Last Week in Ransomware: 12.18.2023

Last week in ransomware news we saw the UK at risk of catastrophic ransomware attack, Wyoming shell companies leveraged in attacks, and LockBit observed exploiting Citrix Bleed vulnerability...

LockBit Exploits Citrix Bleed Vulnerability

In a collaborative effort, CISA, the FBI, the MS-ISAC, and the Australian Signals Directorate recently issued a joint Cybersecurity Advisory (CSA) that sheds light on a concerning development in the realm of cyber threats.  

LockBit ransomware operators are actively exploiting the Citrix Bleed vulnerability (CVE-2023-4966), affecting the Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.  

This vulnerability enables threat actors to bypass password requirements and multifactor authentication, leading to successful session hijacking, granting malicious actors elevated permissions for credential harvesting and unauthorized access.

The advisory emphasizes the urgency for network administrators to implement mitigations outlined in the CSA, which includes isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.  

This news underscores a broader trend revealed by research earlier this year: the majority of ransomware-related vulnerability exploits targeted older bugs disclosed between 2010 and 2019, emphasizing the critical need for timely patching and system upgrades.

Despite the availability of patches, many organizations struggle to address vulnerabilities promptly due to various reasons. The complexity of patching processes, especially in environments with legacy systems or intricate internal scripts, can lead to delays.  

Additionally, organizations often need to conduct extensive testing in a development environment to avoid disrupting critical business systems during the implementation of updates.

Limited IT and security resources, especially in non-profit sectors or those operating on thin margins like healthcare and education, contribute to the delayed prioritization of timely patching.

The increasing exploitation of vulnerabilities by ransomware gangs highlights the evolution of their techniques, now resembling those seen in nation-state operations. The ongoing exploitation of CVE-2023-4966, known as Citrix Bleed, reveals a critical gap in organizations' cybersecurity postures and their ability to swiftly address emerging threats.

READ MORE HERE

Potential LockBit Leaks Site Takedown

In another development, reports suggest that law enforcement actions may have caused an outage on the BlackCat/ALPHV ransomware gang's leaks site.  

The disruption also impacted unique Tor negotiation URLs shared with victims, indicating potential law enforcement interference.  

BlackCat/ALPHV, identified in late 2021, stands out as an advanced ransomware family utilizing the Rust programming language, multiple encryption routines, and sophisticated techniques to disable security tools and hinder analysis.

READ MORE HERE

More Command-and-Control Providers (C2P) Exposed

The Command-and-Control Providers (C2P) landscape takes a new turn with reports documenting Wyoming-based LLCs being exploited as attack infrastructure by foreign threat actors.  

These LLCs, operating as C2Ps, enable cybercriminals to disguise malicious internet traffic as originating from the United States, leveraging the anonymity provided by LLC registrations.  

in August Reuters wrote about how anti-ransomware firm Halcyon uncovered an Iran-linked internet company registered in Wyoming called Cloudzy that was observed providing services to "a rogue's gallery" of state-sponsored espionage and cybercriminal threat actors through Wyoming-based company RouterHosting LLC.

These cases underscore the need for increased scrutiny of legal loopholes that allow C2Ps to operate without vetting customers, facilitating malicious activities while maintaining plausible deniability.

READ MORE HERE

UK Unprepared for Major Ransomware Attack

The UK's Joint Committee on the National Security Strategy (JCNSS) issued a stern warning, indicating a "high risk" of a catastrophic ransomware attack on the nation due to the government's inadequate response to the growing threat.  

The report criticizes the lack of focus on cybersecurity by key government agencies, with the Home Office showing minimal interest in the topic.  

The UK, deemed one of the world's most cyber-attacked nations, is urged to invest more in preventing potential catastrophic costs resulting from a major ransomware attack.

The report suggests that governments face a significant challenge in protecting organizations from ransomware attacks, given the ambiguity in determining root attribution. While law enforcement actions and sanctions against ransomware operators are necessary, there is a need for a strategic shift, especially as ransomware attacks increasingly target critical Linux systems.  

The targeting of Linux systems poses a substantial threat, as these systems underpin critical operations in various sectors, and the lack of adequate security measures makes them an attractive target for ransomware gangs.

The evolving landscape of cybersecurity threats demands a multi-faceted approach, encompassing timely patching, enhanced scrutiny of legal frameworks facilitating malicious activities, and a strategic focus on protecting critical systems like Linux.  

The intersection of nation-state tactics with cybercriminal operations reinforces the urgency for governments and organizations to adapt and strengthen their defenses against a rapidly growing and sophisticated threat landscape.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.