Ransomware Groups Attack the Citrix Bleed Vulnerability and Critical ownCloud Vulnerabilities

Ransomware groups are exploiting a critical vulnerability, dubbed Citrix Bleed, in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) appliances.

On October 10, 2023, Citrix published a security advisory and patches for the vulnerability, which can be exploited to bypass password protection and multifactor authentication. CVE-2023-4966 is a buffer over-read in the appliance's memory handling that leaks session tokens; it carries a CVSS severity score of 9.4 out of 10. Exploitation in the wild has been traced back to late August 2023, before the advisory was published. By replaying a stolen token, a threat actor hijacks a legitimate, already-authenticated user session without needing the password or the MFA factor. Once that initial access is obtained, threat actors can escalate privileges, harvest credentials, move laterally, and reach sensitive data and assets.

Citrix fixed the vulnerability in the following builds of NetScaler ADC and NetScaler Gateway; any earlier build in the same branch is affected:

  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases

NetScaler ADC and NetScaler Gateway version 12.1 (other than the FIPS and NDcPP builds listed above) have reached End-of-Life (EOL) and will not receive a fix. Organizations still running 12.1 must upgrade their appliances to a supported version.
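As an added example (not Citrix's own tooling), the following Python script encodes the fixed-build table above and classifies NetScaler version strings from a constructed inventory. It assumes the `release-build.minor` string format used in the advisory (for example `13.1-49.15`) and a caller-supplied variant tag for FIPS and NDcPP builds; it treats the plain 12.1 branch as EOL and reports unknown branches rather than guessing. It only tells you whether a build contains the fix, not whether the appliance was already compromised.

```python
import re

# First fixed build per branch, taken from the advisory list above.
# Key: (release, variant); value: (build, minor). Anything lower in the
# same branch is affected.
FIXED_BUILDS = {
    ("14.1", ""):      (8, 50),
    ("13.1", ""):      (49, 15),
    ("13.0", ""):      (92, 19),
    ("13.1", "FIPS"):  (37, 164),
    ("12.1", "FIPS"):  (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Plain 12.1 (neither FIPS nor NDcPP) is End-of-Life and gets no fix.
EOL_BRANCHES = {("12.1", "")}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '13.1-49.15' into ('13.1', 49, 15); raise ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(version, variant=""):
    """Classify a build as 'patched', 'vulnerable', 'eol-upgrade' or 'unknown-branch'.

    variant is '' for standard builds, 'FIPS' or 'NDcPP' for those builds."""
    release, build, minor = parse_version(version)
    variant = variant.strip()
    if (release, variant) in EOL_BRANCHES:
        return "eol-upgrade"
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "unknown-branch"
    # Compare as integers, not strings: build 55.300 is newer than 55.35.
    return "patched" if (build, minor) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, variant); not real hosts.
    inventory = [
        ("gw-01",    "13.1-49.15",  ""),
        ("gw-02",    "13.1-48.47",  ""),
        ("adc-fips", "12.1-55.291", "FIPS"),
        ("adc-old",  "12.1-65.25",  ""),
    ]
    for host, ver, var in inventory:
        print(f"{host:10} {ver:12} {var or '-':6} {assess(ver, var)}")
```

The version string to feed in is the one shown by `show ns version` on the appliance, rewritten into the `release-build.minor` form the advisory uses. A "patched" result still requires the session cleanup described below, because the fix does not invalidate tokens stolen before it was applied.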

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on October 18, 2023, and released a joint cybersecurity advisory on November 21, 2023, because the vulnerability was being exploited extensively by ransomware groups, notably LockBit 3.0 affiliates.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert for the healthcare and public health (HPH) sector regarding the vulnerability, followed by a further alert on November 30, 2023, urging healthcare organizations to patch immediately. Applying the patch prevents further exploitation; however, sessions stolen before the patch was applied remain valid, because the fix does not invalidate existing tokens. Administrators must therefore terminate all active sessions after upgrading.

To remove active and persistent sessions after upgrading, administrators should run the following commands in the NetScaler CLI:

  • kill icaconnection -all
  • kill aaa session -all
  • kill pcoipConnection -all
  • kill rdp connection -all
  • clear lb persistentSessions

Organizations should also assume that exploitation may already have occurred and hunt for it. Citrix has published guidance on assessing appliances for compromise, and CISA's advisory includes indicators of compromise associated with LockBit 3.0, the tactics, techniques, and procedures (TTPs) used by the group, and mitigation recommendations for defending against ransomware attacks.

The American Hospital Association (AHA) has published a security advisory urging hospitals to take the required action immediately to prevent exploitation of Citrix Bleed, given that ransomware groups are heavily targeting hospitals. According to John Riggi, AHA's national advisor for cybersecurity and risk, the HC3 alert underscores the urgency of the vulnerability and the need to apply the current Citrix patches and upgrades without delay. The episode also demonstrates the persistence of international ransomware groups, primarily Russian-speaking ones, in attacking hospitals and healthcare systems. Ransomware attacks disrupt and delay the delivery of care and put patient lives at risk. Healthcare organizations need to stay alert and reinforce their cyber defenses, because cybercriminals will clearly continue to target the sector, especially through the holiday season.

Alert Concerning Critical ownCloud Vulnerabilities

Three critical vulnerabilities have been disclosed in the ownCloud platform, one of which is being actively exploited. Prompt action is needed to address them and protect sensitive systems and data.

The healthcare industry widely uses ownCloud for storing, synchronizing, and sharing files and for collaboration and workflow integration. That makes the platform an attractive target, because compromising it yields access to highly sensitive data. The Clop ransomware group demonstrated the risk posed by vulnerabilities in file-sharing platforms when it exploited flaws in Progress Software's MOVEit Transfer and Fortra's GoAnywhere MFT.

ownCloud published security advisories on November 21, 2023 for the three vulnerabilities. One was assigned the maximum CVSS v3.1 score of 10.0; the other two were scored 9.0 and 9.8. The cybersecurity firm GreyNoise observed the start of mass exploitation on November 25, 2023, with the initial activity coming from 32 distinct IP addresses.

CVE-2023-49103 affects the graphapi app, versions 0.2.0 through 0.3.0, and exposes sensitive data and configuration in containerized deployments. The graphapi app bundles a third-party library (the microsoft-graph PHP SDK) that ships a test script, GetPhpInfo.php, reachable by URL on the web server. Requesting that URL calls phpinfo(), which prints the PHP environment, including the web server's environment variables. In containerized deployments those variables can include the ownCloud admin password, the license key, and mail server credentials. The vulnerability has a CVSS score of 10.0.

CVE-2023-49105 is a critical WebDAV API authentication bypass in pre-signed URL handling that affects core versions 10.6.0 through 10.13.0. It can be exploited to access, modify, or delete any file without authentication, provided the victim's username is known and the victim has no signing key configured, which is the default. The vulnerability has a CVSS score of 9.8 out of 10.

CVE-2023-49104 is a critical subdomain validation bypass in the oauth2 app, versions earlier than 0.6.1. An attacker can supply a crafted redirect URL that passes the validation code, causing OAuth callbacks to be sent to a TLD under the attacker's control. The vulnerability has a CVSS score of 9.0.
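The bypass pattern behind this class of bug, as an added illustration that is not ownCloud's code: a redirect-URI check built on string-prefix matching accepts `https://app.example.com.attacker.tld/...`, because the registered origin is a prefix of it, and likewise the `user@host` form, whereas a check that parses the URI and compares each component exactly rejects both. The registered URI and all hostnames below are constructed values.

```python
from urllib.parse import urlsplit

# Registered callback for a hypothetical OAuth2 client (constructed value).
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"


def weak_redirect_allowed(redirect_uri, registered=REGISTERED_REDIRECT):
    """Illustrative weak pattern (not ownCloud's code): accept any redirect URI
    that begins with the registered origin, intending to tolerate extra path or
    query components. Because this is a string-prefix test, the origin
    'https://app.example.com' is also a prefix of
    'https://app.example.com.attacker.tld/...' and of
    'https://app.example.com@attacker.tld/...', so the authorization code is
    delivered to a host the attacker controls."""
    r = urlsplit(registered)
    origin = f"{r.scheme}://{r.netloc}"
    return redirect_uri.startswith(origin)


def strict_redirect_allowed(redirect_uri, registered=REGISTERED_REDIRECT, allow_subdomains=False):
    """Hardened check: parse both URIs and compare them component by component.

    - scheme must be https on both sides
    - no userinfo (user@host) in the supplied URI
    - host equal, or a real subdomain (on a label boundary) when allow_subdomains is set
    - port, path and query must match exactly; fragments are never allowed"""
    try:
        want = urlsplit(registered)
        got = urlsplit(redirect_uri)
        want_port, got_port = want.port, got.port   # .port raises ValueError on junk
    except ValueError:
        return False
    if got.scheme != "https" or want.scheme != "https":
        return False
    if got.username is not None or got.password is not None:
        return False
    want_host = (want.hostname or "").lower()
    got_host = (got.hostname or "").lower()
    if not want_host or not got_host:
        return False
    if got_host != want_host:
        # 'dev.app.example.com' passes; 'evilapp.example.com' and
        # 'app.example.com.attacker.tld' do not, because the suffix test is
        # anchored on a dot and on the full registered host.
        if not (allow_subdomains and got_host.endswith("." + want_host)):
            return False
    if got_port != want_port or got.path != want.path or got.query != want.query:
        return False
    if got.fragment:
        return False
    return True


if __name__ == "__main__":
    for uri in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com.attacker.tld/oauth/callback",
        "https://app.example.com@attacker.tld/oauth/callback",
    ):
        print(f"weak={weak_redirect_allowed(uri)!s:5} strict={strict_redirect_allowed(uri)!s:5} {uri}")
```

Exact matching of the whole redirect URI is what RFC 6749 recommends; the `allow_subdomains` switch is there only to show how a subdomain allowance can be written safely if a deployment insists on one.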

On December 5, 2023, the Health Sector Cybersecurity Coordination Center (HC3) published an advisory (https://www.hhs.gov/sites/default/files/owncloud-vulnerability-white-paper-tlpclear.pdf) urging HPH sector organizations to act immediately and carry out the actions recommended by ownCloud. Because the platform is integrated into a customer's data infrastructure, it is a target that can hand attackers access to sensitive information and a foothold for further attacks.

CVE-2023-49103 is being actively exploited in the wild and should be remediated first. The other two vulnerabilities should also be addressed without delay, since exploitation is likely to follow.

ownCloud notes that disabling the graphapi app does not fully resolve CVE-2023-49103. The file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php must also be deleted, and the phpinfo function should be disabled in Docker containers. ownCloud further recommends rotating any credentials that may have been exposed: the ownCloud admin password, the mail server and database credentials, and the Object-Store/S3 access key. The recommended mitigations for each vulnerability are available at: CVE-2023-49103 mitigations, CVE-2023-49104 mitigations and CVE-2023-49105 mitigations.
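An added example, not part of the HC3 or ownCloud guidance, of two checks a defender would run alongside this mitigation: a scan of web-server access-log lines (constructed here, in Apache/nginx combined format, with RFC 5737 test addresses) for requests to the GetPhpInfo.php script, and a parser for the php.ini `disable_functions` directive to confirm phpinfo is actually disabled. The log scan matches the file name anywhere in the request path, so requests with a different prefix or a trailing suffix are flagged too; that is a defensive assumption, not a bypass documented on this page.

```python
import re
from collections import defaultdict

# Path of the bundled test script named in the advisory text above.
GRAPHAPI_PHPINFO = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic. The second line shows a
# request with a suffix appended to the script path (an assumed variant).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '203.0.113.7 - - [25/Nov/2023:10:01:05 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 84213 "-" "curl/8.4.0"',
    '198.51.100.9 - - [25/Nov/2023:10:03:44 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Nov/2023:10:09:10 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 173 "-" "python-requests/2.31"',
]


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = _LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_graphapi_probes(lines):
    """Return the parsed requests that touch GetPhpInfo.php.

    The file name is matched anywhere in the path (case-insensitive) so that
    requests with a different prefix or a trailing suffix are still caught.
    A 200 means the script actually executed; a 403/404 is a failed probe."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is not None and "getphpinfo.php" in rec["path"].lower():
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def summarise_by_ip(hits):
    """Count probes and successful (HTTP 200) responses per source address."""
    by_ip = defaultdict(lambda: {"requests": 0, "served": 0})
    for h in hits:
        by_ip[h["ip"]]["requests"] += 1
        by_ip[h["ip"]]["served"] += 1 if h["served"] else 0
    return dict(by_ip)


def phpinfo_disabled(php_ini_text):
    """True if the last effective disable_functions line in php.ini lists phpinfo.

    Handles ; comments, quoting and whitespace, and requires the whole function
    name, so 'phpinfo_helper' does not count."""
    disabled = False
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ; comments
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        names = {n.strip().lower() for n in value.strip().strip('"\'').split(",")}
        disabled = "phpinfo" in names                 # later lines override earlier ones
    return disabled


if __name__ == "__main__":
    for ip, c in summarise_by_ip(find_graphapi_probes(SAMPLE_LOG)).items():
        print(f"{ip:15} probes={c['requests']} served={c['served']}")
    print("phpinfo disabled:", phpinfo_disabled("disable_functions = exec, phpinfo"))
```

A source address with `served` greater than zero is the one to treat as a likely credential exposure, which is when the credential rotation ownCloud recommends becomes mandatory rather than precautionary.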