Citrix Security Breach: Hackers Taking Advantage of Flaw Despite Fix!
According to a US cyber official, government-backed hackers and criminal groups have taken advantage of a significant vulnerability in software developed by Citrix Systems Inc., a company known for pioneering remote access technology that enables individuals to work from any location.
The flaw, dubbed Citrix Bleed, was exploited by hackers for weeks before it was discovered, and a fix was released last month, according to Citrix online publications and cybersecurity researchers. Since then, researchers say hackers have accelerated exploitation of the flaw, targeting thousands of customers who haven’t installed the patch.
“We are aware that many malicious actors, including nation-states and criminal groups, are focused on exploiting the Citrix Bleed vulnerability,” said Eric Goldstein, deputy director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency (CISA), Bloomberg News reported.
CISA is providing assistance to victims, said Goldstein, who declined to identify them. Adversaries could exploit the vulnerability to steal sensitive data and try to gain wider access to the network, he said.
Citrix did not respond to messages seeking comment.
Among the criminal groups exploiting the Citrix Bleed bug is one of the world’s most notorious hacking groups, LockBit, according to the global bank security consortium FS-ISAC, which on Tuesday published a security bulletin on the risks posed to financial institutions.
The U.S. Treasury Department has also said it is looking into whether Citrix vulnerabilities are to blame for the recent debilitating ransom hack against Industrial & Commercial Bank of China Ltd, according to a person familiar with the matter. Because of the breach, the world’s largest bank was unable to clear the US Treasury’s trades. ICBC did not respond to a request for comment.
LockBit claimed credit for hacking ICBC, and a representative for the gang said the bank paid the ransom, though Bloomberg could not independently confirm the claim. The Wall Street Journal previously reported on the US Treasury note.
On October 10, Citrix announced that it had discovered the Citrix Bleed bug and issued a patch. According to the company, at that time there were no signs that anyone had exploited the vulnerability.
However, since then, several Citrix customers have discovered they were breached before the patch was released, according to a Citrix post and cybersecurity researchers. One early victim was a European government, according to a person familiar with the matter, who declined to name the country.
According to CISA, the Citrix Bleed flaw could allow a hacker to take control of a victim’s system. The flaw earned its nickname because it can leak sensitive data from a device’s memory, according to Unit 42, the research arm of cybersecurity firm Palo Alto Networks Inc. The leaked data may contain “session tokens” that can identify and authenticate a visitor to a particular website or service without a password.
Cybersecurity firm Mandiant began investigating the vulnerability after Citrix reported it and eventually found several victims before the bug was publicized or patched in late August.
Charles Carmakal, chief technology officer of Mandiant’s consulting division, told Bloomberg that those first attacks did not appear to be financially motivated. Mandiant is still evaluating whether a nation-state, possibly China, conducted these early intrusions for espionage purposes.
Reached for comment, the Chinese Embassy in Washington did not comment on the Citrix vulnerability, but instead referred to the State Department’s Nov. 10 comments. “ICBC is closely monitoring this and has taken effective emergency measures and engaged in appropriate monitoring and communication to minimize risk, impact and damage,” the ministry said.
Citrix updated its guidance on October 23, recommending “killing all active and persistent sessions” in addition to the fix.
Thousands of companies failed to update their Citrix software and take other steps urgently recommended by the company, CISA and others. Palo Alto’s Unit 42 teams, which have also spotted ransomware groups exploiting the bug, said in a blog post on Nov. 1 that at least 6,000 IP addresses appeared to be vulnerable, and that most of these devices were located in the United States, with others in Germany, China and the United Kingdom.
GreyNoise, a company that analyzes scanning based on IP addresses, reported seeing 335 unique IP addresses attempting to use the Citrix Bleed exploit since it began tracking it on October 17th.
LockBit is both the name of the gang and the type of ransomware it produces. The FBI says it is responsible for more than 1,700 attacks on the United States since 2020.
Security researcher Kevin Beaumont said LockBit’s exploitation of the Citrix flaw extends to multiple victims. Law firm Allen & Overy was breached through a Citrix bug, he said in a Medium post, and aerospace giant Boeing Co. and port operator DP World Plc had unpatched Citrix devices that could potentially allow hackers to exploit the flaw.
Beaumont described the flaw as “incredibly easy to exploit” and added: “The cyber security reality we live in now is that teenagers are running around in organized crime groups with digital singles.”
Representatives for Allen & Overy, DP World and Boeing did not address whether the Citrix flaw was exploited. A small number of storage servers were affected by the Allen & Overy incident, but core systems have not been affected, the spokesperson said. The breach affecting Boeing’s parts and distribution system remains under investigation, the spokesman said.
A DP World representative said the company has limited details it can provide due to the ongoing nature of the investigation. Beaumont did not respond to a request for comment.