On November 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA) that disseminates Indicators of Compromise (IOCs), Tactics, Techniques and Procedures (TTPs), and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.
This joint CSA is part of their ongoing #StopRansomware effort to arm network defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
LockBit is a ransomware family active since September 2019 that operates under the Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct the intrusion and conclude with the delivery of LockBit, which handles the negotiations and payment of the ransom. Since LockBit operates under a RaaS model, there isn’t a standard intrusion playbook used by affiliates.
AttackIQ has previously released an attack graph in response to CSA AA23-075A, which emulates the behaviors exhibited during various activities conducted by this infamous ransomware against multiple targets worldwide. For further coverage and details, we suggest the reader visit the blog published on March 16, 2023.
AttackIQ has released a new assessment template that emulates the observed capabilities of LockBit affiliates during an incident in which they exploited the Citrix Bleed vulnerability (CVE-2023-4966) with the aim of helping customers validate their security controls and their ability to defend against this relevant threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against behaviors observed during an incident that led to the deployment and execution of LockBit 3.0.
- Assess their security posture against a highly prolific and opportunistic affiliate that has been observed to exploit critical vulnerabilities in the wild.
- Continuously validate detection and prevention pipelines against other affiliates who will likely leverage similar techniques in their own intrusions.
[CISA AA23-320A] #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
This assessment template emulates the different Tactics, Techniques, and Procedures (TTPs) observed by Boeing during an incident in which LockBit affiliates exploited the vulnerability CVE-2023-4966 to access Boeing Distribution Inc, its parts and distribution business that maintains a separate environment.
The template is divided into Tactics, and these group the Techniques and Implementations used by LockBit’s affiliates at each stage of their attack.
- Execution: Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
  - System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.
  - System Binary Proxy Execution: Mshta (T1218.010): Mshta.exe is a native Windows utility that threat actors can abuse to download remote payloads that include VBScript code.
- Persistence: Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
  - Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task named
- Lateral Movement: Consists of the techniques adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.
  - Remote Services: Windows Remote Management (T1021.006): This scenario will attempt to use Windows Remote Management (WinRM) to move laterally to any available system within the network.
- Command and Control: Techniques that adversaries may use to communicate with systems under their control within a victim network.
  - Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:
Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))
MITRE ATT&CK has the following mitigation recommendations for Scheduled Task:
- M1047 – Audit
- M1028 – Operating System Configuration
- M1026 – Privileged Account Management
- M1018 – User Account Management
3. Remote Services: Windows Remote Management (T1021.006)
Adversaries may abuse Windows Remote Management (WinRM) in conjunction with valid accounts to move laterally to remote systems. The WinRM utility can be run directly from any number of programs, such as the command line or PowerShell.
Numerous detection opportunities exist for WinRM, such as monitoring network data for uncommon data flows, monitoring for newly constructed network connections, and monitoring for newly executed service processes such as wmiprvse.exe on destination hosts.
MITRE ATT&CK has the following mitigation recommendations for Windows Remote Management:
- M1042 – Disable or Remove Feature or Program
- M1030 – Network Segmentation
- M1026 – Privileged Account Management
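As an added illustration of the schtasks detection rule above (T1053.005) and the WinRM detection opportunities (T1021.006), and not code from AttackIQ or the CSA, the following Python triage runs both checks over constructed sample EDR events; the host names, the JUMP01 allowlist of approved WinRM clients and the event field names are assumptions. It goes slightly beyond the text in two ways: it inspects only the text after /CREATE so the issuing shell's own name cannot satisfy the (cmd OR powershell) clause, and it correlates a WinRM connection from a non-approved source with the WinRM host process that then appears on the destination.

```python
SHELLS = {"cmd.exe", "powershell.exe"}
WINRM_PORTS = {5985, 5986}                       # WinRM HTTP / HTTPS listener ports
WINRM_HOST_PROCS = {"wsmprovhost.exe", "wmiprvse.exe"}
KNOWN_ADMIN_SOURCES = {"JUMP01"}                 # assumption: approved WinRM client hosts

# Constructed sample telemetry (not real logs): normalized EDR process and network events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /CREATE /TN Updater /TR "powershell -w hidden -f C:\Users\Public\u.ps1" /SC ONLOGON'},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c schtasks /QUERY /TN Updater"},
    {"type": "network", "host": "WS01", "dst": "SRV02", "dport": 5985,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "host": "JUMP01", "dst": "SRV03", "dport": 5986,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "SRV02", "image": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": "wsmprovhost.exe -Embedding"},
    {"type": "process", "host": "SRV03", "image": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": "wsmprovhost.exe -Embedding"},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_schtask(ev: dict) -> bool:
    """T1053.005: a shell runs schtasks /CREATE whose task action launches cmd or powershell."""
    if ev.get("type") != "process" or basename(ev["image"]) not in SHELLS:
        return False
    c = ev["cmdline"].lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    # Only inspect the text after /create, so the shell's own name cannot satisfy the clause.
    action = c[c.index("/create"):]
    return "cmd" in action or "powershell" in action

def winrm_hits(events: list) -> list:
    """T1021.006: WinRM connections from non-approved sources, then WinRM host processes on their targets."""
    conns = [e for e in events if e.get("type") == "network"
             and e["dport"] in WINRM_PORTS and e["host"] not in KNOWN_ADMIN_SOURCES]
    targets = {e["dst"] for e in conns}
    hits = [("network", e["host"], e["dst"]) for e in conns]
    hits += [("process", e["host"], basename(e["image"])) for e in events
             if e.get("type") == "process" and e["host"] in targets
             and basename(e["image"]) in WINRM_HOST_PROCS]
    return hits

def triage(events: list) -> dict:
    return {"T1053.005": [e["host"] for e in events if is_suspicious_schtask(e)],
            "T1021.006": winrm_hits(events)}
```

Like the rule above, the task check keys on cmd.exe or powershell.exe as the issuing process, so schtasks.exe spawned directly by another parent needs SHELLS widened; the SRV03 host process is deliberately not flagged because its only WinRM client is the approved JUMP01.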
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by LockBit affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.