Recently, I’ve been tracking LockBit ransomware group as they’ve been breaching large enterprises:
I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations — many of whom have incredibly large security budgets.
Through data that allows ransomware operators to be tracked, it has been possible to follow individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. Prior reading:
Mass exploitation of CitrixBleed vulnerability, including a ransomware group
This has been done in a co-ordinated fashion amongst multiple LockBit operators — a strike team to break into organisations using CitrixBleed and then hold them to ransom.
The Strike
This vulnerability allows the bypass of all multi-factor authentication controls, and provides a point and click desktop PC within the impacted victim’s internal network via “VDI” — think Remote Desktop or RDP.
The patch became available on October 10th; however, as of writing, around five thousand organisations still have not installed it.
It is also incredibly easy to exploit, and initial exploitation has no logs at all as Citrix Netscaler/Gateway fails to log the exploit request — a product defect that Citrix really need to own and fix.
An initial challenge has been maintaining access, as hijacking a session boots off the legitimate user, and the legitimate user boots off the attacker when they reconnect.
To combat this, LockBit have been deploying remote access tools such as Atera — which does not trigger antivirus or EDR alerts — to allow remote, interactive PowerShell requests without any visible signs to the end user. This access also persists after patching CitrixBleed.
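A hunt for the persistence mechanism described above, as an added example that is not part of the original article: a PowerShell check for an Atera agent on a Windows host, flagging any install dated on or after the CitrixBleed patch. It assumes the agent registers a service whose name or binary path contains "Atera" and an uninstall entry whose DisplayName contains "Atera"; the patch year (2023) is also an assumption, since the article gives only the day.

```powershell
# Added example (not from the original post): hunt for an Atera agent dropped to keep
# access after a CitrixBleed session hijack. Assumptions: the agent registers a service
# whose name or binary path contains "Atera", and an uninstall entry whose DisplayName
# contains "Atera". Check against a known-good install before relying on these.

# Patch release date from the article (October 10th); the year 2023 is an assumption.
$PatchDate = [datetime]'2023-10-10'
$findings  = @()

# 1. Services: the agent runs as a Windows service, so look at name and binary path.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*Atera*' -or $_.PathName -like '*Atera*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'Service'; Name = $_.Name; Detail = $_.PathName
            State  = $_.State;  Installed = $null
        }
    }

# 2. Uninstall keys (64- and 32-bit views) carry InstallDate as yyyyMMdd.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Atera*' } |
    ForEach-Object {
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        $findings += [pscustomobject]@{
            Source = 'Uninstall'; Name = $_.DisplayName; Detail = $_.InstallLocation
            State  = $_.DisplayVersion; Installed = $installed
        }
    }

# 3. Report. An agent installed on or after the patch date on a host that is not
#    meant to run Atera is an incident: the access survives the Netscaler patch.
foreach ($f in $findings) {
    $flag = if ($f.Installed -and $f.Installed -ge $PatchDate) { 'INSTALLED AFTER PATCH' } else { '' }
    '{0,-10} {1,-40} {2,-20} {3}' -f $f.Source, $f.Name, $f.Installed, $flag
}
if ($findings.Count -eq 0) { 'No Atera agent found on this host.' }
```

Run it from an elevated prompt across the hosts the VDI landing zone can reach, and treat any hit on a machine with no sanctioned Atera deployment as an incident rather than a cleanup task.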
The Team
After access is obtained, the victims are passed to the execution team. This team escalates privileges via a variety of techniques, terminates EDR controls, steals data and ultimately deploys ran
[…]