Ransomware Is Loving Citrix Bleed

Boeing, 60 credit unions, and more, have been impacted

Blog Ransomware Is Loving Citrix Bleed

| 4 min read

Contact us

It's been a very productive end of year for cybercriminals targeting the Citrix Bleed vulnerability. It's quite a convenient flaw: By stealing the session cookie, gangs can gain access to systems with no need to find and steal login credentials. The latest news says that over 60 credit unions were forced offline as their one common provider was infected with ransomware. It's believed criminals leveraged Citrix Bleed to achieve this. This impactful incident reminds organizations all around the world how important it is to watch out for vulnerabilities in the technology supply chain. We tell you here about what's been happening recently with this security flaw, including that latest news.

About Citrix Bleed

Citrix Bleed (i.e., CVE-2023-4966) is one of the recent vulnerabilities that affect Citrix's NetScaler Application Delivery Controllers (ADC) and Gateway. NetScaler is a network device that provides load balancing, firewall and VPN services to optimize the delivery of applications over the Internet. ADC refers to features for load balancing and traffic management, and Gateway, to the VPN and authentication components. Citrix made its advisory public on October 10. But gangs have been exploiting the flaw since August. In a vulnerable device, they can retrieve session cookies and bypass password requirements and MFA to take over a user session and gain access to sensitive information.

Citrix developed patches and informed users. And so people should have the updated versions now. The implementation is ongoing, resulting in less devices at risk in the world, as the following chart from The ShadowServer Foundation shows. But even this does not stop massive hacks from happening.

"Number of devices with Citrix Bleed worldwide over time"

Number of devices with Citrix Bleed worldwide over time (source: dashboard.shadowserver.org)

Ransomware attacks involving Citrix Bleed

We had mentioned a notable breach related to the Citrix Bleed vulnerability last month in our blog. It was the attack to The Boeing Distribution Inc.'s systems by the Russia-linked ransomware gang LockBit. The result was a leak of 45 GB of the firm's data. The gang's use of Citrix Bleed earned a joint cybersecurity advisory by several U.S. agencies (among which are the CISA and the FBI) and an Australian security authority. Their advice was, of course, to update and isolate the NetScaler ADC and Gateway appliances.

Yet another giant hit by ransomware in November, possibly enabled by Citrix Bleed, was Toyota. This time, it was the Medusa ransomware gang who claimed responsibility for the breach. Moreover, by the end of the month the U.S. Health Sector Cybersecurity Coordination Center issued a warning to hospitals and healthcare facilities, as the NetScaler flaw is at the center of attacks causing outages in this industry.

The headlines by the start of December were marked by the supply chain attack with ransomware that disrupted the operation of more than 60 credit unions in the U.S. The root of this incident was that criminals gained access to unpatched NetScaler servers of an information technology services provider common to those credit unions.

Get started with Fluid Attacks' Security Testing solution right now

The National Credit Union Administration (NCUA), which insures and regulates the affected financial firms, confirmed the intrusion, number of affected orgs and cause. The services provider is the business analytics and talent services organization Trellance Cooperative Holdings Inc, which owns two further providers, whose names are Ongoing Operations LLC and Fedcomp. And it is believed that the ransomware attack, which went down on November 26, was likely possible thanks to the Citrix Bleed flaw. The impact was an outage of credit unions across the country, depending on Trellance to resolve the issue and get them back online.

What was the response of the IT provider after learning about the attack? Ongoing Operations LLC say they immediately began to investigate the incident and even brought in third-party specialists who would help them determine its scope and nature. Plus, they notified federal law enforcement. They informed all this to their customers along with the assurance that they had not found evidence that the attackers had misused the accessed information.

The NCUA learned fast about this incident. This kind of works as a reminder that the NCUA requires since September 1 that federally insured credit unions report such events no later than 72 hours after learning of them. This is while CISA publishes their final rule with the Cyber Incident Reporting Act’s requirements, for which the agency has a deadline in 2025. The Act also states the limit for notifying CISA would be 72 hours. Accordingly, the NCUA, reportedly, informed the Department of the Treasury, CISA and the FBI about the event.

The stunts of ransomware gangs leveraging Citrix Bleed don't end here. Cybersecurity researcher Kevin Beaumont has posted that HTC Global Services had not updated their NetScaler by the end of November and are now being held to extortion by the AlphV ransomware group. On their ransomware portal, they display stolen documents that are branded Caretech, a division of the managed service provider for the U.S. healthcare sector. And yet another victim of AlphV was Fidelity National Financial, which had patched NetScaler late. Without a doubt, Citrix Bleed needs to be dealt with now. That is: Organizations need to patch now!

Secure your supply chain

Spotting the risk of supply chain attacks is hard for organizations, as they are often unaware of the software they use. Taking preventive measures is the way to go. Finding out whether there's vulnerable software in use and how to solve that must be among everyone's top concerns right now. Furthermore, we advise, as always, that impacted companies never pay the ransom. One, they can't know for sure that the gang will keep their promises. And two, they would perpetuate the attacks. Instead, victims need to be thorough in their investigations and transparent and open when talking about the incidents.

Product developers: You have a big responsibility in your hands. The reason supply chain attacks happen in the first place is security holes in software. Secure it now. Scan it for vulnerabilities, test it in attack simulations and fix security problems as soon as possible, all of this constantly. Do not hesitate to ask us about our Continuous Hacking solution. You can just try it for free for 21 days and see for yourself how the overwhelming task of managing vulnerabilities turns into something you can have under control.

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Clay Banks on Unsplash

Protecting your PoS systems from cyber threats

Photo by Charles Etoroma on Unsplash

Top seven successful cyberattacks against this industry

Photo by Anima Visual on Unsplash

Challenges, threats, and best practices for retailers

Photo by photo nic on Unsplash

Be more secure by increasing trust in your software

Photo by Dmitry Ant on Unsplash

How it works and how it improves your security posture

Photo by The Average Tech Guy on Unsplash

Sophisticated web-based attacks and proactive measures

Photo by Randy Fath on Unsplash

The importance of API security in this app-driven world

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.