Stemming the Citrix Bleed Vulnerability with ActiveAI Platform

Darktrace investigates the exploitation of Citrix Bleed (CVE-2023-4966) on a customer network in late 2023, shortly after the vulnerability's public disclosure, and shows how its Self-Learning AI tracked post-compromise activity and identified affected devices. The piece covers initial access, beaconing, lateral movement and data exfiltration, and argues that anomaly-based detection can surface emerging threats that signature-based rules miss. #CitrixBleed #CVE-2023-4966 #Darktrace #ScreenConnect #TotalNetworkInventory #NTLMBruteForce

Keypoints

  • Darktrace used its Self-Learning AI, Proactive Threat Notification (PTN) alerts and SOC triage to detect and investigate Citrix Bleed exploitation on a customer network.
  • Citrix Bleed (CVE-2023-4966) is an unauthenticated buffer over-read in NetScaler ADC and NetScaler Gateway (when configured as a Gateway or AAA virtual server) that leaks memory which can contain valid session tokens; replaying a stolen token hijacks an authenticated session and bypasses password and MFA checks, giving initial access that can lead to data theft or ransomware deployment.
  • The earliest indicators were unusual outbound SSH connections from a critical internal server to rare external endpoints, pointing to initial access before a formal SOC alert was raised.
  • Attackers moved laterally and ran command-and-control (C2) through remote management tools (ScreenConnect, FixMe.IT) and downloaded further tooling such as tniwinagent.exe, the agent component of Total Network Inventory.
  • Defense evasion relied on legitimate tools (ScreenConnect) and domains (Fixme.it) being used for C2 and persistence, a reminder that trusted remote-support software is a common attacker foothold.
  • The campaign included reconnaissance and lateral movement (SMB/NTLM activity, DCE-RPC binds, and PSEXESVC-based remote execution), data staging with WinRAR, and substantial data exfiltration to cloud storage services (MEGA, 4sync, file.io, easyupload.io).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability allowed outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA). Quote: ‘The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.’
  • [T1567.002] Exfiltration to Cloud Storage – Data was exfiltrated to MEGA and other cloud services over TLS/SSL, with additional storage services involved. Quote: ‘they sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443… additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io.’
  • [T1219] Remote Access Software – ScreenConnect (and FixMe.IT) were used for C2 communications and remote management; the PsExec service binary (PSEXESVC.exe) that carried out remote code execution maps to [T1569.002] System Services: Service Execution. Quote: ‘ScreenConnect itself was the subject of a separate critical vulnerability… used by threat actors to carry out C2 communication… PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution.’
  • [T1007] System Service Discovery – RPC commands were used to enumerate services and endpoints (e.g., ‘RPC commands to enumerate services running on the device’).
  • [T1105] Ingress Tool Transfer – Suspicious executables such as tniwinagent.exe (Total Network Inventory) were downloaded to support reconnaissance and lateral movement. Quote: ‘devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory.’
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement via SMB and IPC$ shares, including PSEXESVC.exe usage. Quote: ‘DCE-RPC binds of numerous internal devices to IPC$ shares’ and ‘PSEXESVC.exe … used by attackers to conduct remote code execution.’
  • [T1560.001] Archive Collected Data: Archive via Utility – WinRAR was written to hosts over SMB in preparation for compressing data before exfiltration. Quote: ‘SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration.’
  • [T1070.004] Indicator Removal: File Deletion (formerly T1107) – Attacker activity included deleting files via SMB (e.g., an MSI related to Action1). Quote: ‘devices deleting files through SMB around this time.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – A file named m.exe may have been a tool for preventing antivirus programs from launching. Quote: ‘a file … m.exe … could be a malicious tool used to prevent antivirus programs from launching or running on a network.’
  • [T1110.001] Brute Force: Password Guessing – One device generated widespread failed NTLM authentication attempts across the network. Quote: ‘one device was observed making widespread failed NTLM authentication attempts on the network.’
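Most of the techniques above leave traces in ordinary network telemetry, so they can be checked without a vendor product. The block below is an added example, not code from the Darktrace blog or from Darktrace: it runs four rule-of-thumb detections (an internal host opening SSH to a never-seen external peer, one source failing NTLM authentication against many hosts, large TLS uploads to the cloud storage services named in the post, and writes of PsExec/WinRAR/TNI binaries to admin shares) over constructed Zeek-style records. Field names follow Zeek's conn, ntlm, ssl and smb_files logs; the sample hosts, thresholds and the baseline of known SSH peers are assumptions for illustration.

```python
"""Behavioural detections for the post-compromise steps listed above, run over
constructed Zeek-style records. Example code added to this summary; the
sample data and thresholds are hypothetical, not from the Darktrace blog."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]
# Cloud storage services named in the investigation, matched as SNI suffixes.
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "4sync.com", "file.io", "easyupload.io")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def rare_external_ssh(conns, known_peers):
    """Internal host opens SSH to an external IP the site has never contacted:
    the 'rare endpoint' signal that preceded the first SOC alert."""
    return [(c["src"], c["dst"]) for c in conns
            if c["dport"] == 22 and is_internal(c["src"])
            and not is_internal(c["dst"]) and c["dst"] not in known_peers]


def ntlm_spray_sources(auths, min_failures=20, min_targets=5):
    """One source failing NTLM authentication against many distinct hosts:
    the 'widespread failed NTLM authentication attempts' pattern."""
    failures = defaultdict(lambda: [0, set()])
    for a in auths:
        if not a["success"]:
            failures[a["src"]][0] += 1
            failures[a["src"]][1].add(a["dst"])
    return sorted(src for src, (n, targets) in failures.items()
                  if n >= min_failures and len(targets) >= min_targets)


def cloud_exfil(ssl_conns, min_bytes=500_000_000):
    """Outbound bytes per (source, SNI) to cloud storage domains over TLS,
    reported where the total crosses the threshold."""
    totals = defaultdict(int)
    for c in ssl_conns:
        sni = c["server_name"].lower()
        if any(sni == d or sni.endswith("." + d) for d in EXFIL_DOMAINS):
            totals[(c["src"], sni)] += c["orig_bytes"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


def admin_share_writes(smb_files, names=("psexesvc.exe", "winrar", "tniwinagent")):
    """SMB writes of PsExec's service binary, WinRAR or the TNI agent to
    ADMIN$/C$/IPC$ on another host: remote execution and staging for exfil."""
    hits = []
    for f in smb_files:
        if f["action"] != "SMB::FILE_WRITE":
            continue
        name = f["name"].lower().rsplit("\\", 1)[-1]
        if f["share"].upper() in ("ADMIN$", "C$", "IPC$") and any(n in name for n in names):
            hits.append((f["src"], f["dst"], name))
    return hits


# --- constructed sample data (hypothetical) ---------------------------------
KNOWN_SSH_PEERS = {"203.0.113.10"}  # external SSH peers seen in the baseline
CONNS = [{"src": "10.0.0.5", "dst": "168.100.9.137", "dport": 22},  # IoC IP from the post
         {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 22},
         {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 22}]
AUTHS = ([{"src": "10.0.0.5", "dst": f"10.0.0.{i}", "success": False} for i in range(10, 35)]
         + [{"src": "10.0.0.7", "dst": "10.0.0.20", "success": False}] * 3)
SSL = [{"src": "10.0.0.5", "server_name": "g.api.mega.co.nz", "orig_bytes": 400_000_000},
       {"src": "10.0.0.5", "server_name": "g.api.mega.co.nz", "orig_bytes": 300_000_000},
       {"src": "10.0.0.5", "server_name": "www.file.io", "orig_bytes": 1_000},
       {"src": "10.0.0.8", "server_name": "www.microsoft.com", "orig_bytes": 900_000_000}]
SMB_FILES = [
    {"src": "10.0.0.5", "dst": "10.0.0.12", "action": "SMB::FILE_WRITE", "share": "ADMIN$", "name": "PSEXESVC.exe"},
    {"src": "10.0.0.5", "dst": "10.0.0.13", "action": "SMB::FILE_WRITE", "share": "C$", "name": "Users\\Public\\WinRAR.exe"},
    {"src": "10.0.0.5", "dst": "10.0.0.13", "action": "SMB::FILE_OPEN", "share": "ADMIN$", "name": "PSEXESVC.exe"},
    {"src": "10.0.0.9", "dst": "10.0.0.14", "action": "SMB::FILE_WRITE", "share": "Finance", "name": "report.xlsx"},
]


def run_all():
    return {"rare_ssh": rare_external_ssh(CONNS, KNOWN_SSH_PEERS),
            "ntlm_spray": ntlm_spray_sources(AUTHS),
            "cloud_exfil": cloud_exfil(SSL),
            "admin_share_writes": admin_share_writes(SMB_FILES)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

None of these rules sees the session-token theft itself, which happens on the NetScaler appliance; they catch the stages that follow it, which is also where the blog's detections fired. The thresholds and the known-peer baseline need tuning per environment: the point of the rarity check is that it compares against what the network has actually done before, not against a fixed list.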

Indicators of Compromise

  • [IP Address] 168.100.9[.]137 – SSH connection to a rare external IP used during initial access. Context: unusual external connectivity observed from a critical server.
  • [IP Address] 45.134.26[.]2 – Another rare endpoint contacted during beaconing/initial access stages. Context: external connectivity observed to this IP.
  • [IP Address] 204.155.149[.]37 – Listed in the blog's IoC appendix as a likely malicious endpoint. Context: appears only in the appendix, with no specific connection described in the narrative.
  • [Domain] cat2.hbwrapper[.]com – Likely malicious endpoint used in the campaign. Context: IoC listed in appendix.
  • [Domain] aj1090[.]online – Likely malicious endpoint used in the campaign. Context: IoC listed in appendix.
  • [Domain] 4sync[.]com – Cloud storage service used alongside MEGA during the exfiltration event. Context: IoC listed.
  • [Domain] file[.]io – Cloud storage domain involved in exfiltration. Context: IoC listed.
  • [Domain] easyupload[.]io – Cloud storage domain involved in exfiltration. Context: IoC listed.
  • [File] tniwinagent.exe – Executable associated with Total Network Inventory used during the operation. Context: downloaded/executed on devices.
  • [File] m.exe – Executable suspected of being a tool that stops antivirus programs from launching, based on OSINT cited in the blog; no hash was published. Context: file name only, so a weak indicator on its own.
  • [File] PSEXESVC.exe – The service binary PsExec writes to the target's ADMIN$ share and starts as a service; its appearance in SMB writes marks PsExec-style remote execution. Context: remote code execution observed.
  • [Domain] mega[.]nz – Cloud storage domain used for large-scale data exfiltration. Context: MEGA file storage sites cited.
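The list above is defanged and mixes IP, domain and file-name indicators, and the file names carry no hashes, so a sweep has to refang the values, match domains by suffix (a hit on api.cat2.hbwrapper.com should count), and treat name-only file matches as leads rather than verdicts. The block below is an added example, not code from the Darktrace blog or from Darktrace: it refangs the indicators exactly as listed above and sweeps constructed Zeek-style dns, conn and files records for them. The records, host addresses and the log field names are assumptions for illustration.

```python
"""Operationalising the indicator list above: refang the defanged values and
sweep constructed Zeek-style dns/conn/files records for them. Example code
added to this summary; the records are hypothetical, not from the blog."""
import re
from ipaddress import ip_address

DEFANGED_IOCS = {  # copied as listed above, still defanged
    "ip": ["168.100.9[.]137", "45.134.26[.]2", "204.155.149[.]37"],
    "domain": ["cat2.hbwrapper[.]com", "aj1090[.]online", "4sync[.]com",
               "file[.]io", "easyupload[.]io", "mega[.]nz"],
    # Names only, no hashes were published: treat file hits as weak leads.
    "file": ["tniwinagent.exe", "m.exe", "PSEXESVC.exe"],
}


def refang(value):
    """Undo common defanging: [.] (.) {.} -> . and hxxp(s) -> http(s)."""
    v = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value.strip())
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def build_iocs(defanged):
    iocs = {kind: {refang(v) for v in values} for kind, values in defanged.items()}
    for ip in iocs["ip"]:
        ip_address(ip)  # fail loudly on a malformed indicator instead of silently never matching
    return iocs


def domain_hit(name, domains):
    """Exact or subdomain match, so api.cat2.hbwrapper.com matches cat2.hbwrapper.com."""
    n = name.lower().rstrip(".")
    return next((d for d in domains if n == d or n.endswith("." + d)), None)


def sweep(records, iocs):
    """Return (indicator type, indicator, source host) for every record that matches."""
    hits = []
    for r in records:
        if r["log"] == "dns":
            d = domain_hit(r["query"], iocs["domain"])
            if d:
                hits.append(("domain", d, r["src"]))
        elif r["log"] == "conn":
            if r["dst"] in iocs["ip"]:
                hits.append(("ip", r["dst"], r["src"]))
        elif r["log"] == "files":
            base = re.split(r"[\\/]", r["filename"])[-1].lower()  # strip UNC or local path
            if base in iocs["file"]:
                hits.append(("file", base, r["src"]))
    return hits


# --- constructed sample records (hypothetical) ------------------------------
RECORDS = [
    {"log": "dns", "src": "10.0.0.5", "query": "api.cat2.hbwrapper.com"},
    {"log": "dns", "src": "10.0.0.6", "query": "www.example.com"},
    {"log": "conn", "src": "10.0.0.5", "dst": "45.134.26.2"},
    {"log": "conn", "src": "10.0.0.6", "dst": "93.184.216.34"},
    {"log": "files", "src": "10.0.0.5", "filename": "\\\\10.0.0.12\\ADMIN$\\PSEXESVC.exe"},
    {"log": "files", "src": "10.0.0.9", "filename": "C:\\Users\\bob\\m.exe"},
    {"log": "files", "src": "10.0.0.6", "filename": "setup.exe"},
]
IOCS = build_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    for hit in sweep(RECORDS, IOCS):
        print(hit)
```

The domain entries for 4sync, file.io, easyupload.io and MEGA are legitimate services, so a hit on them is only meaningful together with volume (see the exfiltration technique above) or with an unusual source host; a DNS hit on cat2.hbwrapper[.]com or aj1090[.]online is a much stronger signal.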

Read more: https://darktrace.com/blog/stemming-the-citrix-bleed-vulnerability-with-darktraces-activeai-platform