Ransomware Is Loving Citrix Bleed

Citrix Bleed (i.e., CVE-2023-4966) is one of the recent vulnerabilities that affect Citrix's NetScaler Application Delivery Controllers (ADC) and Gateway. NetScaler is a network device that provides load balancing, firewall and VPN services to optimize the delivery of applications over the Internet. ADC refers to features for load balancing and traffic management, and Gateway, to the VPN and authentication components. Citrix made its advisory public on October 10. But gangs have been exploiting the flaw since August. In a vulnerable device, they can retrieve session cookies and bypass password requirements and MFA to take over a user session and gain access to sensitive information.

We had mentioned a notable breach related to the Citrix Bleed vulnerability last month in our blog. It was the attack to The Boeing Distribution Inc.'s systems by the Russia-linked ransomware gang LockBit. The result was a leak of 45 GB of the firm's data. The gang's use of Citrix Bleed earned a joint cybersecurity advisory by several U.S. agencies (among which are the CISA and the FBI) and an Australian security authority. Their advice was, of course, to update and isolate the NetScaler ADC and Gateway appliances.

Yet another giant hit by ransomware in November, possibly enabled by Citrix Bleed, was Toyota. This time, it was the Medusa ransomware gang who claimed responsibility for the breach. Moreover, by the end of the month the U.S. Health Sector Cybersecurity Coordination Center issued a warning to hospitals and healthcare facilities, as the NetScaler flaw is at the center of attacks causing outages in this industry.

The headlines by the start of December were marked by the supply chain attack with ransomware that disrupted the operation of more than 60 credit unions in the U.S. The root of this incident was that criminals gained access to unpatched NetScaler servers of an information technology services provider common to those credit unions.

The National Credit Union Administration (NCUA), which insures and regulates the affected financial firms, confirmed the intrusion, number of affected orgs and cause. The services provider is the business analytics and talent services organization Trellance Cooperative Holdings Inc, which owns two further providers, whose names are Ongoing Operations LLC and Fedcomp. And it is believed that the ransomware attack, which went down on November 26, was likely possible thanks to the Citrix Bleed flaw. The impact was an outage of credit unions across the country, depending on Trellance to resolve the issue and get them back online.

The NCUA learned fast about this incident. This kind of works as a reminder that the NCUA requires since September 1 that federally insured credit unions report such events no later than 72 hours after learning of them. This is while CISA publishes their final rule with the Cyber Incident Reporting Act’s requirements, for which the agency has a deadline in 2025. The Act also states the limit for notifying CISA would be 72 hours. Accordingly, the NCUA, reportedly, informed the Department of the Treasury, CISA and the FBI about the event.

The stunts of ransomware gangs leveraging Citrix Bleed don't end here. Cybersecurity researcher Kevin Beaumont has posted that HTC Global Services had not updated their NetScaler by the end of November and are now being held to extortion by the AlphV ransomware group. On their ransomware portal, they display stolen documents that are branded Caretech, a division of the managed service provider for the U.S. healthcare sector. And yet another victim of AlphV was Fidelity National Financial, which had patched NetScaler late. Without a doubt, Citrix Bleed needs to be dealt with now. That is: Organizations need to patch now!

Spotting the risk of supply chain attacks is hard for organizations, as they are often unaware of the software they use. Taking preventive measures is the way to go. Finding out whether there's vulnerable software in use and how to solve that must be among everyone's top concerns right now. Furthermore, we advise, as always, that impacted companies never pay the ransom. One, they can't know for sure that the gang will keep their promises. And two, they would perpetuate the attacks. Instead, victims need to be thorough in their investigations and transparent and open when talking about the incidents.

Product developers: You have a big responsibility in your hands. The reason supply chain attacks happen in the first place is security holes in software. Secure it now. Scan it for vulnerabilities, test it in attack simulations and fix security problems as soon as possible, all of this constantly. Do not hesitate to ask us about our Continuous Hacking solution. You can just try it for free for 21 days and see for yourself how the overwhelming task of managing vulnerabilities turns into something you can have under control.