LockBit ransomware group assemble strike team to breach banks, law firms and governments
by Kevin Beaumont, Nov 2023, DoublePulsar
Recently I've been tracking the LockBit ransomware group as they've been breaching large enterprises.

I thought it would be good to break down what is happening and how they're doing it, since LockBit are breaching some of the world's largest organisations, many of whom have incredibly large security budgets.

Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently it has become clear they have been targeting a vulnerability in Citrix Netscaler called CitrixBleed. Prior reading: doublepulsar.com

This has been done in a coordinated fashion amongst multiple LockBit operators: a strike team to break into organisations using CitrixBleed and then hold them to ransom.

The Strike

This vulnerability allows the bypass of all multifactor authentication controls and provides a point-and-click desktop PC within the impacted victim's internal network via VDI (think Remote Desktop, or RDP).

The patch became available on October 10th; however, as of writing, around five thousand organisations still have not installed it.

It is also incredibly easy to exploit, and initial exploitation leaves no logs at all, as Citrix Netscaler Gateway fails to log the exploit request, a product defect that Citrix really need to own and fix.

An initial challenge has been maintaining access, as hijacking a session boots off the legitimate user, and the legitimate user boots off the attacker when they reconnect.

To combat this, LockBit have been deploying remote access tools such as Atera, which does not trigger antivirus or EDR alerts, to allow remote interactive PowerShell requests without any visible signs to the end user. This access also persists after patching CitrixBleed.

The Team

After access is obtained, the victims are passed to the execution team. This team escalates privileges via a variety of techniques, terminates EDR controls, steals data and ultimately deploys ransomware.

The Victims

I am tracking over 10 victims currently being extorted, and lots more in initial stages. As a sample, these include:

Other victims with unpatched Citrix Netscaler devices for CitrixBleed on Shodan include Boeing, one of the world's largest defence companies, and DP World, a large freight shipping company that Australia relies upon.

Most of the victims are not listed on LockBit's portal, which suggests they are negotiating payment or have already paid.

So what?

Ransomware groups are often staffed almost entirely by teenagers and haven't been taken seriously as a threat for far too long. They are a threat to civil society as long as organisations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organisations is a challenge, as often people are chasing after the perceived next big thing (metaverse, remember that? NFTs, generative AI) without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is that teenagers are running around in organised crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don't have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours; if you cannot, there is a very real possibility it isn't the ideal product fit for your organisation, due to the level of risk it poses, and you need to rethink whether the architecture of your house is fit for purpose.

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organisations, or customers should vote with their wallets for more proven solutions. The reality is that many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late 90s, while also advertising themselves as the experts. Marketing is a hell of a drug.

In the case of ICBC, the world's biggest bank, Reuters report that the bank has paid the ransom. (www.reuters.com)

This feeds into my earlier blog about ransomware: doublepulsar.com

By LockBit earning hundreds of millions of dollars, they are able to purchase new exploits, tools, resources and people to carry out attacks.

How are schools, libraries and small businesses, the life blood of the global economy, with usually small IT budgets and nobody responsible for cybersecurity, supposed to compete with teenagers who have bigger attack budgets than their entire IT budget for a year, or in many cases a decade?

Governments need to aggressively pursue ransomware and stop payments. It is not a solved problem. Vendors need to make better secured products or be forced into action by governments. We need to break this cycle where civil society is suffering. Let's get to work.
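The session tug-of-war described in The Strike (the hijack boots the user off, the user boots the attacker off on reconnect) leaves a pattern on the gateway side: one session's source address flipping between two IPs within minutes. The following is an added detection sketch, not code from the post; the session records are constructed, and the field layout, thresholds and `session_flips` function are assumptions rather than NetScaler's own log format.

```python
"""Flag VPN/VDI sessions whose source IP alternates between addresses in quick
succession, the pattern produced when a hijacked session and its legitimate
owner keep booting each other off. Records below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, session_id, user, src_ip, event).
# Assumed layout; real gateway logs will need their own parser.
SAMPLE_EVENTS = [
    ("2023-10-12T09:00:00", "s1", "alice", "203.0.113.5", "connect"),
    ("2023-10-12T09:20:00", "s1", "alice", "198.51.100.9", "connect"),  # second party joins
    ("2023-10-12T09:21:00", "s1", "alice", "203.0.113.5", "connect"),   # original owner back
    ("2023-10-12T09:23:00", "s1", "alice", "198.51.100.9", "connect"),  # and back again
    ("2023-10-12T10:00:00", "s2", "bob", "192.0.2.20", "connect"),
    ("2023-10-12T18:00:00", "s2", "bob", "192.0.2.21", "connect"),      # hours apart: benign roaming
]

def session_flips(events, max_gap=timedelta(minutes=30), min_flips=3):
    """Return {session_id: (user, sorted list of source IPs, flip count)} for
    sessions whose source IP changed at least min_flips times, each change
    arriving within max_gap of the previous connect on the same session."""
    by_session = defaultdict(list)
    for ts, sid, user, ip, ev in events:
        if ev == "connect":
            by_session[sid].append((datetime.fromisoformat(ts), user, ip))
    suspicious = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological order per session
        flips = 0
        for (t0, _, ip0), (t1, _, ip1) in zip(rows, rows[1:]):
            if ip0 != ip1 and t1 - t0 <= max_gap:
                flips += 1
        if flips >= min_flips:
            ips = sorted({ip for _, _, ip in rows})
            suspicious[sid] = (rows[0][1], ips, flips)
    return suspicious

if __name__ == "__main__":
    for sid, (user, ips, n) in session_flips(SAMPLE_EVENTS).items():
        print(f"session {sid} ({user}) flipped source {n} times between {ips}")
```

Mobile users legitimately change addresses, so tune `max_gap` and `min_flips` against your own baseline before alerting on this.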
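Because the post notes that Atera-style remote access survives patching CitrixBleed, applying the patch is not remediation on its own; the follow-up hunt is for remote-management agents registered as services since the exposure began. This is an added example, not the post's code: it scans constructed Windows Event ID 7045 (service installed) records, and the RMM service/binary name list and the sanctioned-host allowlist are assumptions to tune per environment.

```python
"""Hunt Windows 'service installed' (Event ID 7045) records for remote-access
agents registered since a CitrixBleed exposure window opened.
The records below are constructed samples, not real event-log output."""
from datetime import datetime

# Atera is the tool named in the post; every service/binary string here is an
# assumption about how such agents register and should be tuned per environment.
RMM_INDICATORS = ("ateraagent", "atera networks", "anydesk", "screenconnect", "splashtop")

# Constructed 7045 samples: (timestamp, host, service name, image path)
SAMPLE_7045 = [
    ("2023-10-09T11:02:00", "ws-042", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("2023-10-14T03:17:00", "srv-fin-01", "AteraAgent",
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("2023-10-16T22:40:00", "ws-117", "Updater",          # bland name, RMM binary underneath
     r"C:\Users\Public\svc\anydesk.exe --service"),
    ("2023-11-02T09:00:00", "it-admin-03", "AteraAgent",  # IT's own sanctioned install
     r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
]

# The post gives October 10th as patch availability; start the window no later
# than the date your gateway became exploitable. Allowlist is a constructed assumption.
EXPOSURE_START = datetime(2023, 10, 10)
SANCTIONED_HOSTS = frozenset({"it-admin-03"})

def rmm_installs(records, since=EXPOSURE_START, sanctioned=SANCTIONED_HOSTS):
    """Return (host, service_name, matched_indicator, timestamp) for every
    service install on or after `since` whose name or image path looks like
    a remote-management agent, skipping hosts where RMM use is sanctioned."""
    hits = []
    for ts, host, svc, path in records:
        if datetime.fromisoformat(ts) < since or host in sanctioned:
            continue
        haystack = f"{svc} {path}".lower()
        matched = next((i for i in RMM_INDICATORS if i in haystack), None)
        if matched:
            hits.append((host, svc, matched, ts))
    return hits

if __name__ == "__main__":
    for host, svc, ind, ts in rmm_installs(SAMPLE_7045):
        print(f"{ts} {host}: service '{svc}' matches '{ind}', review for unauthorised remote access")
```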