Pulse Detail — Threat Intelligence

PULSE NAME

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

WHITE AlienVault 2023-11-22 Modified: 2023-12-22

IOCs

MEDIUM VOLUME

CISA reports that Lockbit 3.0 affiliates are leveraging CVE 2023-4966 (Citrix Bleed) to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1082 T1556 T1539 T1059.001

MALWARE FAMILIES

LockBit

Indicators of Compromise (24)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2023-4966	—	2023-11-22
FileHash-MD5	6e8ca501c45a9b85fff2378cffaa24b2	—	2023-11-22
FileHash-MD5	d7addb5b6f55eab1686410a17b3c867b	MD5 of 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155	2023-11-22
FileHash-MD5	eb842a9509dece779d138d2e6b0f6949	—	2023-11-22
FileHash-SHA1	a54af16b2702fe0e5c569f6d8f17574a9fdaf197	SHA1 of 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155	2023-11-22
FileHash-SHA256	17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994	—	2023-11-22
FileHash-SHA256	498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155	—	2023-11-22
FileHash-SHA256	906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6	—	2023-11-22
FileHash-SHA256	98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9	—	2023-11-22
FileHash-SHA256	cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63	—	2023-11-22
FileHash-SHA256	e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068	—	2023-11-22
FileHash-SHA256	ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44	—	2023-11-22
URL	http://62.233.50.25/en-us/docs.html	—	2023-11-22
URL	http://62.233.50.25/en-us/test.html	—	2023-11-22
URL	http://81.19.135.219/F8PtZ87fE8dJWqe.hta	—	2023-11-22
URL	http://81.19.135.219:443/q0X5wzEh6P7.hta	—	2023-11-22
URL	https://adobe-us-updatefiles.digital/index.php	01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b	2023-11-22
YARA	0b9b6a9c1eb839e142fc4088ad43bdb4c52c3c9d	This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method	2023-11-22
YARA	0da7ee157236badc4568962b381cce811e0b0c1e	Detects trojan python samples	2023-11-22
YARA	3c47ed12de2d5c9d356a046885b867fceed3fdbb	Detects trojan DLL samples	2023-11-22
YARA	3c67d4f90206e692f9511426ac2bd4becaaa3851	Detects trojan .bat samples	2023-11-22
YARA	d6044e0f131429dc7b234c364349e60bb8ed0876	Detects trojan PE32 samples	2023-11-22
domain	adobe-us-updatefiles.digital	—	2023-11-22
hostname	unattended.techninline.net	—	2023-11-22

References (1)

↗ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a