Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Publication Date: 2024-06-14
Meta Description: Citrix Bleed 2 exploited by ransomware groups; critical threat leveraging BYOVD and supply chain credential compromise. Admins and SecOps need rapid patching, credential rotation, and targeted detection to mitigate risk.
Citrix Bleed 2: Ransomware’s Favorite Playground (Again)
Threat Summary / TL;DR
Ransomware groups are exploiting Citrix Bleed 2 (CVE-2023-4966), bypassing authentication in NetScaler Gateway and ADC appliances. Attackers are pairing it with Bring Your Own Vulnerable Driver (BYOVD) techniques and leveraging compromised supply chain credentials. If you manage Citrix, RMM tools, or AD service accounts, you’re in the blast radius. Patch now, rotate credentials, and monitor for kernel driver abuse—this attack is landing in real environments.
Author Byline
Jake Brody – Principal DevSecOps Engineer, 17 years in the trenches (finance, healthcare, US Federal); led incident response for 2017 NotPetya in a Fortune-100, and containment of Citrix CVE-2019-19781 at a major healthcare provider. Find me at LinkedIn or BrodySecOps.com.
Who’s At Risk
- Enterprises running vulnerable Citrix NetScaler/ADC.
- Organizations relying on RMM tools (e.g., ConnectWise, TeamViewer).
- Any shop with flat AD architecture, legacy service accounts, or poorly controlled supply chain integrations.
- CISOs, SecOps, and IT admins—especially those who haven’t patched since Q1.
How They Do It: Attack Flow
1. Initial Access:
Citrix Bleed 2 allows attackers to bypass authentication and extract session tokens. See CVE-2023-4966 advisory.
2. Credential Dumping:
Compromised supply chain creds (often via API leaks or third-party mishandling) enable lateral movement; attackers target domain admin-level accounts.
3. BYOVD:
Threat actors load vulnerable drivers (e.g., HackSysExtremeVulnerableDriver) to escalate privileges and disable security tools, per Microsoft’s BYOVD guidance.
4. Living-Off-the-Land:
Attackers use legitimate RMM tools for remote command and control.
5. Ransom Deployment:
Anubis and other ransomware families move quickly, encrypting file shares via SMB, leveraging MITRE ATT&CK techniques like T1133 (External Remote Services) and T1569 (System Services).
Composite Incident: How “Best Practices” Get You Owned
Picture an incident from late 2023—a composite, but all factually drawn from recent IR cases.
Pager goes off at 2:14 AM. Lateral movement detected via ConnectWise in a healthcare environment. Triage reveals attackers exploiting Citrix ADC (unpatched, CVE-2023-4966 status), then dumping credentials using LSASS, and loading a vulnerable driver (HackSysExtremeVulnerableDriver.sys) to disable EDR. We locked down AD accounts, changed MS-DHCP configs, and spent days parsing Citrix logs for evidence. Key failure? Service accounts granted domain admin, stale supply chain API keys, and RMM consoles exposed outside trusted VLANs.
Indicators & Detection Recipes
Log Sources & Artifacts
- Citrix NetScaler/ADC logs (auth events, session extraction, admin logins).
- Event Logs:
- AD Security Event ID 4624 (logons), 4720/4726 (account creation/deletion).
- Sysmon: ProcessCreate events (e.g., driver loads, suspicious RMM execution).
- RMM process logs: Unexpected scheduling, admin access from odd IP ranges.
- Kernel driver loads:
- Look for unsigned/non-Microsoft drivers, especially in C:\Windows\Temp or System32\Drivers.
Behavioral Indicators
- Rapid creation/deletion of accounts in AD.
- Unusual PowerShell or rundll32 command lines (often base64-encoded).
- RMM tool usage outside normal maintenance windows, new admin sessions.
- LSASS process dumps (look for procdump.exe, comsvcs.dll, or unusual svchost behavior).
Sample Detections
- Splunk Query:
- Search EventCode=4624 AND (AccountName="svc*" OR AccountName="admin*") AND WorkstationName!="expected-host"
- Sigma Rule Reference:
- Sysmon Query:
- event_id: 1 AND (Image="ConnectWise" OR Image="TeamViewer") AND NOT ParentImage="expected-admin-console"

Immediate Playbook (0–24h)
- Isolate compromised Citrix appliances and affected hosts (network quarantine).
- Preserve evidence:
- Dump volatile memory, save NetScaler logs, snapshot affected endpoints.
- Rotate all privileged service accounts—especially those with domain rights.
- Revoke/replace supply chain API keys and secrets exposed in any .env/.config file.
- Patch Citrix NetScaler/ADC to fixed version.
- Block vulnerable driver loads using WDAC, HVCI/Memory Integrity (Microsoft docs).
- Audit RMM consoles: Enforce MFA and conditional access, restrict to trusted VLANs, alert on off-hours logins.
Medium-term Fixes (24–90d)
- Implement LAPS (Microsoft LAPS documentation) for local admin password rotation.
- Move service accounts to short-lived credentials; use managed identities in cloud environments.
- Apply CIS Controls (CIS Control documentation).
- Establish conditional access policies for all admin consoles; hardware-backed MFA (FIDO2, Yubikey) only.
- Segregate RMM tools into isolated networks; enforce certificate pinning/mTLS.
Long-term Hardening
- Decommission unsupported Citrix infrastructure—if vendors won’t patch, remove it.
- Apply MITRE ATT&CK mappings to detection strategies; review Initial Access (T1190), Credential Dumping (T1003), and BYOVD exploitation (T1068).
- Automate secrets rotation; validate via quarterly audits.
- Enforce WDAC and block unsigned kernel drivers across >95% of endpoints.
Success Criteria
- Citrix NetScaler/ADC running fixed version (check via management console).
- Service and admin credentials rotated and validated (no stale accounts).
- No vulnerable driver loads for 30+ days (audit logs).
- SIEM detects all off-hours RMM tool invocations; false positive rate <10%.
- MFA in place for every admin console, verified quarterly.
Limitations / Sources
All technical details sourced from Citrix advisory CTX561482, CISA alerts, Microsoft BYOVD blog, MITRE ATT&CK (attack.mitre.org). Composite incident built from public postmortems; no confidential information disclosed. Detection recipes leverage Sigma rules, Splunk, Sysmon, and CIS guidance; readers should adapt to their environment.
Last Word
Security debt accumulates. Ignore it, and attackers will collect. Question is: next quarter, will your team be patching, or explaining to executives how a five-year-old config got you owned?