On December 18, 2023, Comcast Xfinity filed a notice with the Attorney General of Maine disclosing that an exploited vulnerability in software from one of its providers, Citrix, had exposed the sensitive information of almost 36 million customers. The flaw is believed to have been exploited as early as August 2023; Citrix announced patches in October, but mass exploitation of unpatched systems followed within weeks of the patch release.

Kiran Chinnagangannagari, CTO, CPO & co-founder of Securin, explains how a single vulnerability like this one can cause so much damage.

“CVE-2023-4966, more commonly known as ‘CitrixBleed,’ is a vulnerability within the Citrix NetScaler ADC and Gateway software that could allow a cyber bad actor to take control of an affected system,” Chinnagangannagari elaborated.

He went on to say that “At the time of the patch release, Citrix had no evidence of the vulnerability being exploited in the wild. However, Securin observed exploitation just a week later, including ransomware groups LockBit and Medusa leveraging this vulnerability. Securin also observed mentions of this vulnerability in deep, dark web and hacker forums.”

“Vulnerabilities within commonly used software are extremely dangerous because they can be replicated across other companies that might not have patched it either, which we have seen in the case of CitrixBleed, as it is being linked to many incidents in 2023, including Boeing, ICBC, DP World, Allen & Overy, and thousands of other organizations. These big-name victims emphasize ransomware gangs’ ongoing commitment to crippling and disrupting operations that could affect the security of everyday people and even U.S. critical infrastructures.” 

“While large-scale companies have been facing ever-evolving and continuous threats to their cybersecurity, it’s important to remember that these vulnerabilities are all too common and risk exploiting data like names, contact information, the last four digits of social security numbers, dates of birth, and answers to secret questions on the site. This particular vulnerability leaks the content of system memory to the attacker, allowing the attacker to impersonate a different authenticated user. This exploit poses a grave threat to system security and user integrity, emphasizing the critical need for immediate attention and remediation. CWE-119 is the weakness associated with this vulnerability and Securin is tracking 14,231 additional vulnerabilities associated with this weakness with quite a few of them being exploited by ransomware and APT groups.”
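As an added example (not part of the original article or of Securin's material), the script below shows what "impersonating a different authenticated user" with a leaked session token looks like in gateway logs, and how to flag it. The log format, field names, session IDs and addresses are all constructed for this example; real NetScaler syslog is laid out differently, so the parser would need adjusting before use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway session log for this example. The layout
# (timestamp followed by key=value fields) is an assumption, not NetScaler's
# real syslog format. Session 5f3a9c is later presented from a second address;
# session c0ffee is presented again after its owner logged out.
SAMPLE_LOG = """\
2023-10-17T10:01:12Z event=login user=alice session=5f3a9c src=203.0.113.5
2023-10-17T10:03:40Z event=request user=alice session=5f3a9c src=203.0.113.5 path=/portal
2023-10-17T10:09:02Z event=request user=alice session=5f3a9c src=198.51.100.77 path=/portal
2023-10-17T10:12:55Z event=login user=bob session=c0ffee src=192.0.2.10
2023-10-17T10:14:00Z event=request user=bob session=c0ffee src=192.0.2.10 path=/portal
2023-10-17T10:20:30Z event=logout user=bob session=c0ffee src=192.0.2.10
2023-10-17T10:25:11Z event=request user=bob session=c0ffee src=198.51.100.77 path=/admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one constructed log line into a dict of fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields


def find_hijacks(log_text):
    """Return alerts for session tokens that look stolen.

    Two signals are used: the same session token presented from a source
    address other than the one that established it, and a token still being
    used after its owner logged out. Both are what a leaked token looks like
    from the gateway's point of view.
    """
    first_src = {}   # session id -> source address that first used it
    ended = set()    # session ids that have been logged out
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "session" not in ev:
            continue
        sid = ev["session"]
        if sid in ended and ev["event"] != "login":
            alerts.append({"session": sid, "user": ev["user"], "src": ev["src"],
                           "ts": ev["ts"], "reason": "use_after_logout"})
            continue
        if ev["event"] == "logout":
            ended.add(sid)
            continue
        if sid not in first_src:
            first_src[sid] = ev["src"]
        elif ev["src"] != first_src[sid]:
            alerts.append({"session": sid, "user": ev["user"], "src": ev["src"],
                           "first_src": first_src[sid], "ts": ev["ts"],
                           "reason": "source_ip_changed"})
    return alerts


def suspicious_sources(alerts):
    """Map each alerting source address to the set of users whose sessions it presented.

    One address replaying several different users' tokens is the strongest
    single indicator of token theft rather than a roaming client.
    """
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src"]].add(a["user"])
    return dict(by_src)


if __name__ == "__main__":
    found = find_hijacks(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['reason']:18} user={a['user']} session={a['session']} src={a['src']}")
    print("addresses presenting multiple users' tokens:",
          {s: sorted(u) for s, u in suspicious_sources(found).items() if len(u) > 1})
```

Source-address changes on their own produce false positives for mobile and roaming users, so treat this output as a triage queue rather than a blocking rule; the cross-user pivot from a single address is the signal worth paging on. One caveat that matters for this particular bug: a token leaked from appliance memory stays valid after the appliance is patched, so patching has to be paired with terminating existing sessions (Citrix's guidance for CVE-2023-4966 included commands such as `kill aaa session -all` and `kill icaconnection -all`).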

Chinnagangannagari implores companies to look for ways to mitigate risk. 

“Companies must look at leveraging a framework like Continuous Threat Exposure Management (CTEM) to prioritize and mitigate risks. In addition to multi-factor authentication (MFA), cybersecurity teams must implement and update basic security practices with routine scans of their attack surface, consolidating third-party applications, updating access controls, systems, and routine updates to complex passwords.” 

The post To Xfinity’s Breach and Beyond – The Fallout from “CitrixBleed” appeared first on Cybersecurity Insiders.

Cyber criminals have recently targeted Citrix NetScaler ADC and Gateway servers through a vulnerability tracked as CVE-2023-3519, which carries a critical CVSS score of 9.8. The flaw allows unauthenticated remote code execution, giving an attacker a foothold on the appliance itself.

The exploitation campaign was identified by the Shadowserver Foundation, a non-profit organization that collects and analyzes data on malicious online activity and provides daily network reports to its subscribers, including government and law enforcement agencies.

Citrix is investigating the incident, and at this stage the extent of the impact on affected servers remains unclear. The company has said it will release more details over the coming weekend.

Security analysts from the Shadowserver Foundation have observed that many of the targeted IP addresses are located in France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. They estimate that around 15,000 exposed servers could be at risk.

The vulnerability had been disclosed by US-CERT in mid-July, and Citrix released a fix at that time. Not all users applied the fix promptly, however, leaving their systems open to exploitation, particularly in the Western European countries listed above.

Citrix has not yet attributed the attack to any specific threat actor, although the scale and sophistication of the campaign have led to speculation that a state-sponsored group is responsible. Unofficial estimates put the number of Citrix servers compromised with web shells at approximately 640.

The situation is being closely monitored, and Citrix users should apply the provided patches promptly. Patching closes the hole but does not remove a web shell that was planted before the update, so administrators of appliances that were exposed while unpatched should also check them for signs of compromise. Further information is likely to follow once Citrix completes its investigation.
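The practical check behind "apply the patches promptly" here, and behind the routine attack-surface scans recommended in the first article, is comparing each appliance's build against the first fixed build. The following added example, which is not part of the original article or of any Citrix tooling, does that for both CVEs discussed on this page. The fixed builds are transcribed from the Citrix bulletins CTX561482 (CVE-2023-3519) and CTX579459 (CVE-2023-4966) as I recall them and must be checked against the current advisories before the output is acted on; the accepted version-string formats and the `assess` helper are assumptions made for this example.

```python
import re

# First fixed build per version line and branch, as (build series, build minor).
# Transcribed from Citrix bulletins CTX561482 and CTX579459; verify against the
# current advisories before relying on this table.
FIXED_BUILDS = {
    ("14.1", "standard"): {"CVE-2023-4966": (8, 50)},
    ("13.1", "standard"): {"CVE-2023-3519": (49, 13), "CVE-2023-4966": (49, 15)},
    ("13.0", "standard"): {"CVE-2023-3519": (91, 13), "CVE-2023-4966": (92, 19)},
    ("13.1", "fips"):     {"CVE-2023-3519": (37, 159), "CVE-2023-4966": (37, 164)},
    ("12.1", "fips"):     {"CVE-2023-3519": (55, 297), "CVE-2023-4966": (55, 300)},
}
CVES = ("CVE-2023-3519", "CVE-2023-4966")

# Build series that belong to the FIPS / NDcPP branches rather than the
# mainstream branch of the same version line (assumption based on the bulletins).
FIPS_SERIES = {("13.1", 37), ("12.1", 55)}

# Accepts "13.1-49.13" as well as the 'show version' form
# "NetScaler NS13.1: Build 49.13.nc" (format handling is an assumption).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s*)(\d+)\.(\d+)")


def parse_version(text):
    """Return (version line, branch, (series, minor)) for a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    line, series, minor = m.group(1), int(m.group(2)), int(m.group(3))
    branch = "fips" if (line, series) in FIPS_SERIES else "standard"
    return line, branch, (series, minor)


def assess(text):
    """Classify one appliance as patched / vulnerable / not listed / unknown per CVE.

    Builds compare as (series, minor) tuples, so 13.0-91.13 is patched for
    CVE-2023-3519 but still vulnerable to CVE-2023-4966, whose fix landed in 92.19.
    """
    line, branch, build = parse_version(text)
    table = FIXED_BUILDS.get((line, branch))
    if table is None:
        # Version line not covered by the bulletins in the table (e.g. an EOL line).
        return {cve: "unknown" for cve in CVES}
    result = {}
    for cve in CVES:
        fixed = table.get(cve)
        if fixed is None:
            result[cve] = "not listed"
        else:
            result[cve] = "patched" if build >= fixed else "vulnerable"
    return result


def triage(inventory):
    """Run assess() over a {hostname: version string} inventory and return only hosts needing work."""
    findings = {}
    for host, version in inventory.items():
        verdict = assess(version)
        open_cves = sorted(cve for cve, state in verdict.items() if state == "vulnerable")
        if open_cves:
            findings[host] = open_cves
    return findings


if __name__ == "__main__":
    # Constructed inventory for the example; hostnames and builds are made up.
    inventory = {
        "gw-eu-1": "NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023",
        "gw-eu-2": "13.0-92.19",
        "gw-fips": "13.1-37.160",
        "gw-lab":  "14.1-8.50",
    }
    for host, cves in triage(inventory).items():
        print(f"{host}: vulnerable to {', '.join(cves)}")
```

A "patched" verdict for CVE-2023-4966 says nothing about sessions that were stolen before the upgrade; those tokens remain valid until the sessions are terminated, which is why the vendor guidance paired the patch with killing active and persistent sessions. Likewise a "patched" verdict for CVE-2023-3519 does not rule out a web shell left behind from the unpatched window.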

The post Citrix servers hacked because of a vulnerability appeared first on Cybersecurity Insiders.