PULSE NAME
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
WHITE AlienVault 2023-11-22 Modified: 2023-12-22
24 IOCs
MEDIUM VOLUME
CISA reports that LockBit 3.0 affiliates are leveraging CVE-2023-4966 (Citrix Bleed) to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
LockBit
Indicators of Compromise (3 / 24 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 6e8ca501c45a9b85fff2378cffaa24b2 2023-11-22
FileHash-MD5 d7addb5b6f55eab1686410a17b3c867b MD5 of 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155 2023-11-22
FileHash-MD5 eb842a9509dece779d138d2e6b0f6949 2023-11-22