#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA

LockBit 3.0 affiliates exploited CVE-2023-4966 (Citrix Bleed) to gain initial access to Citrix NetScaler ADC/Gateway appliances, bypass MFA, and hijack legitimate sessions to harvest credentials and move laterally. The advisory outlines attacker TTPs, IOCs, and mitigations, urging patching, network isolation, and proactive hunting to defend affected organizations.

Keypoints

  • LockBit 3.0 affiliates exploited CVE-2023-4966 (Citrix Bleed) to gain initial access and target organizations across sectors, including Boeing.
  • The vulnerability enables bypassing MFA and hijacking valid sessions, allowing attackers to harvest credentials and access data.
  • A PowerShell-based loader (123.ps1) concatenates base64 strings, writes adobelib.dll, and executes it via rundll32 to run the payload.
  • The DLL payload communicates with a C2 endpoint (POST to adobe-us-updatefiles.digital), resolving to IPs 172.67.129.176 and 104.21.1.180.
  • Attackers deploy a mix of ransomware-adjacent tools and RMM software (AnyDesk, Splashtop, TeamViewer, ScreenConnect) and use HTA via mshta.exe, Plink port forwarding, and PsExec-type techniques.
  • The campaign documents credential dumping from LSASS memory (Mimikatz, LSASS memory dumps written to disk) and remote command execution (wmiexec, WinRM) as part of lateral movement.
  • MITRE-aligned detection and mitigation guidance include isolating vulnerable NetScaler devices, patching, enhanced PowerShell logging, and YARA rules for Citrix Bleed artifacts.
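The loader chain summarized above (a PowerShell script that concatenates base64 and writes adobelib.dll, rundll32 executing it with a 104-hex-character key, and a POST to adobe-us-updatefiles.digital) is exactly what the enhanced PowerShell logging the advisory recommends can surface. The following Python is an added example, not CISA's or the advisory's own detection content: it scans constructed PowerShell 4104 script-block, 4688 process-creation and DNS log entries for those observables. The sample log lines, the base64 fragments, the `main` export name and the hex key are constructed placeholders.

```python
import re

# Indicators quoted from the advisory summary above (domains, IPs, file names).
IOC_IPS = {"172.67.129.176", "104.21.1.180", "192.229.221.95", "193.201.9.224"}
IOC_DOMAINS = {"adobe-us-updatefiles.digital", "dns0.org", "assist.zoho.eu"}
IOC_FILES = {"123.ps1", "adobelib.dll"}

# A run of exactly 104 hex characters standing alone in a command line (the DLL's key).
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{104}(?![0-9a-fA-F])")
# Base64 decode plus a raw byte write in one script block: the 123.ps1 loader behaviour.
B64_DECODE = re.compile(r"FromBase64String", re.I)
WRITE_BYTES = re.compile(r"WriteAllBytes|Set-Content.*-Encoding\s+Byte", re.I)


def scan_event(event):
    """Return the rule names one log event triggers; an empty list means benign.

    event['source'] is '4104' (PowerShell script block), '4688' (process creation)
    or 'dns' (resolver log); event['data'] is the logged text.
    """
    hits = []
    src, data = event["source"], event["data"]
    low = data.lower()
    if src == "4104" and B64_DECODE.search(data) and WRITE_BYTES.search(data):
        hits.append("ps_base64_loader")
    if src == "4688" and "rundll32" in low and HEX_KEY.search(data):
        hits.append("rundll32_104hex_key")
    if any(f in low for f in IOC_FILES):
        hits.append("ioc_filename")
    if any(d in low for d in IOC_DOMAINS) or any(ip in data for ip in IOC_IPS):
        hits.append("ioc_network")
    return hits


def scan_events(events):
    """Map event index to its hits, keeping only events that triggered something."""
    return {i: h for i, e in enumerate(events) if (h := scan_event(e))}


# Constructed sample log entries; the base64 text and the key are placeholders, not advisory data.
SAMPLE_EVENTS = [
    {"source": "4104", "data": '$a="TVqQAAMA";$b="AAAEAAAA";[IO.File]::WriteAllBytes('
                               '"C:\\Users\\Public\\adobelib.dll",[Convert]::FromBase64String($a+$b))'},
    {"source": "4688", "data": "rundll32.exe C:\\Users\\Public\\adobelib.dll,main "
                               + "0123456789abcdef" * 6 + "01234567"},
    {"source": "dns", "data": "query adobe-us-updatefiles.digital A 172.67.129.176"},
    {"source": "4688", "data": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"source": "4104", "data": "Get-Process | Where-Object CPU -gt 100"},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The two benign entries (a stock rundll32 control-panel call and an ordinary pipeline) produce no hits, which is the check that the 104-hex-character and decode-then-write conditions, rather than rundll32 or PowerShell alone, carry the signal.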

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability CVE-2023-4966 is used to access NetScaler appliances and bypass MFA, enabling session hijacking. [‘This vulnerability provides threat actors, including LockBit 3.0 affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].’]
  • [T1059.001] PowerShell – Execution of a PowerShell script (123.ps1) concatenates base64 strings and writes payload to disk. [‘The campaign begins with the execution of a PowerShell script (123.ps1) which concatenates two base64 strings together, converts them to bytes, and writes them to the designated file path.’]
  • [T1218.011] Rundll32 – The payload DLL is executed via rundll32, with a 104-hex-character key required for correct execution. [‘The Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the DLL attempts to send a POST request to https://adobe-us-updatefiles.digital/index.php…’]
  • [T1071.001] Web Protocols – The DLL payload communicates to a remote endpoint via HTTP(s) POST to a C2 domain/IP. [‘POST request to https://adobe-us-updatefiles.digital/index.php which resolves to IP addresses 172.67.129.176 and 104.21.1.180.’]
  • [T1021] Remote Services – Use of AnyDesk/Splashtop/other RMM tools for remote access and control. [‘AnyDesk and Splashtop remote management and monitoring (RMM)…’]
  • [T1047] Windows Management Instrumentation (WMI) – Tooling such as wmiexec for remote command execution and WinRM-based sessions. [‘wmiexec.exe usage’]
  • [T1053.005] Windows Scheduled Task – Persistence via scheduled tasks (e.g., MEGAMEGAcmd, UpdateAdobeTask). [‘Scheduled task: MEGAMEGAcmd’, ‘Scheduled task: UpdateAdobeTask’]
  • [T1003.001] OS Credential Dumping – LSASS memory dumps and credential theft (Mimikatz). [‘LSASS memory dump to disk’ and related tooling like Mimikatz.]
  • [T1539] Steal Web Session Cookie – Attackers obtain valid session cookies to impersonate users. [‘acquire a valid NetScaler AAA session cookie’]
  • [T1082] System Information Discovery – Actors gather OS/hardware information during reconnaissance. [‘System Information Discovery’]

Indicators of Compromise

  • [IP] 192.229.221.95, 193.201.9.224 (C2/hosting indicators mentioned in the campaign)
  • [IP] 172.67.129.176, 104.21.1.180 (C2 endpoints associated with adobe-us-updatefiles.digital)
  • [Domain] dns0.org (ties back to the C2 domain/referenced infrastructure)
  • [Domain] assist.zoho.eu (Zoho Assist domain observed in related activity)
  • [Filename] 123.ps1 (PowerShell loader script)
  • [Filename] adobelib.dll (DLL payload used in the chain)
  • [Tool] AnyDesk (remote admin tool used as part of the intrusion)
  • [Tool] TeamViewer (remote admin tool observed in the campaign)

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a