Security researchers say hackers are mass-exploiting a critical-rated vulnerability in Citrix NetScaler systems to launch crippling cyberattacks against big-name organizations worldwide.
These cyberattacks have so far included aerospace giant Boeing; the world’s biggest bank, ICBC; one of the world’s largest port operators, DP World; and international law firm Allen & Overy, according to reports.
Thousands of other organizations remain unpatched against the vulnerability, tracked officially as CVE-2023-4966 and dubbed “CitrixBleed.” The majority of affected systems are located in North America, according to nonprofit threat tracker Shadowserver Foundation. The U.S. government’s cybersecurity agency CISA has also sounded the alarm in an advisory urging federal agencies to patch against the actively exploited flaw.
Here’s what we know so far.
What is CitrixBleed?
On October 10, network equipment maker Citrix disclosed the vulnerability affecting on-premise versions of its NetScaler ADC and NetScaler Gateway platforms, which large enterprises and governments use for application delivery and VPN connectivity.
The flaw is described as a sensitive information disclosure vulnerability that allows remote unauthenticated attackers to extract large amounts of data from a vulnerable Citrix device’s memory, including sensitive session tokens (hence the name “CitrixBleed”). The bug requires little effort or complexity to exploit, allowing hackers to hijack and use legitimate session tokens to compromise a victim’s network without needing a password or using two-factor.
Citrix released patches, but a week later on October 17 updated its advisory to advise that it had observed exploitation in the wild.
Early victims included professional services, technology and government organizations, according to incident response giant Mandiant, which said it began investigating after discovering “multiple instances of successful exploitation” as early as late-August before Citrix made patches available.
Robert Knapp, head of incident response at cybersecurity firm Rapid7 — which also began investigating the bug after detecting potential exploitation of the bug in a customer’s network — said the company has also observed attackers targeting organizations across healthcare, manufacturing and retail.
“Rapid7 incident responders have observed both lateral movement and data access in the course of our investigations,” said Knapp, suggesting hackers are able to gain broader access to victims’ network and data after initial compromise.
Big-name victims
Cybersecurity company ReliaQuest said last week it has evidence that at least four threat groups — which it did not name — are leveraging CitrixBleed, with at least one group automating the attack process.
One of the threat actors is believed to be the Russia-linked LockBit ransomware gang, which has already claimed responsibility for several large-scale breaches believed to be associated with CitrixBleed.
Security researcher Kevin Beaumont wrote in a blog post Tuesday that the LockBit gang last week hacked into the U.S. branch of Industrial and Commercial Bank of China (ICBC) — said to be the world’s largest lender by assets — by compromising an unpatched Citrix Netscaler box. The outage disrupted the banking giant’s ability to clear trades. According to Bloomberg on Tuesday, the firm has yet to restore normal operations.
ICBC, which reportedly paid LockBit’s ransom demand, declined to answer TechCrunch’s questions but said in a statement on its website that it “experienced a ransomware attack” that “resulted in disruption to certain systems.”
A LockBit representative told Reuters on Monday that ICBC “paid a ransom — deal closed,” but did not provide evidence of their claim. LockBit also told malware research group vx-underground that ICBC paid a ransom, but declined to say how much.
Beaumont said in a post on Mastodon that Boeing also had an unpatched Citrix Netscaler system at the time of its LockBit breach, citing data from Shodan, a search engine for exposed databases and devices.
Boeing spokesperson Jim Proulx previously told TechCrunch that the company is “aware of a cyber incident impacting elements of our parts and distribution business” but would not comment on LockBit’s alleged publication of stolen data.
Allen & Overy, one of the world’s largest law firms, was also running an affected Citrix system at the time of its compromise, Beaumont noted. LockBit added both Boeing and Allen & Overy to its dark web leak site, which ransomware gangs typically use to extort victims by publishing files unless the victims pay a ransom demand.
Allen & Overy spokesperson Debbie Spitz confirmed the law firm experienced a “data incident” and said it was “assessing exactly what data has been impacted, and we are informing affected clients.”
The Medusa ransomware gang is also exploiting CitrixBleed to compromise targeted organizations, said Beaumont.
“We would expect CVE-2023-4966 to be one of the top routinely exploited vulnerabilities from 2023,” Rapid7’s head of vulnerability research Caitlin Condon told TechCrunch.