Do you know if your network is vulnerable to LockBit 3.0 Ransomware crew getting into your network via NetScaler CVE-2023-4966 vulnerability? Boeing – a company with a powerful cybersecurity team – was penetrated by the LockBit crews using CVE-2023-4966. Is this your Thanksgiving holiday fun?
For those subscribed to Shadowserver's free Cyber Civil Defence reporting, you can identify the risk via the Device Identification Report. This report lists everything on your network that a ransomware crew such as LockBit and its APT affiliates would find. The free Shadowserver reporting will also flag these vulnerable Citrix NetScaler devices in the Vulnerable HTTP Report (which lists all the vulnerable devices exploitable via HTTP).
NetScaler CVE-2023-4966 exploitation attempts continue to be one of the most common attacks seen by Shadowserver’s honeypot sensor network.

(Source: Shadowserver Cyber Civil Defence Public Dashboard)
If you are not getting the Shadowserver Reports ...
Subscribe to Shadowserver's Cyber Civil Defence Reports by completing the form. No information about your network is sold or shared with unauthorized parties, which is why Shadowserver checks the application details to validate your authorization. These Cyber Civil Defence Reports are more advanced than any "new" Attack Surface reports. They provide detailed, relevant, daily remediation reports about the state of your networks or constituency. About 50% of the data comes from daily scanning. The other 50% comes from takedowns, sinkholes, malware C&C interception, malware binary analysis, DNS telemetry, and other incident/investigation telemetry.
There is no charge for this service. Our reports will provide you with a free daily potential attack surface report relevant to your organization’s network or constituency, as well as potential malware or other malicious activity seen originating from your network/constituency.
Shadowserver is supported by organizations with a vested business interest in making the Internet more secure by bringing vulnerabilities, malicious activity, and emerging threats to light. They support the Shadowserver Alliance and invest in expanding the capabilities and capacity of Shadowserver’s mission.
Do you have a vested business interest in reducing malware, exploitations, cyber insurance claims, and risks to our Digital Safety? If yes, reach out to Shadowserver and ask about the Alliance.
Now, what happened with the Five Eyes?
Joint advisories are rare. When they happen, most of what needs to be said is TLP:RED. Think "lighting the Beacons of Gondor" when Joint Advisories from multiple countries are published. That is why responsible parties need to review these advisories. You get "what can be said" from active investigations, incidents, and postmortems.
Wake up and take notice when you see this type of statement in the CISA advisory:
“Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.”
But don't stop with CISA's advisory. Each joint advisory is written in parallel, pulling insights from its own constituency. Together they are a tool to explore what is happening in the parts of the exploitation iceberg you cannot see (because it is TLP:RED information). Read through all of them.
The problem is their recommendations:
“The authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.”
Why is a tool like Shadowserver's reporting missing? If the LockBit Ransomware & APT Affiliates are already in your network, use the TTPs in the report and start hunting over Thanksgiving. But first, pull down the Shadowserver reporting and see if you are at risk. If you are, fix it, THEN start hunting.
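One way to do that first step, as an added example that is not Shadowserver's code or part of this post: a short Python script that reads a Shadowserver-style Vulnerable HTTP report, pulls out only the devices flagged for CVE-2023-4966, and groups them by ASN so each owning team gets its own patch list. The column names (timestamp, ip, port, hostname, tag, asn, geo, server, cve), the ";"-separated tag format and the tag value "cve-2023-4966" are assumptions about the report layout; the sample rows are constructed with documentation-only IP ranges, so check the field list on the report's page before pointing this at a real download.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Shadowserver "Vulnerable HTTP" report.
# Column names, the ';'-separated tag list and the tag values are assumptions;
# verify them against the report documentation before using a real download.
SAMPLE_REPORT = """\
timestamp,ip,port,hostname,tag,asn,geo,server,cve
2023-11-20 02:11:05,192.0.2.10,443,vpn.example.net,citrix-netscaler;cve-2023-4966,64496,US,Citrix,CVE-2023-4966
2023-11-20 02:11:07,192.0.2.11,443,gw.example.net,citrix-netscaler,64496,US,Citrix,
2023-11-20 02:12:40,198.51.100.5,8443,,cve-2023-4966,64497,GB,Citrix,CVE-2023-4966
2023-11-20 02:13:02,203.0.113.9,443,www.example.org,apache-httpd,64498,DE,Apache,
"""

TARGET_CVE = "CVE-2023-4966"


def parse_report(text):
    """Return the report rows as a list of dicts, one per exposed device."""
    return list(csv.DictReader(io.StringIO(text)))


def is_affected(row, cve=TARGET_CVE):
    """True when the row's CVE column or its tag list names the CVE.

    The CVE column may be empty on rows that only carry the tag, and a
    NetScaler that is tagged but not flagged for the CVE is not counted.
    """
    if row.get("cve", "").strip().upper() == cve:
        return True
    tags = {t.strip().lower() for t in row.get("tag", "").split(";") if t.strip()}
    return cve.lower() in tags


def affected_devices(rows, cve=TARGET_CVE):
    """ip:port of every device still exposed to the CVE, sorted for a ticket or a diff."""
    return sorted(f'{r["ip"]}:{r["port"]}' for r in rows if is_affected(r, cve))


def exposure_by_asn(rows, cve=TARGET_CVE):
    """Count affected devices per ASN so remediation can be handed to the owning team."""
    return Counter(r["asn"] for r in rows if is_affected(r, cve))


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for dev in affected_devices(rows):
        print("PATCH FIRST:", dev)
    for asn, n in exposure_by_asn(rows).most_common():
        print(f"AS{asn}: {n} device(s)")
```

Run it against each day's download and diff the output of `affected_devices`: devices that disappear were fixed, devices that persist are the ones to patch before the hunt starts.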
All the Advisories:
- ACSC: #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
- CISA: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (Alert Code AA23-325A)
- Citrix advisory: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
- NVD CVE-2023-4966: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
- LockBit ransomware attack attribution: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-exploits-citrix-bleed-in-attacks-10k-servers-exposed/
- Mandiant: Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
- McAfee: What is Mshta, How Can it Be Used and How to Protect Against it
Are you looking for more practical, public-service Security Advice?
- Subscribe to the Senki Community Mailing List. Stay connected to Surfing Cybersecurity practical advice and critical “do this now” operation security recommendations by email.
- Subscribe to Senki's YouTube Channel for videos on this and other security topics.
- Ask questions to Barry Greene – bgreene@senki.org
The materials and guides posted on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator's Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators, with the details they need to build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.
