Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label NetScaler. Show all posts

China's Biggest Lender ICBC Hit by Ransomware

 

Citrix disclosed a critical vulnerability in its NetScaler technology last month, which may have contributed to this week's disruptive ransomware attack on the world's largest bank, the PRC's Industrial and Commercial Bank of China (ICBC). The incident emphasises the importance for businesses, if they haven't already, to patch against the threat promptly. 

Numerous on-premises Citrix NetScaler ADC and NetScaler Gateway application delivery platforms are impacted by the so-called "CitrixBleed" vulnerability (CVE-2023-4966). 

According to the CVSS 3.1 severity scale, the vulnerability allows attackers the ability to gain control of user sessions and steal private data, with a score of 9.4 out of a possible 10. Citrix has stated that there is no user interaction required, low attack complexity, and remote exploitability linked with the vulnerability.

A few weeks prior to Citrix releasing updated versions of the impacted software on October 10, mass CitrixBleed Exploitation Threat actors had been actively utilising the vulnerability since August. Organisations are also strongly advised to end all active sessions on each impacted NetScaler device by Mandiant researchers who found and reported the flaw to Citrix.

Exploitation of Mass Citrix Bleeding

Before Citrix released updated versions of the compromised software on October 10, threat actors had been actively exploiting the vulnerability since August. Due to the possibility that authenticated sessions may continue after the update, Mandiant researchers who found and notified Citrix of the vulnerability have also strongly advised that organisations end all active sessions on each impacted NetScaler device. 

One clear public instance of the exploit activity is the ransomware attack on the US branch of the state-owned ICBC. The bank said that some of its systems were disrupted by a ransomware attack that occurred on November 8 in a statement earlier this week. The Financial Times and other media outlets cited sources who told them that the attackers were LockBit ransomware operators.

On November 6, security researcher Kevin Beaumont identified one possible attack vector for the LockBit actors: an unpatched Citrix NetScaler at the ICBC box. 

"As of writing this toot, over 5,000 orgs still haven't patched #CitrixBleed," Beaumont stated. "It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs — it gives attackers a fully interactive Remote Desktop PC [on] the other end." 

Recent weeks have seen an increase in the mass exploitation of attacks against unmitigated NetScaler devices. At least part of the activity has been spurred by publicly available technical details of the flaw. 

At least four organised threat groups are reportedly focusing on the vulnerability, according to a ReliaQuest report this week. A group of them has automated CitrixBleed exploitation. In the short time between November 7 and November 9, ReliaQuest reported seeing "multiple unique customer incidents featuring Citrix Bleed exploitation". 

CISA issues CitrixBleed guidance

The exploit activity compelled the US Cybersecurity and Infrastructure Security Agency (CISA) to publish new CitrixBleed threat guidance and resources this week. CISA issued a warning about "active, targeted exploitation" of the bug, urging organisations to "update unmitigated appliances to the updated versions" released by Citrix last month.

The vulnerability is a buffer overflow issue that allows sensitive information to be disclosed. It affects NetScaler on-premises versions when configured as an Authentication, Authorization, and Accounting (AAA) or gateway device such as a VPN virtual server, ICA, or RDP Proxy.

Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"

Citrix Bleed Bug

Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Despite the fact that a patch has been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using Citrix hardware. 

What exactly is Citrix Bleed?

CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault. 

According to some estimates, 20,000 smartphones have already been compromised. The reason for this is that the information released may contain session tokens, which are assigned by the hardware to devices that have previously successfully provided credentials, including those delivering MFA

Attacks on the rise

Attacks have just lately increased, forcing security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He stated that as of Saturday, he has discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as susceptible Netscaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.

Easy to exploit vulnerabilities 

According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has admitted that the amount contradicts his previous estimate of 20,000 affected devices. It's unclear what was causing the disparity.

The vulnerability is reasonably simple to exploit for experienced users. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.

What next? What should companies do to be safe?

Citrix Bleed is similar to Heartbleed, another major information leak vulnerability that rocked the Internet in 2014. This weakness, which was found in the OpenSSL code library, was widely exploited, allowing the theft of passwords, encryption keys, banking credentials, and other sensitive information. Citrix Bleed is less severe because fewer vulnerable devices are in operation.

Citrix Bleed, on the other hand, is still quite awful. All Netscaler devices should be considered hacked by organizations. This involves patching any unpatched devices that remain. Then, all credentials should be rotated to guarantee that any potentially leaked session tokens are expired. Mandiant, a security firm, provides comprehensive security advice here.