LockBit ransomware affiliates actively exploiting Citrix Bleed vulnerability

Citrix Bleed allows threat actors to bypass password requirements and multifactor authentication

Michael Hill
11/22/2023


LockBit ransomware affiliates are actively exploiting the “Citrix Bleed” vulnerability, a new cyber security advisory has warned. The advisory, published by the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC) and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), disseminates the tactics being used by the threat actors to exploit the flaw, which affects Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

Citrix Bleed (CVE-2023-4966) allows threat actors to bypass password requirements and multifactor authentication (MFA), hijack legitimate user sessions and acquire elevated permissions to harvest credentials, move laterally and access data and resources.

CISA and the authoring organizations strongly encourage network administrators to implement mitigations which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center, the advisory read.

Citrix Bleed likely to be widely exploited in private and public networks

Due to the ease of the exploitation of CVE-2023-4966, CISA and the authoring organizations stated that they expect to see “widespread exploitation” of the vulnerability in unpatched software services throughout both private and public networks. “Malware identified in this campaign is generated beginning with the execution of a PowerShell script which concatenates two base64 strings together, converts them to bytes and writes them to the designated file path,” according to the advisory.

Hunting for Citrix Bleed compromise and LockBit activity

Organizations are encouraged to assess Citrix software and systems for evidence of compromise, and to hunt for malicious activity. “If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious code.”

Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system, new account creation, log item failure or running commands such as hostname, quser, whoami, net and taskkill, the advisory read. “Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection,” it added.

The following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity:

  • Search for filenames that contain tf0gYx2YI to identify LockBit encrypted files.
  • LockBit 3.0 actors were seen using the C:\Temp directory for loading and executing files.
  • Investigate requests to the HTTP/S endpoint from WAF.
  • Hunt for suspicious login patterns from NetScaler logs.
  • Hunt for suspicious virtual desktop agent Windows Registry keys.
  • Analyze memory core dump files.
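As an added example (not code from the advisory or this article), the in-session command check described earlier and the filename and C:\Temp hunts in the list above can be run as one pass over endpoint telemetry. The event format, the five-minute window and the three-command threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands the advisory lists as in-session hunting signals.
RECON_CMDS = {"hostname", "quser", "whoami", "net", "taskkill"}
LOCKBIT_MARKER = "tf0gYx2YI"      # substring of LockBit-encrypted filenames
STAGING_DIR = "c:\\temp\\"        # directory LockBit 3.0 actors used for loading/execution
WINDOW = timedelta(minutes=5)     # burst window (assumed tuning value, not from the advisory)
MIN_DISTINCT = 3                  # distinct recon commands needed to flag a burst (assumed)

# Constructed sample telemetry: process-creation and file-create events.
SAMPLE_EVENTS = [
    {"ts": "2023-11-20T09:00:05", "type": "process", "user": "corp\\jdoe", "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": "2023-11-20T09:00:09", "type": "process", "user": "corp\\jdoe", "image": r"C:\Windows\System32\quser.exe"},
    {"ts": "2023-11-20T09:01:30", "type": "process", "user": "corp\\jdoe", "image": r"C:\Windows\System32\net.exe"},
    {"ts": "2023-11-20T09:20:00", "type": "process", "user": "corp\\jdoe", "image": r"C:\Temp\svc.exe"},
    {"ts": "2023-11-20T09:25:00", "type": "file", "user": "corp\\jdoe", "path": r"\\fs01\share\Q3-report.xlsx.tf0gYx2YI"},
    {"ts": "2023-11-20T10:00:00", "type": "process", "user": "corp\\admin", "image": r"C:\Windows\System32\hostname.exe"},
]

def detect(events):
    """Return (rule, user, detail) findings for the three hunts above."""
    findings = []
    recon_by_user = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            image = ev["image"].lower()
            exe = image.rsplit("\\", 1)[-1].removesuffix(".exe")
            if exe in RECON_CMDS:
                recon_by_user[ev["user"]].append((ts, exe))
            if image.startswith(STAGING_DIR):
                findings.append(("exec_from_c_temp", ev["user"], ev["image"]))
        elif ev["type"] == "file" and LOCKBIT_MARKER in ev["path"]:
            findings.append(("lockbit_marker", ev["user"], ev["path"]))
    # Sliding window: several distinct recon commands by one user in a short span.
    for user, cmds in recon_by_user.items():
        cmds.sort()
        for i, (start, _) in enumerate(cmds):
            seen = {c for t, c in cmds[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                findings.append(("recon_burst", user, sorted(seen)))
                break
    return findings

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {user:12} {detail}")
```

A single hostname or whoami by an administrator does not fire the burst rule; the threshold is what keeps it from alerting on routine use.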

If a potential compromise is detected, organizations should:

  • Quarantine or take offline potentially affected hosts.
  • Reimage compromised hosts.
  • Create new account credentials.
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.

How to mitigate Citrix Bleed exploitation threats

The advisory recommended that organizations implement the mitigations below to reduce the risk of compromise associated with CVE-2023-4966 and LockBit 3.0 ransomware and ransomware affiliates:

  • Isolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable.
  • Secure remote access tools by implementing application controls to manage and control the execution of software, including allowlisting remote access programs.
  • Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services.
  • Restrict the use of PowerShell.
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions.
  • Enable enhanced PowerShell logging.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers.
  • Require all accounts with password logins to comply with NIST’s standards for developing and managing password policies.
  • Keep all operating systems, software and firmware up to date.

“In addition to applying mitigations, CISA recommends exercising, testing and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework,” the advisory stated.

Earlier this month, LockBit operators published 43GB of data stolen from Boeing after the aerospace giant refused to give in to ransom demands following a cyber attack.
