Hello to all of you. 🙂
Introduction:
The recently discovered Citrix Bleed vulnerability (CVE-2023-4966) poses a serious threat to computer security. Stemming from a security flaw in Citrix products, this vulnerability has the potential to allow malicious actors to infiltrate systems and gain access to sensitive information.
Vulnerability Description:
Citrix Bleed is a specific security vulnerability in Citrix products. By permitting unauthorized access, the flaw enables attackers to breach systems and access user data. Exploiting it, adversaries can infiltrate corporate networks and compromise confidential information.
CVE-2023-4966 Details:
The Citrix Bleed vulnerability is tracked as CVE-2023-4966. It originates from a code weakness in specific Citrix products, and Citrix recommends that users address the issue promptly by applying the available security patches.
Affected Products/Versions:
The Citrix Bleed vulnerability impacts specific Citrix products. The following versions of NetScaler ADC and Gateway devices are affected by this security flaw:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Users should verify if they are affected by checking Citrix’s official security advisories.
Protection and Measures:
Citrix strongly recommends users promptly apply security patches related to this vulnerability. Additionally, keeping security software up to date, adopting strong password policies, and monitoring network traffic are crucial protective measures.
Threat Actor Operations:
In the context of this campaign, the malware initiation process commences with the execution of a PowerShell script (123.ps1). This script amalgamates two base64 strings, transforms them into bytes, and then deposits the resulting content into the specified file path.
Subsequently, the executed PowerShell script triggers the operation of the resulting file (adobelib.dll) using rundll32.
rundll32 C:\Users\Public\adobelib.dll,main <104 hexadecimal character key>
It’s crucial to note that the Dynamic Link Library (DLL) will only execute successfully when accompanied by the specific 104-character hexadecimal key. Post-execution, the DLL endeavors to dispatch a POST request to https://adobe-us-updatefiles[.]digital/index.php, with associated IP addresses identified as 172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. Despite the seemingly legitimate appearance of adobelib.dll and the adobe-us-updatefiles[.]digital domain, neither is affiliated with authentic Adobe software, and no discernible connection with the legitimate software has been identified.
Other noteworthy activities encompass a spectrum of Tactics, Techniques, and Procedures (TTPs) commonly linked to ransomware operations. LockBit 3.0 affiliates, for instance, employ remote management and monitoring (RMM) tools such as AnyDesk and Splashtop, leverage Batch and PowerShell scripts, execute HTML Application (HTA) files via the native Windows utility mshta.exe, and utilize various software tools typically associated with ransomware incidents.
Detection Rules:
Sigma Rule: Citrix Bleed CVE-2023-4966 Vulnerability
title: Possible Citrix Bleed CVE-2023-4966 Vulnerability (via webserver)
id: aaa4dd85-c5d5-4079-aee2-3cc2c48501d9
status: stable
description: This rule detects a possible Citrix Bleed CVE-2023-4966 exploitation attempt.
author: Mehmet Kadir CIRIK
references:
  - https://www.cyfirma.com/outofband/citrix-bleed-cve-2023-4966-vulnerability-analysis-and-exploitation/
  - https://github.com/0xKayala/CVE-2023-4966/blob/main/banner.py
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: GET
    c-uri|contains:
      - 'oauth/idp/.well-known/openid-configuration'
  condition: selection
falsepositives:
  - Vulnerability scanner applications
level: critical
QRADAR:
SELECT UTF8(payload) FROM events WHERE UTF8(payload) ILIKE '%GET%' AND "URL" ILIKE '%oauth/idp/.well-known/openid-configuration%'
Splunk:
index=* (cs-method="GET" AND (c-uri="*oauth/idp/.well-known/openid-configuration*"))
ArcSight:
(requestMethod = "GET" AND (requestUrl CONTAINS "oauth/idp/.well-known/openid-configuration"))
Sigma Rule 2: StopRansomware – LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
title: Suspicious StopRansomware - LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability via Detection of Associated Command Line Parameters (via process_creation)
id: 6f6a3a76-45fb-4ce3-b81a-8de3b349655b
status: stable
description: This rule detects command-line parameters associated with LockBit 3.0 ransomware affiliates exploiting the CVE-2023-4966 Citrix Bleed vulnerability (CISA StopRansomware advisory AA23-325A).
author: Mehmet Kadir CIRIK
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
tags:
  - attack.execution
  - attack.persistence
  - attack.t1053
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: \rundll32.exe
    CommandLine|contains|all:
      - '\Users\Public'
      - 'adobelib.dll'
      - 'main'
  condition: selection
falsepositives:
  - Unknown
level: high
QRADAR:
SELECT UTF8(payload) FROM events WHERE UTF8(payload) ILIKE '%12%' AND CATEGORYNAME(category)='Process Creation Success' AND "Image" ILIKE '%\rundll32.exe' AND "Process CommandLine" ILIKE '%\Users\Public%' AND "Process CommandLine" ILIKE '%adobelib.dll%' AND "Process CommandLine" ILIKE '%main%'
Splunk:
index=* source="WinEventLog:*" AND (Image="*\\rundll32.exe" AND (CommandLine="*\\Users\\Public*") AND (CommandLine="*adobelib.dll*") AND (CommandLine="*main*"))
CrowdStrike:
(ImageFileName="*\\rundll32.exe" AND ((CommandHistory="*\\Users\\Public*") OR (CommandLine="*\\Users\\Public*")) AND ((CommandHistory="*adobelib.dll*") OR (CommandLine="*adobelib.dll*")) AND ((CommandHistory="*main*") OR (CommandLine="*main*")))
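To show how the two Sigma rules above behave on real events, here is an added Python example (not part of the original post or of any vendor's tooling) that applies the same selection logic to constructed sample events and, as extra context from the rundll32 command line described earlier, flags whether a 104-character hexadecimal key argument is present. The field names and sample values are assumptions modelled on the rules' fields.

```python
import re

# Constructed sample events (not from the original post): two web-server
# access log entries and two Windows process-creation events.
WEB_EVENTS = [
    {"cs-method": "GET", "c-uri": "/oauth/idp/.well-known/openid-configuration"},
    {"cs-method": "GET", "c-uri": "/logon/LogonPoint/index.html"},
]
PROC_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\Public\adobelib.dll,main " + "ab" * 52},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# A standalone run of exactly 104 hex characters, as the post describes for the DLL key.
HEX_KEY_104 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{104}(?![0-9a-fA-F])")


def matches_citrix_bleed_probe(ev):
    """Sigma rule 1: GET request whose URI contains the OpenID configuration path."""
    return (ev.get("cs-method") == "GET"
            and "oauth/idp/.well-known/openid-configuration" in ev.get("c-uri", ""))


def matches_adobelib_rundll32(ev):
    """Sigma rule 2: rundll32 loading adobelib.dll from \\Users\\Public with export 'main'.
    Sigma string modifiers are case-insensitive, so both sides are lower-cased."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return (image.endswith("\\rundll32.exe")
            and all(s in cmd for s in ("\\users\\public", "adobelib.dll", "main")))


def has_104_hex_key(ev):
    """Extra context from the post: the DLL only runs when given the 104-hex-char key."""
    return bool(HEX_KEY_104.search(ev.get("CommandLine", "")))


def triage(web_events, proc_events):
    """Return (level, rule, evidence) tuples for every event that matches a rule."""
    hits = []
    for ev in web_events:
        if matches_citrix_bleed_probe(ev):
            hits.append(("critical", "citrix-bleed-probe", ev["c-uri"]))
    for ev in proc_events:
        if matches_adobelib_rundll32(ev):
            rule = "adobelib-rundll32" + ("+104hex-key" if has_104_hex_key(ev) else "")
            hits.append(("high", rule, ev["CommandLine"]))
    return hits
```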
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
- https://github.com/0xKayala/CVE-2023-4966/blob/main/banner.py
- https://www.cyfirma.com/outofband/citrix-bleed-cve-2023-4966-vulnerability-analysis-and-exploitation/