(Bloomberg) — A critical flaw in the software of Citrix Systems Inc., a company that pioneered remote access so people can work from anywhere, has been exploited by government-backed hackers and criminal groups, according to a U.S. cyber official.
Most read from Bloomberg
The flaw, called Citrix Bleed, was secretly exploited by hackers for weeks before it was discovered and a fix was released last month, according to online posts from Citrix and cybersecurity researchers. Since then, researchers say hackers have accelerated their exploitation of the bug, targeting some of the thousands of customers who haven’t applied a patch.
“We are aware that a wide variety of malicious actors, including both nation-states and criminal groups, are focused on exploiting the Citrix Bleed vulnerability,” said Eric Goldstein, executive assistant director for cybersecurity at U.S. Cybersecurity and Infrastructure Security Agency, known as CISA. , told Bloomberg News.
CISA is providing assistance to victims, said Goldstein, who declined to identify them. Adversaries could exploit the vulnerability to steal sensitive information and try to gain broader network access, he said.
Citrix did not respond to messages seeking comment.
Among the criminal groups exploiting the Citrix Bleed bug is one of the world’s most notorious hacking gangs, LockBit, according to a global banking security consortium, the FS-ISAC, which issued a security bulletin on Tuesday on the risk to financial institutions.
The U.S. Treasury Department also said it is investigating whether vulnerabilities in Citrix are responsible for the recent debilitating ransom hack against the Industrial & Commercial Bank of China Ltd., according to a person familiar with the matter. The breach prevented the world’s largest bank from settling a large portion of U.S. government bond transactions. ICBC did not respond to a request for comment.
Read more: The world’s largest bank must trade via USB stick after hack
LockBit claimed credit for the ICBC hack and a representative of the gang said the bank had paid a ransom, although Bloomberg could not independently confirm the claim. The Wall Street Journal previously reported on the US Treasury bill.
Citrix announced on October 10 that it had discovered the Citrix Bleed bug and released a patch. The company said there was no sign at the time that anyone had exploited the vulnerability.
However, several Citrix customers have since discovered that they were breached before the patch was issued, according to a Citrix post and cybersecurity researchers. One of the first victims was a European government, according to a person familiar with the matter, who declined to name the country.
According to CISA, the Citrix Bleed bug could allow a hacker to take control of a victim’s system. The flaw was nicknamed because it can leak sensitive information from a device’s memory, according to Palo Alto Networks Inc.’s research division, Unit 42. The leaked data could include “session tokens” that can identify and authenticate a visitor. visit a specific website or service without entering a password.
Read more: Ransomware Gang LockBit is reviewing its tactics as payouts drop
Cybersecurity firm Mandiant began investigating the vulnerability after Citrix noticed it and ultimately found multiple victims from before the bug was publicly disclosed or had a fix, dating back to late August.
Charles Carmakal, chief technology officer at Mandiant’s consulting division, told Bloomberg that these initial attacks did not appear to be financially motivated. Mandiant is still investigating whether these early intrusions were carried out for espionage purposes by a nation state, possibly China, he said.
Asked for comment, the Chinese embassy in Washington did not elaborate on the Citrix vulnerability, instead referring to the November 10 comments from the Ministry of Foreign Affairs. “ICBC is monitoring this closely and has taken effective emergency measures and engaged in proper monitoring and communication to minimize risk, impact and damage,” the ministry said.
Citrix updated its guidelines on October 23, not only recommending patches but also “terminating all active and persistent sessions.”
Thousands of companies have failed to update their Citrix software and take other actions that the company, CISA and others have urged. Palo Alto’s Unit 42 teams, which have also observed ransomware groups exploiting the bug, said in a Nov. 1 blog that at least 6,000 IP addresses appeared vulnerable and that the largest number of these devices are in the U.S., as well as others in Germany, China and Great Britain.
GreyNoise, an IP address scanning analytics company, reported that 335 unique IP addresses have attempted to use the Citrix Bleed exploit since it started tracking it on October 17.
LockBit is both the name of a gang and the type of ransomware it has produced. The FBI says it is responsible for more than 1,700 attacks against the US since 2020.
A security researcher, Kevin Beaumont, said LockBit’s exploitation of the Citrix flaw extends to multiple victims. The law firm Allen & Overy was hacked via the Citrix flaw, he said in a post on Medium, and the aerospace giant Boeing Co. and port operator DP World Plc had left Citrix devices unpatched, potentially allowing hackers to exploit the bug.
Read more: Hacking Gang Lockbit Posts About Boeing Data on Location
Beaumont described the flaw as “incredibly easy to exploit” and added: “The cyber security reality we live in now is teenagers running around in organized crime gangs with digital bazookas.”
Representatives from Allen & Overy, DP World and Boeing did not comment on whether the Citrix bug was being exploited. The incident at Allen & Overy affected a small number of storage servers, but core systems were not affected, a spokesperson said. The breach of Boeing’s parts and distribution system remains under investigation, a spokesperson said.
A DP World representative said the company is limited in the details it can provide due to the ongoing nature of the investigation. Beaumont did not respond to a request for comment.
–With help from Julie Johnsson.
Most read from Bloomberg Businessweek
©2023 Bloomberg LP
