
AHA, Federal Agencies Urge Healthcare Organizations to Mitigate Citrix Bleed Vulnerability

Citrix Vulnerability

Healthcare departments under threat

The alert from the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) on Nov. 30 and the AHA warning on Friday come amid a wave of ransomware attacks, alleged to involve Citrix Bleed exploitation, that has hit organizations in healthcare and other sectors in recent weeks. This post covers the threat and what is known about the Citrix Bleed flaw.

CySecurity News had already reported on the Citrix Bleed bug delivering sharp blows earlier in November 2023.

"HC3 strongly recommends that companies make improvements to prevent additional harm to the healthcare and public health sector," the Department of Health and Human Services warned.

High severity Citrix Bleed Vulnerability

According to John Riggi, AHA's national adviser for cybersecurity and risk, the HHS alert "confirms the gravity" of the Citrix Bleed vulnerability and the urgent need to install the available Citrix patches and upgrades to secure healthcare IT systems.

Google's Mandiant report in October "identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements.

"These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment and subsequently used by a threat actor," the report added.

Foreign ransomware groups involved

Riggi said in a statement that this instance further shows the severity with which foreign ransomware groups, mainly Russian-speaking groups, continue to target hospitals and health organizations. Ransomware attacks interrupt and disrupt the delivery of healthcare, jeopardizing patients' lives, he added; the sector must stay attentive and strengthen its cyber security, as attackers will undoubtedly continue to target it, particularly over the holiday season.

Rise in attacks during the holiday season?

Citrix's NetScaler unit released an advisory on the flaw in October and updated it again in late November, citing reports of "a rapid spike in attempts" to exploit the vulnerability on unpatched NetScaler ADCs.

The AHA cautioned that exploiting the vulnerability allows attackers to bypass password requirements and multifactor authentication mechanisms altogether.

According to HHS HC3, the vulnerability has been actively exploited since August. Citrix issued a patch for the vulnerability in early October, but warned that already-established sessions, including any that had been hijacked, remain active after the patch is applied.

HC3 encourages all administrators to upgrade their devices according to NetScaler's instructions and then to terminate, or "kill", all active and persistent sessions using the session-termination commands given in Citrix's advisory, since patching alone does not invalidate sessions whose tokens were already stolen.

Also read: NetScaler's advisory for full details of the Citrix Bleed threat.


Ransomware Surge: 2023 Cyber Threats

In the constantly changing field of cybersecurity, 2023 has seen an increase in ransomware assaults, with important industries like healthcare, finance, and even mortgage services falling prey to sophisticated cyber threats.

According to recent reports, a wave of ransomware is aimed at critical services such as schools, hospitals, and mortgage lenders. These attacks have consequences well beyond the digital sphere, producing anxiety and disruption in the real world, and have sparked worries about the weaknesses in our interconnected digital infrastructure.

A concerning event occurred at Fidelity National Financial when a ransomware debacle shocked homeowners and prospective purchasers. In addition to compromising private financial information, the hack caused fear in those who deal in real estate. This incident highlights the extensive effects of ransomware and the necessity of strong cybersecurity protocols in the financial industry.

Widespread technology vulnerabilities have also been exposed, with the Citrix Bleed Bug garnering media attention. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings due to the growing damage caused by this cybersecurity vulnerability. The growing dependence of businesses and organizations on digital platforms presents a significant risk to data security and integrity due to the potential for exploiting vulnerabilities.

On the legislative front, the National Defense Authorization Act (NDAA) looms large in the cybersecurity discourse. As cyber threats continue to grow, policymakers are grappling with the need to bolster the nation's defenses against such attacks. The forthcoming NDAA is expected to address key cybersecurity issues, aiming to enhance the country's ability to thwart and respond to cyber threats effectively.

The healthcare sector has not been immune to these attacks, as evidenced by the Ardent Health Services cyberattack. This incident exposed vulnerabilities in the healthcare system, raising questions about the sector's preparedness to safeguard sensitive patient information. With the increasing digitization of medical records and critical healthcare infrastructure, the need for stringent cybersecurity measures in the healthcare industry has never been more pressing.

The ransomware landscape in 2023 is characterized by a concerning surge in attacks across various critical sectors. From financial institutions to healthcare providers, the vulnerabilities in our digital infrastructure are being ruthlessly exploited. As the world grapples with the fallout of these cyber threats, the importance of proactive cybersecurity measures and robust legislative frameworks cannot be overstated. The events of 2023 serve as a stark reminder that the battle against ransomware is an ongoing and evolving challenge that requires collective and decisive action.



China's Biggest Lender ICBC Hit by Ransomware

 

Citrix disclosed a critical vulnerability in its NetScaler technology last month, which may have contributed to this week's disruptive ransomware attack on the world's largest bank, the PRC's Industrial and Commercial Bank of China (ICBC). The incident underlines the importance, for businesses that have not already done so, of patching against the threat promptly.

Numerous on-premises Citrix NetScaler ADC and NetScaler Gateway application delivery platforms are impacted by the so-called "CitrixBleed" vulnerability (CVE-2023-4966). 

The vulnerability, which allows attackers to take over user sessions and steal sensitive data, carries a CVSS 3.1 score of 9.4 out of a possible 10. Citrix's advisory rates it as remotely exploitable, of low attack complexity, and requiring no user interaction.

Mass CitrixBleed Exploitation

Threat actors had been actively exploiting the vulnerability since August, weeks before Citrix released fixed versions of the affected software on October 10. Because authenticated sessions can survive the update, Mandiant researchers, who found the flaw and reported it to Citrix, also strongly advise organisations to terminate all active sessions on each affected NetScaler device once it has been upgraded.

One clear public instance of the exploit activity is the ransomware attack on the US branch of the state-owned ICBC. In a statement earlier this week, the bank said that some of its systems were disrupted by a ransomware attack on November 8. The Financial Times and other media outlets cited sources who said the attackers were LockBit ransomware operators.

On November 6, security researcher Kevin Beaumont identified one possible attack vector for the LockBit actors: an unpatched Citrix NetScaler box at ICBC.

"As of writing this toot, over 5,000 orgs still haven't patched #CitrixBleed," Beaumont stated. "It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs — it gives attackers a fully interactive Remote Desktop PC [on] the other end." 

Recent weeks have seen a surge in mass exploitation of unmitigated NetScaler devices, spurred at least in part by publicly available technical details of the flaw.

At least four organised threat groups are reportedly focusing on the vulnerability, according to a ReliaQuest report this week, and one of them has automated CitrixBleed exploitation. In the short window between November 7 and November 9, ReliaQuest reported seeing "multiple unique customer incidents featuring Citrix Bleed exploitation".

CISA issues CitrixBleed guidance

The exploit activity compelled the US Cybersecurity and Infrastructure Security Agency (CISA) to publish new CitrixBleed threat guidance and resources this week. CISA issued a warning about "active, targeted exploitation" of the bug, urging organisations to "update unmitigated appliances to the updated versions" released by Citrix last month.

The vulnerability is a buffer over-read: an out-of-bounds memory read that discloses sensitive data, including session tokens, rather than an overflow that corrupts memory. It affects on-premises NetScaler ADC and NetScaler Gateway when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server.
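The following is an added example written for this page; it is not NetScaler's code and not from the original post. It illustrates the bug class that public analyses of the patch attributed the leak to: a formatting routine's return value, which reports the length the full output would have had even when the output was truncated, is used as the number of bytes to send back, so an oversized request header makes the server return memory lying beyond the response buffer. The struct layout, the handler names and the cookie value are assumptions chosen so the leak is visible; the small session table at the end demonstrates the second point made above, that a token leaked this way stays valid after the fixed handler is deployed until the sessions themselves are killed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration (not NetScaler's): the response buffer
 * is immediately followed by the session cookie, so an over-read of
 * resp[] spills the cookie into what is sent to the client. */
#define RESP_CAP   64
#define COOKIE_LEN 32
struct conn_state {
    char resp[RESP_CAP];
    char session_cookie[COOKIE_LEN + 1];
};
/* The output buffer holds the whole object so the over-read stays inside
 * *st (well-defined and observable) instead of being undefined behaviour. */
#define OUT_CAP sizeof(struct conn_state)

/* snprintf never writes more than sizeof resp, but it RETURNS the length
 * the untruncated output would have had. */
static int format_config(struct conn_state *st, const char *host)
{
    return snprintf(st->resp, sizeof st->resp,
                    "{\"issuer\":\"https://%s\"}", host);
}

/* VULNERABLE: the would-be length is used as the byte count to send. A
 * Host header longer than the buffer makes n exceed RESP_CAP, and the
 * copy runs past resp[] into session_cookie[]. */
size_t send_config_vulnerable(struct conn_state *st, const char *host,
                              char out[OUT_CAP])
{
    int n = format_config(st, host);
    if (n < 0) return 0;
    size_t len = (size_t)n;
    if (len > OUT_CAP) len = OUT_CAP;      /* bounded by the object, not resp[] */
    memcpy(out, st, len);                  /* BUG: len may exceed RESP_CAP */
    return len;
}

/* FIXED: treat truncation as an error; send only bytes actually written. */
size_t send_config_fixed(struct conn_state *st, const char *host,
                         char out[OUT_CAP])
{
    int n = format_config(st, host);
    if (n < 0 || (size_t)n >= sizeof st->resp) return 0;
    memcpy(out, st->resp, (size_t)n);
    return (size_t)n;
}

/* Did the bytes sent to the client include the cookie? */
bool response_leaks_cookie(const char *out, size_t len, const char *cookie)
{
    size_t clen = strlen(cookie);
    for (size_t i = 0; i + clen <= len; i++)
        if (memcmp(out + i, cookie, clen) == 0) return true;
    return false;
}

/* Server-side session table. Whether a token is accepted depends only on
 * this table, not on which handler version is deployed. */
#define MAX_SESSIONS 4
struct session_table { char tokens[MAX_SESSIONS][COOKIE_LEN + 1]; };

bool session_valid(const struct session_table *t, const char *token)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (t->tokens[i][0] && strcmp(t->tokens[i], token) == 0) return true;
    return false;
}

void kill_all_sessions(struct session_table *t) { memset(t, 0, sizeof *t); }

int main(void)
{
    struct conn_state st = {0};
    struct session_table table = {0};
    char out[OUT_CAP], stolen[COOKIE_LEN + 1], long_host[200];
    const char *cookie = "AAAC-constructed-sample-token-01"; /* made-up value */
    strcpy(st.session_cookie, cookie);
    strcpy(table.tokens[0], cookie);
    memset(long_host, 'A', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    size_t n = send_config_vulnerable(&st, long_host, out);
    printf("vulnerable handler leaks cookie: %s\n",
           response_leaks_cookie(out, n, cookie) ? "yes" : "no");
    memcpy(stolen, out + RESP_CAP, COOKIE_LEN + 1);     /* attacker keeps it */

    n = send_config_fixed(&st, long_host, out);         /* "patched" */
    printf("fixed handler sends %zu bytes for the oversized Host\n", n);
    printf("stolen token valid after patch: %s\n",
           session_valid(&table, stolen) ? "yes" : "no");
    kill_all_sessions(&table);
    printf("stolen token valid after kill: %s\n",
           session_valid(&table, stolen) ? "yes" : "no");
    return 0;
}
```

The fixed handler makes the safe choice explicit: a return value of `n >= sizeof buf` from `snprintf` means the output was truncated, and the only correct responses are to reject the request or to allocate a larger buffer, never to send `n` bytes. The session table is why the advisories above pair the upgrade with killing sessions: swapping in the fixed handler stops new leaks, but it does nothing to a token that was already copied out.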

Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"

Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Although a patch has been available for three weeks, ransomware groups are exploiting a vulnerability in Citrix appliances that lets attackers bypass multifactor authentication and gain access to enterprise networks.

What exactly is Citrix Bleed?

CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is unusually high for an information-disclosure flaw.

According to some estimates, 20,000 appliances have already been compromised. The severity comes from what the leaked memory can contain: session tokens, which the appliance issues to clients that have already authenticated successfully, including those that completed MFA. Whoever holds a valid token can reuse the session without presenting credentials or a second factor.

Attacks on the rise

Attacks have lately increased sharply, prompting security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He said that, as of Saturday, he estimated about 20,000 Citrix appliances had been compromised and their session tokens stolen. His estimate was based on a honeypot of servers posing as vulnerable NetScaler devices, set up to track opportunistic Internet-wide attacks, with the results then cross-checked against other data sources such as NetFlow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also operates honeypots, was reporting attacks on CVE-2023-4966 from 135 IP addresses, a 27-fold increase over the five IPs GreyNoise had seen five days earlier.

An easy vulnerability to exploit

According to the most recent data from security firm Shadowserver, roughly 5,500 unpatched appliances remained exposed. Beaumont acknowledged that this figure is hard to reconcile with his estimate of 20,000 compromised devices; the cause of the disparity is unclear.

The vulnerability is reasonably simple to exploit for an experienced attacker: diffing the patched and unpatched Citrix binaries reveals the vulnerable functions, and writing an exploit from there is not difficult. Several proof-of-concept exploits are now public, lowering the bar further.

What next? What should companies do to be safe?

Citrix Bleed resembles Heartbleed, the major memory-disclosure vulnerability in the OpenSSL library that rocked the Internet in 2014 and was widely exploited to steal passwords, encryption keys, banking credentials, and other sensitive information. Citrix Bleed's overall impact is smaller only because far fewer vulnerable devices are deployed.

Citrix Bleed is nonetheless serious. Organizations should treat every exposed NetScaler device as compromised: patch any that remain unpatched, then terminate all active sessions and rotate credentials so that any leaked session tokens are no longer usable. Rotating credentials is not sufficient on its own, because existing sessions survive the patch until they are terminated on the appliance; the session kill is the step that actually expires a stolen token. Mandiant provides comprehensive remediation guidance.