LockBit 3.0 and Citrix Bleed Vulnerability (CVE-2023-4966)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on LockBit 3.0 ransomware affiliates exploiting CVE-2023-4966, also known as Citrix Bleed, a vulnerability in Citrix NetScaler ADC and Gateway appliances. LockBit 3.0 targets various critical sectors and uses Citrix Bleed to bypass multifactor authentication (MFA).

LockBit 3.0 affiliates exploit Citrix Bleed to circumvent password requirements and multifactor authentication (MFA) and hijack legitimate user sessions on Citrix NetScaler ADC and Gateway systems. With control of these sessions, the attackers obtain elevated access, which allows them to harvest credentials, move laterally across the network, and reach data and resources.

Affected Citrix NetScaler Versions

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
  • NetScaler ADC 13.1FIPS before 13.1-37.163
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300
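To turn the list above into a check, here is an added example (not code from the advisory, CISA or Citrix) that parses a NetScaler build string and reports whether it falls in one of the affected ranges listed here. The accepted input formats (the advisory's "13.1-49.15" notation and the "NS13.1: Build 49.15.nc" fragment printed by `show ns version`) are assumptions.

```python
import re

# Affected version list from the advisory, keyed by (variant, release train).
# The value is the first fixed build (major, minor); None means no fixed build
# exists (the standard 12.1 train is EOL, so every build is treated as affected).
FIRST_FIXED_BUILD = {
    ("standard", "14.1"): (8, 50),
    ("standard", "13.1"): (49, 15),
    ("standard", "13.0"): (92, 19),
    ("standard", "12.1"): None,
    ("fips", "13.1"): (37, 163),
    ("fips", "12.1"): (55, 300),
    ("ndcpp", "12.1"): (55, 300),
}

# Assumed input formats (not taken from the advisory): the advisory's own
# "13.1-49.15" / "13.1FIPS-37.163" notation, or the "NS13.1: Build 49.15.nc"
# fragment that `show ns version` prints on the appliance.
_ADVISORY_RE = re.compile(
    r"^(?P<train>\d+\.\d+)(?:-?(?P<variant>FIPS|NDcPP))?-(?P<major>\d+)\.(?P<minor>\d+)$",
    re.IGNORECASE,
)
_SHOW_VERSION_RE = re.compile(
    r"NS(?P<train>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)", re.IGNORECASE
)

def parse_version(text):
    """Return (variant, train, (major, minor)), or None if the string is not understood."""
    m = _ADVISORY_RE.match(text.strip()) or _SHOW_VERSION_RE.search(text)
    if not m:
        return None
    variant = (m.groupdict().get("variant") or "standard").lower()
    return variant, m.group("train"), (int(m.group("major")), int(m.group("minor")))

def is_affected(text):
    """True if the build is below the fixed build for its train, False if at or above it,
    None if the train/variant is not in the advisory list (no claim either way)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    variant, train, build = parsed
    if (variant, train) not in FIRST_FIXED_BUILD:
        return None
    fixed = FIRST_FIXED_BUILD[(variant, train)]
    return True if fixed is None else build < fixed

if __name__ == "__main__":  # constructed sample inputs
    for sample in ("14.1-8.49", "13.1-49.15", "13.1FIPS-37.162", "12.1-65.25",
                   "NetScaler NS13.0: Build 92.18.nc, Date: Oct 10 2023"):
        print(sample, "->", is_affected(sample))
```

A result of None means the string was either unparseable or belongs to a train this advisory does not list, so treat it as "check manually" rather than "not affected".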

Indicators of Compromise (IOC)

IP Addresses

  • 192.229.221[.]95: Called out to by Mag.dll; ties back to dns0.org.
  • 193.201.9[.]224: FTP connection to this Russian-geolocated IP from a compromised system.
  • 62.233.50[.]25: Another Russian-geolocated IP.
  • 51.91.79[.]17: Associated with Temp.sh.
  • 70.37.82[.]20: Seen from a known compromised account reaching out to an Altera IP address.
  • 185.17.40[.]178: TeamViewer LockBit C2, linked to a Polish service provider.
  • 172.67.129[.]176 and 104.21.1[.]180: Used to download obfuscated toolsets.

Tools

Remote Administration: TeamViewer, AnyDesk, Splashtop.

Network Scanning and Command Execution: Plink.exe, Netscan.exe.

PowerShell Scripts: 123.ps1

Persistence Mechanism

Scheduled Tasks: \MEGA\MEGAcmd, UpdateAdobeTask

MITRE ATT&CK Tactics and Techniques

Technique ID | Technique Name | Use
T1082 | System Information Discovery | Threat actors will attempt to obtain information about the operating system and hardware, including versions and patches.
T1556.006 | Modify Authentication Process: Multi-Factor Authentication | Threat actors leverage vulnerabilities found within CVE- to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access.
T1539 | Steal Web Session Cookie | Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens.

More actionable intelligence can be obtained from the Alienvault OTX Pulse.