Updated November 30, 2023
Since our initial post, it has come to our attention that a LockBit affiliate has exploited the CitrixBleed vulnerability to gain initial access. This affiliate acted swiftly and effectively, locating sensitive files and proceeding to exfiltrate them using the rclone.exe tool.
Surprisingly, although the files were successfully exfiltrated, no endpoints or files were encrypted, as is typical in ransomware attacks. Instead, the LockBit affiliate used a batch script named 1.bat to create a readme file called “!important_read_me!.txt” in every directory of the targeted file server from which the files had been exfiltrated.
If a user opened the readme file, they were greeted with a message stating “Hello, this is LockBit,” and including a unique customer ID. The file also provided multiple links to onion sites where the impacted user could initiate negotiations using their customer ID.
Our team of security experts will provide updates if new relevant information becomes available.
Citrix Bleed (CVE-2023-4966) is a critical vulnerability affecting Citrix NetScaler Gateway and NetScaler ADC products—network devices used for load balancing, firewall implementation, traffic management, virtual private network (VPN) access, and user authentication. By exploiting this flaw, attackers may be able to retrieve sensitive information (including session authentication cookies) from vulnerable appliances and subsequently hijack a user’s session.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:
NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is also vulnerable. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication products are not impacted.
Citrix released a patch for this flaw on October 10, 2023, but attackers have been abusing it as a zero-day vulnerability since late August 2023.
On October 25, 2023, researchers released a proof-of-concept (PoC) exploit for Citrix Bleed and noted that the vulnerability stems from a buffer-related flaw in Citrix NetScaler ADC and NetScaler Gateway that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
At least four different threat groups are exploiting Citrix Bleed and at least one has automated the attack chain. The US Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for addressing this flaw, including patching vulnerable appliances.
In just two days—November 7 to 9, 2023—ReliaQuest has identified multiple unique customer incidents featuring Citrix Bleed exploitation. Both CISA and Citrix’s owner Cloud Software Group have stressed the urgency of taking remedial action as soon as possible.
ReliaQuest has observed consistent examples of in-the-wild Citrix Bleed exploitation that produce similar signals usable for detection. In Citrix ADC syslog, the “TCPCONNSTAT” message logged by the “SSLVPN” function can reveal that a threat actor has exploited the vulnerability to hijack a user’s session.
Within the TCPCONNSTAT message, a mismatch between the “Client IP” and “Source” fields can indicate a threat actor actively using a previously authenticated session.
Use the following Sigma rule to detect a concurrent Citrix user session from different IPs.
title: Concurrent Citrix User Session From Multiple IPs
description: This rule detects a potential exploitation of Citrix Bleed (CVE-2023-4966).
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: Citrix Netscaler
detection:
  selection:
    function: "SSLVPN"
    message: "TCPCONNSTAT"
  condition: selection and Client IP does not equal Source
fields:
  - Client_ip
  - User
  - SessionId
  - Source
falsepositives:
  - Legitimate causes such as changing networks, cycling on/off VPN as well as DHCP can cause Client IPs to change during a session.
level: high
Note: While this can be a strong indicator for potential abuse of this vulnerability, there are certain caveats to consider.
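The field-to-field comparison in the rule's condition is typically implemented in the SIEM or in post-processing. The following is an added example, written for this post and not ReliaQuest's or Citrix's own code: it parses SSLVPN TCPCONNSTAT records, reproduces the Client_ip-versus-Source mismatch check, and adds a stricter variant that addresses the caveat above by flagging only sessions where the original address keeps appearing after a foreign one (a roaming user moves once and does not come back). The syslog layout and all sample lines are constructed; only the field names SessionId, User, Client_ip and Source come from the post.

```python
import re
# Constructed sample NetScaler syslog lines (not real telemetry); the layout approximates
# the "Key value - Key value" format. Only SessionId, User, Client_ip, Source are from the post.
SAMPLE_LOGS = [
    # 1001: Source agrees with Client_ip.
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 100 0 : Context alice@10.0.0.5 - SessionId: 1001 - User alice - Client_ip 10.0.0.5 - Vserver 192.0.2.10:443 - Source 10.0.0.5:51000 - Destination 10.10.0.20:445",
    # 2002: bob keeps working from 10.0.0.7 while 198.51.100.9 also uses his session.
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 101 0 : Context bob@10.0.0.7 - SessionId: 2002 - User bob - Client_ip 10.0.0.7 - Vserver 192.0.2.10:443 - Source 10.0.0.7:51010 - Destination 10.10.0.21:443",
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 102 0 : Context bob@10.0.0.7 - SessionId: 2002 - User bob - Client_ip 10.0.0.7 - Vserver 192.0.2.10:443 - Source 198.51.100.9:40000 - Destination 10.10.0.21:443",
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 103 0 : Context bob@10.0.0.7 - SessionId: 2002 - User bob - Client_ip 10.0.0.7 - Vserver 192.0.2.10:443 - Source 10.0.0.7:51011 - Destination 10.10.0.22:445",
    # 3003: carol's address changes once (DHCP / network change) and never returns.
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 104 0 : Context carol@10.0.0.9 - SessionId: 3003 - User carol - Client_ip 10.0.0.9 - Vserver 192.0.2.10:443 - Source 10.0.0.9:51020 - Destination 10.10.0.20:445",
    "ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 105 0 : Context carol@10.0.0.9 - SessionId: 3003 - User carol - Client_ip 10.0.0.9 - Vserver 192.0.2.10:443 - Source 10.0.1.9:51021 - Destination 10.10.0.20:445",
    # A non-SSLVPN record the parser must ignore.
    'ns1 0-PPE-0 : default AAA LOGIN_FAILED 106 0 : User dave - Client_ip 10.0.0.11 - Failure_reason "Bad password"',
]

RECORD_RE = re.compile(
    r"\bSSLVPN TCPCONNSTAT\b.*?SessionId: (?P<session>\d+) - User (?P<user>\S+)"
    r" - Client_ip (?P<client_ip>[0-9a-fA-F.:]+).*? - Source (?P<source>\S+)"
)

def parse_tcpconnstat(line):
    """Fields of an SSLVPN TCPCONNSTAT record (Source without its ephemeral port), else None."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    return {**m.groupdict(), "source_host": m["source"].rsplit(":", 1)[0]}

def mismatched_records(lines):
    recs = filter(None, map(parse_tcpconnstat, lines))
    return [r for r in recs if r["source_host"] != r["client_ip"]]

def concurrent_sessions(lines):
    """Heuristic of my own, not the post's: flag a session only when a foreign Source
    (!= Client_ip) appears and Client_ip is seen again afterwards; a one-time roam is not."""
    by_session = {}
    for rec in filter(None, map(parse_tcpconnstat, lines)):
        by_session.setdefault(rec["session"], []).append(rec)
    hits = {}
    for session, recs in by_session.items():
        saw_foreign = False
        for r in recs:
            if r["source_host"] != r["client_ip"]:
                saw_foreign = True
            elif saw_foreign:
                hits[session] = sorted({x["source_host"] for x in recs})
                break
    return hits
```

On the sample data, mismatched_records fires on both bob's hijacked session and carol's benign roam, while concurrent_sessions fires only on bob's, which is the distinction the note's caveat calls for.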
ReliaQuest has identified multiple cases in customer environments in which threat actors have used the Citrix Bleed exploit. Having gained initial access, the adversaries quickly enumerated the environment, with a focus on speed over stealth. In some cases, the attackers moved quickly to identify and exfiltrate data shares; in other scenarios, the threat actor may have attempted to deploy ransomware. The following list enumerates MITRE ATT&CK techniques we have observed in one or more incidents.
Note: Although these are the most common techniques we have observed, additional techniques have triggered ReliaQuest detections. ReliaQuest has provided customers with a comprehensive set of detection rules both via email and within GreyMatter.
nltest/dclist
KerberosRequestorSecurityToken.GetRequest
Security researchers have reported multiple cases of adversaries exploiting the Citrix Bleed vulnerability in the wild. Researchers estimate that around 20,000 Citrix devices have had session tokens stolen. Querying the internet-facing device search engine Shodan indicates that approximately 18,000 ADC appliances are still publicly reachable. With the release of a PoC, mass exploitation is highly likely, affecting organizations that have not implemented the advised measures.
CISA and Cloud Software Group urge organizations running affected builds that have configured customer-managed NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server to install the following updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:
NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL); CISA recommends upgrading appliances to one of the supported versions that address the vulnerabilities. Organizations using NetScaler ADC or NetScaler Gateway instances on SDX hardware must upgrade VPX instances (the underlying SDX hardware itself is not affected). NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
Cloud Software Group recommends killing all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
We have shared relevant detection information with our customers via email and within GreyMatter. Customers can reach out to their customer success managers for additional information.
We will also continue to update this blog as new information arises.