US, Australian security agencies warn of LockBit 3.0 ransomware exploiting Citrix Bleed vulnerability

The U.S. and Australian security agencies on Tuesday rolled out a joint cybersecurity advisory that disseminates indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed. The vulnerability affects Citrix NetScaler web application delivery controller (ADC) and NetScaler Gateway appliances.

The advisory “provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) said in the advisory. “Other trusted third parties have observed similar activity impacting their organization.”

Last week, the LockBit ransomware gang published data stolen from aerospace company Boeing. Before the leak, LockBit hackers said that Boeing ignored warnings that data would become publicly available and threatened to publish a sample of about 4GB of the most recent files. LockBit ransomware has leaked more than 43 GB of files from Boeing after the company refused to pay a ransom.

Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows hackers to bypass password requirements and multi-factor authentication (MFA), leading to successful hijacking of legitimate user sessions on Citrix NetScaler web ADC and Gateway appliances. Through the takeover of legitimate user sessions, malicious hackers acquire elevated permissions to harvest credentials, move laterally, and access data and resources.

Historically, LockBit affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation.

The Citrix Bleed software vulnerability was found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. The vulnerability provides hackers, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA and hijack legitimate user sessions.

“After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens,” the advisory disclosed. “Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information. The information obtained through this exploit contains a valid NetScaler AAA session cookie.”

Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix Bleed vulnerability in unpatched software services throughout both private and public networks. 

The advisory pointed out that the malware identified in this campaign is staged by a PowerShell script (123[dot]ps1) that concatenates two base64 strings, converts the result to bytes, and writes those bytes to a designated file path. The resulting file (adobelib[dot]dll) is then executed by the PowerShell script using rundll32[dot]rundll32.

The Dynamic Link Library (DLL) will not execute correctly without a 104-hex-character key, the advisory pointed out. “Although adobelib[dot]dll and the adobe-us-updatefiles[dot]digital have the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified interactions with the software,” it added.

The advisory identified other observed activities, including the use of a variety of TTPs commonly associated with ransomware activity. “For example, LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring (RMM), Batch and PowerShell scripts, the execution of HTA files using the Windows native utility mshta[dot]exe and other common software tools typically associated with ransomware incidents,” it added.

“Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system (e.g., putty, rClone), new account creation, log item failure, or running commands such as hostname, quser, whoami, net, and taskkill,” the advisory detailed. “Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection.”
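The hunt the advisory describes can be expressed as a small rule set over process-creation events. The following is an added example, not code from the advisory or the agencies: it runs over constructed Sysmon/4688-style events and flags, per user, the recon command cluster (hostname, quser, whoami, net, taskkill), the tools named above (putty, rClone, AnyDesk, Splashtop, mshta), and a DLL launched via rundll32 from a PowerShell parent as in the adobelib[dot]dll loader. The user names, the `C:\Users\Public` path and the `<key>` placeholder are assumptions.

```python
"""Hunt rules for the LockBit 3.0 post-exploitation pattern in the advisory,
run over constructed process-creation events (Sysmon Event ID 1 / 4688 style)."""
import re
from collections import defaultdict

# Commands the advisory lists as hunt indicators when run from a hijacked session.
RECON_CMDS = {"hostname", "quser", "whoami", "net", "taskkill"}
# Tools the advisory says affiliates install or use (lowercased binary names).
TOOL_NAMES = {"putty", "rclone", "anydesk", "splashtop", "mshta"}

# Constructed sample events: (user, parent_image, image, command_line).
# Users, paths and the <key> argument are assumptions, not advisory IOCs.
SAMPLE_EVENTS = [
    ("CORP\\jdoe", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("CORP\\svc-vpn", "cmd.exe", "hostname.exe", "hostname"),
    ("CORP\\svc-vpn", "cmd.exe", "quser.exe", "quser"),
    ("CORP\\svc-vpn", "cmd.exe", "whoami.exe", "whoami /all"),
    ("CORP\\svc-vpn", "cmd.exe", "net.exe", "net group \"Domain Admins\" /domain"),
    ("CORP\\svc-vpn", "powershell.exe", "rundll32.exe",
     "rundll32 C:\\Users\\Public\\adobelib.dll,main <key>"),
    ("CORP\\svc-vpn", "explorer.exe", "rclone.exe", "rclone sync C:\\share remote:bucket"),
]

def hunt(events, recon_threshold=3):
    """Return per-user findings: a recon command cluster of at least
    recon_threshold distinct commands, suspicious tools, and DLLs launched
    through rundll32 whose parent process is PowerShell."""
    per_user = defaultdict(lambda: {"recon": set(), "tools": set(), "dll_launch": []})
    for user, parent, image, cmdline in events:
        base = image.lower().removesuffix(".exe")
        first = cmdline.split()[0].lower().removesuffix(".exe") if cmdline.strip() else ""
        if first in RECON_CMDS:
            per_user[user]["recon"].add(first)
        if base in TOOL_NAMES:
            per_user[user]["tools"].add(base)
        if base == "rundll32" and parent.lower() == "powershell.exe":
            # Pull the DLL path out of the command line for the analyst.
            m = re.search(r"([A-Za-z]:\\[^\s,]+\.dll)", cmdline, re.IGNORECASE)
            per_user[user]["dll_launch"].append(m.group(1) if m else cmdline)
    findings = {}
    for user, d in per_user.items():
        if len(d["recon"]) >= recon_threshold or d["tools"] or d["dll_launch"]:
            findings[user] = {k: sorted(v) if isinstance(v, set) else v for k, v in d.items()}
    return findings

if __name__ == "__main__":
    for user, finding in hunt(SAMPLE_EVENTS).items():
        print(user, finding)
```

A single whoami from one user is below the threshold and is not reported on its own; the cluster, the tool, or the PowerShell-parented rundll32 launch is what raises the finding.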

Organizations are encouraged to assess Citrix software and their systems for evidence of compromise and to hunt for malicious activity. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as install malicious code.

CISA and the authoring organizations called upon network administrators to apply various mitigations identified in the Citrix Bleed advisory, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center. 

The advisory called upon critical infrastructure organizations to isolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable, and to secure remote access tools by implementing application controls that manage and control the execution of software, including allowlisting remote access programs. They must also limit the use of RDP and other remote desktop services, restrict the use of PowerShell using Group Policy, and grant access only to specific users on a case-by-case basis.

It also urged organizations to implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. It further called for all accounts with password logins to comply with NIST’s standards for developing and managing password policies.

Also, the agencies encouraged network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.

CISA announced last week a pilot program designed to deliver cybersecurity shared services voluntarily to critical infrastructure entities that are most in need of support. The agency has acted as a managed service provider (MSP) to the federal civilian government for years and observed significant risk reduction along with the benefits of cost-savings and standardization.