Hackers are exploiting the ‘CitrixBleed’ bug in the latest wave of mass cyberattacks

Citrix customers urged to patch as ransomware gang leads hacking of major companies

Security researchers say hackers are exploiting a critical vulnerability in Citrix NetScaler systems to launch crippling cyberattacks against large organizations around the world.

These cyberattacks so far include aerospace giant Boeing; the world’s largest bank, ICBC; one of the world’s largest port operators, DP World; and international law firm Allen & Overy, according to reports.

Thousands of other organizations remain unpatched against the vulnerability, which is officially tracked as CVE-2023-4966 and is called “CitrixBleed.” Most of the affected systems are located in North America, according to nonprofit threat tracker the Shadowserver Foundation. The US government’s cybersecurity agency CISA has also sounded the alarm in an advisory urging federal agencies to patch against the actively exploited flaw.

Here’s what we know so far.

What is CitrixBleed?

On October 10, network equipment maker Citrix disclosed a vulnerability affecting on-premise versions of the NetScaler ADC and NetScaler Gateway platforms, which are used by large enterprises and governments for application delivery and VPN connections.

The flaw is described as a sensitive information disclosure vulnerability that allows remote, unauthenticated attackers to extract large amounts of data from a vulnerable Citrix device’s memory, including sensitive session tokens (hence the name “CitrixBleed”). The bug requires little effort or complexity to exploit, and it allows hackers to hijack and use legitimate session tokens to compromise a victim’s network without needing a password or a second authentication factor.
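One defensive check that follows from the above, added here as an example and not code from the original article or from Citrix: because a leaked session token is replayed from the attacker’s own infrastructure, a token seen from two different source IP addresses within a short window is a useful triage signal for session hijacking. The log records, field layout and token names below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real NetScaler log lines). Each entry is
# (timestamp, session token, source IP, username); token ids are hypothetical.
SAMPLE_EVENTS = [
    ("2023-10-18T09:00:00", "tok-A1", "203.0.113.10", "alice"),
    ("2023-10-18T09:05:00", "tok-A1", "203.0.113.10", "alice"),
    ("2023-10-18T09:07:00", "tok-A1", "198.51.100.77", "alice"),  # same token, new IP, 2 min later
    ("2023-10-18T10:00:00", "tok-B2", "192.0.2.5", "bob"),
    ("2023-10-18T16:30:00", "tok-B2", "192.0.2.5", "bob"),
    ("2023-10-18T11:00:00", "tok-C3", "203.0.113.44", "carol"),
    ("2023-10-19T12:00:00", "tok-C3", "198.51.100.9", "carol"),  # new IP, but a day later
]


def parse(events):
    """Turn the constructed tuples into (datetime, token, ip, user) records."""
    return [(datetime.fromisoformat(ts), tok, ip, user) for ts, tok, ip, user in events]


def suspicious_sessions(events, window=timedelta(hours=1)):
    """Return {token: (user, sorted list of IPs)} for every session token that
    was used from two different source IPs within `window` of each other.

    A legitimate user roaming between networks can trigger this too, so treat
    a hit as a reason to review and, if unexplained, invalidate the session,
    not as proof of compromise on its own."""
    by_token = defaultdict(list)
    for ts, tok, ip, user in parse(events):
        by_token[tok].append((ts, ip, user))

    flagged = {}
    for tok, uses in by_token.items():
        uses.sort()  # chronological order so adjacent uses are compared
        for i in range(1, len(uses)):
            prev_ts, prev_ip, _ = uses[i - 1]
            ts, ip, user = uses[i]
            if ip != prev_ip and ts - prev_ts <= window:
                flagged[tok] = (user, sorted({u[1] for u in uses}))
                break
    return flagged


if __name__ == "__main__":
    for tok, (user, ips) in suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"review session {tok} ({user}): seen from {', '.join(ips)}")
```

Widening `window` trades fewer missed replays for more noise from genuinely mobile users, so tune it against the organisation’s own baseline of IP changes per session.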

Citrix released patches, but a week later on October 17 updated its advisory to announce that it had observed an exploit in the wild.

Early victims include professional services, technology, and government organizations, according to incident response giant Mandiant, which said it began investigating after discovering “several instances of successful exploitation” as early as late August, before Citrix made patches available.

Robert Knapp, head of incident response at cybersecurity firm Rapid7, which also began investigating the bug after finding signs of potential exploitation in a customer’s network, said the company has also observed attackers targeting organizations across healthcare, manufacturing, and retail.

“Rapid7 incident responders observed lateral movement and access to data during the course of our investigations,” Knapp said, suggesting that hackers may have gained broader access to the network and data on victims after the first compromise.

Big victims

Cybersecurity company ReliaQuest said last week it has evidence that at least four threat groups – which it did not name – are exploiting CitrixBleed, with at least one group automating the attack process.

One of the threat actors is believed to be the Russian-linked LockBit ransomware gang, which has already claimed responsibility for several major breaches believed to be related to CitrixBleed.

Security researcher Kevin Beaumont wrote in a blog post Tuesday that the LockBit gang last week hacked the US branch of the Industrial and Commercial Bank of China (ICBC) — said to be the world’s largest lender by assets — by compromising an unpatched Citrix NetScaler box. The outage disrupted the banking giant’s ability to clear trades. According to Bloomberg on Tuesday, the company has not yet returned to normal operations.

ICBC, which reportedly paid LockBit’s ransom demand, declined to respond to TechCrunch’s questions but said in a statement on its website that it “experienced a ransomware attack” that “resulted in the disruption of some systems.”

A representative of LockBit told Reuters on Monday that ICBC “paid a ransom – the deal was closed,” but provided no evidence for the claim. LockBit also told the malware research group vx-underground that ICBC paid a ransom, but declined to say how much.

Beaumont said in a post on Mastodon that Boeing also had an unpatched Citrix Netscaler system at the time of its LockBit breach, citing data from Shodan, a search engine for exposed databases and tools.

Boeing spokesman Jim Proulx previously told TechCrunch that the company was “aware of a cyber incident affecting elements of our parts and distribution business” but would not comment on LockBit’s alleged publication of stolen data.

Allen & Overy, one of the world’s largest law firms, also ran an affected Citrix system at the time of its compromise, Beaumont said. LockBit has added Boeing and Allen & Overy to its dark web leak site, which is commonly used by ransomware gangs to extort victims by publishing files unless victims pay a ransom demand. A spokesman for Allen & Overy did not respond to a request for comment.

The Medusa ransomware gang also exploited CitrixBleed to compromise target organizations, said Beaumont.

“We expect CVE-2023-4966 to be one of the top frequently exploited vulnerabilities from 2023,” Rapid7’s head of vulnerability research Caitlin Condon told TechCrunch.
