023-4966 for targeting multiple industries in the Americas, APJ, and EMEA.
LockBit, the newest threat actor to engage in exploitation, has been identified leveraging the disclosed security flaw. This actor is utilizing the vulnerability to execute PowerShell scripts and deploy remote management and monitoring (RMM) tools such as AnyDesk and Splashtop for subsequent actions. This occurrence reaffirms the persistent reality that vulnerabilities in publicly accessible services remain a primary avenue for initiating ransomware attacks.
The disclosure comes as cybersecurity analysts released a study of ransomware attacks targeting Windows and Linux, which found that a majority of ransomware families targeting Linux use the OpenSSL library with AES/RSA and ChaCha20/RSA algorithms. Linux ransomware also tends to target medium and large organizations, whereas Windows ransomware aims more at the general user base.
Impact
- Information Disclosure
- Security Bypass
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
IP
- 192.229.221.95
- 193.201.9.224
- 62.233.50.25
- 51.91.79.17
- 185.17.40.178
- 45.129.137.233
- 81.19.135.219
MD5
- acbabe0d638b3e321237f820219fc216
- 047ffba81cfbde1ff8ef49a77c7699eb
SHA-256
- cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63
- ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44
SHA-1
- 46a8022ce445f74acec30bbbd589d3ad1ee6d483
- be9ecfa72e173799f350f5936b6b33bfcbf2f80b
Domain Name
- adobe-us-updatefiles.digital
Remediation
- Refer to Citrix Security Advisory for patch, upgrade or suggested workaround information.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
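The remediation step above asks defenders to search their environment for the published indicators. The following script is an added example, not code from the Rewterz advisory or from the cited agencies: it loads the IP addresses, domain, and file hashes listed under Indicators of Compromise and matches them against log lines. It goes one step beyond the indicator list by also flagging the AnyDesk and Splashtop RMM tool names the advisory associates with post-exploitation activity, reported as a separate, lower-confidence kind because both are legitimate products. The log lines, their key=value layout, and the host and user names in them are constructed for the example and are not real telemetry.

```python
"""Match the Citrix Bleed advisory's indicators against log lines.

Added example, not code from the Rewterz advisory. The indicator values are
copied from the advisory; the log lines and field names are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators of compromise as published in the advisory above.
IOC_IPS = {
    "192.229.221.95", "193.201.9.224", "62.233.50.25", "51.91.79.17",
    "185.17.40.178", "45.129.137.233", "81.19.135.219",
}
IOC_DOMAINS = {"adobe-us-updatefiles.digital"}
IOC_HASHES = {
    "acbabe0d638b3e321237f820219fc216",                                  # MD5
    "047ffba81cfbde1ff8ef49a77c7699eb",                                  # MD5
    "46a8022ce445f74acec30bbbd589d3ad1ee6d483",                          # SHA-1
    "be9ecfa72e173799f350f5936b6b33bfcbf2f80b",                          # SHA-1
    "cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63",  # SHA-256
    "ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44",  # SHA-256
}
# RMM tools the advisory says LockBit affiliates deploy after gaining access.
# Both are legitimate products, so a match is a lead to triage, not proof of
# compromise; it is reported under its own kind for that reason.
RMM_TOOLS = {"anydesk", "splashtop"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest digest first; \b keeps a 64-hex SHA-256 from matching as a 32-hex MD5.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def find_iocs(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for each advisory indicator found in one line."""
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append(("hash", digest.lower()))
    for name in DOMAIN_RE.findall(line):
        if name.lower() in IOC_DOMAINS:
            hits.append(("domain", name.lower()))
    lowered = line.lower()
    for tool in sorted(RMM_TOOLS):
        if tool in lowered:
            hits.append(("rmm_tool", tool))
    return hits


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan an iterable of log lines and return one record per indicator hit."""
    records: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for kind, value in find_iocs(line):
            records.append({"line": number, "kind": kind, "value": value})
    return records


# Constructed sample lines (not real telemetry) in a generic key=value layout.
SAMPLE_LOGS = [
    "2023-11-20T10:02:11Z netscaler vserver=gw1 client=192.229.221.95 event=session_resume",
    "2023-11-20T10:05:43Z dns client=10.0.0.12 query=adobe-us-updatefiles.digital rcode=NOERROR",
    "2023-11-20T10:06:01Z edr host=ws17 path=C:\\Users\\Public\\setup.exe "
    "sha256=cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63",
    "2023-11-20T10:07:15Z edr host=ws17 process=AnyDesk.exe parent=powershell.exe",
    "2023-11-20T10:08:30Z proxy client=10.0.0.13 dst=93.184.216.34 url=https://example.com/",
]

if __name__ == "__main__":
    for record in scan(SAMPLE_LOGS):
        print(f"line {record['line']}: {record['kind']} {record['value']}")
```

Run against the sample, the script reports the NetScaler session from a listed IP, the DNS query for the listed domain, the file whose SHA-256 matches, and the AnyDesk process, while ignoring the proxy line that has no indicator. To use it on real data, feed `scan()` the lines of your NetScaler, DNS, EDR, and proxy exports; exact-match lookups against the sets keep it cheap to run over large files, and the regular expressions only extract candidate tokens, so a hash or IP that appears in any field layout is still found.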