Citrix customers urged to patch as ransomware gang takes credit for hacking major companies
They say security researchers hackers are mass exploiting a critical rating vulnerability in Citrix NetScaler systems to launch devastating cyber attacks against large organizations worldwide.
These cyberattacks have so far included aerospace giant Boeing. the world’s largest bank, ICBC. one of the largest port companies in the world, DP World. and international law firm Allen & Overy, according to reports.
Thousands of other organizations remain unpatched against the vulnerability, officially monitored as CVE-2023-4966 and named “CitrixBleed”. The majority of affected systems are located in North America, according to non-profit threat monitoring program Shadowserver Foundation. The US government’s cyber security agency CISA also sounded the alarm in an advisory urging federal agencies to repair against the flaw being actively exploited.
Here’s what we know so far.
What is CitrixBleed?
On October 10, network equipment maker Citrix disclosed the vulnerability affecting on-premise versions of the NetScaler ADC and NetScaler Gateway platforms, which are used by large enterprises and governments for application delivery and VPN connectivity.
The flaw is described as a sensitive information disclosure vulnerability that allows remote, unauthenticated attackers to extract large amounts of data from the memory of a vulnerable Citrix device, including sensitive session tokens (hence the name “CitrixBleed”). The flaw requires little effort or sophistication to exploit, allowing hackers to steal and use legitimate session tokens to compromise a victim’s network without needing a password or using two factors.
Citrix released patches, but a week later, on October 17, it updated its advisory to advise that it had observed an exploit in the wild.
Early victims include professional services, technology and government organizations, according to incident response giant Mandiantwhich said it launched the investigation after discovering “multiple instances of successful exploitation” as early as late August before Citrix made patches available.
Robert Knapp, head of incident response at cybersecurity firm Rapid7 — which also started investigating the error after identifying a potential exploit of the bug on a customer’s network — said the company has also noticed attackers targeting organizations across healthcare, manufacturing and retail.
“Rapid7 incident responders observed both lateral movement and data access during our investigations,” Knapp said, suggesting that hackers can gain broader access to victims’ network and data after an initial compromise.
Big casualties
Cybersecurity firm ReliaQuest said Last week has evidence that at least four threat groups – which it did not name – are using CitrixBleed, with at least one group automating the attack process.
One of the threat actors is believed to be the Russian-linked LockBit ransomware gang, which has already claimed responsibility for several large-scale breaches believed to be related to CitrixBleed.
Security researcher Kevin Beaumont wrote in a blog post On Tuesday that the LockBit gang last week broke into the US branch of the Industrial and Commercial Bank of China (ICBC) – said to be the world’s largest lender by assets – compromising an unpatched Citrix Netscaler box. The outage disrupted the banking giant’s ability to clear trades. According to Bloomberg on Tuesdaythe company has yet to restore normal operations.
ICBC, which reportedly paid LockBit’s ransom demand, declined to respond to TechCrunch’s questions, but said in a statement on its website that it “experienced a ransomware attack” that “resulted in an outage to some systems.”
LockBit representative he told Reuters on Monday that ICBC “paid a ransom – the deal was closed,” but provided no evidence for its claim. LockBit too said the vx-underground malware research team that ICBC paid a ransom, but declined to say how much.
Beaumont he said in a post on Mastodon that Boeing also had an unpatched Citrix Netscaler system at the time of the LockBit breach, citing data from Shodan, a search engine for exposed databases and devices.
Boeing spokesman Jim Proulx told TechCrunch that the company is “aware of a cyber incident affecting elements of our parts and distribution operations,” but did not comment on LockBit’s alleged publication of stolen data.
Allen & Overy, one of the world’s largest law firms, also operated an affected Citrix system at the time of its compromise, Beaumont noted. LockBit added both Boeing and Allen & Overy to its dark web leak site, which ransomware gangs commonly use to extort victims by publishing files unless victims pay a ransom.
Allen & Overy spokeswoman Debbie Spitz confirmed the law firm had experienced a “data incident” and said it was “assessing exactly what data was affected and we are notifying affected clients.”
The Medusa ransomware gang also exploits CitrixBleed to compromise targeted organizations, Beaumont said.
“We would expect CVE-2023-4966 to be one of the top vulnerabilities used regularly from 2023,” Rapid7 head of vulnerability research Caitlin Condon told TechCrunch.
