#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

November 21, 2023 at 11:29AM

This joint Cybersecurity Advisory (CSA) aims to provide network defenders with information about the LockBit 3.0 ransomware and its exploitation of the CVE-2023-4966 vulnerability affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. The CSA includes tactics, techniques, and indicators of compromise (IOCs) obtained from various organizations, including Boeing. It is recommended that network administrators apply the provided mitigations and detection methods to protect their networks. Details of the vulnerability and threat actor activity are also provided.

Based on the meeting notes, the following are the key takeaways:

1. The joint Cybersecurity Advisory (CSA) is part of the ongoing #StopRansomware efforts to publish advisories for network defenders to protect against ransomware, specifically LockBit 3.0 ransomware exploiting CVE-2023-4966.

2. LockBit 3.0 affiliates have been observed exploiting CVE-2023-4966, labeled Citrix Bleed, to bypass password requirements and multifactor authentication (MFA) on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.

3. LockBit 3.0 affiliates target organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation.

4. Network administrators are strongly encouraged to apply the recommended mitigations, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.

5. Network defenders should actively hunt for malicious activity on their networks using the provided detection methods and IOCs (Indicators of Compromise). If a compromise is detected, incident response recommendations should be followed. If no compromise is detected, patches should be applied immediately.

6. The CVE-2023-4966 vulnerability was found in Citrix NetScaler ADC and Gateway appliances and allows threat actors to bypass MFA and hijack legitimate user sessions.

7. LockBit 3.0 affiliates exploit CVE-2023-4966 by sending a crafted HTTP GET request with a modified HTTP Host header, leading to the vulnerable appliance returning system memory information and obtaining a valid NetScaler AAA session cookie.

8. Citrix has publicly disclosed CVE-2023-4966 and issued guidance, affected product details, IOCs, and recommendations.

9. The vulnerability impacts specific software versions of NetScaler ADC and Gateway, including older versions that have reached end-of-life.

10. Due to the ease of exploitation, widespread exploitation of the Citrix vulnerability is expected in unpatched software services across private and public networks.

These takeaways provide an overview of the meeting notes and highlight the important information discussed regarding LockBit 3.0 ransomware, the CVE-2023-4966 vulnerability, and the recommended actions for network defenders.

Full Article