(Bloomberg) — A critical flaw in software from Citrix Systems Inc., a company that pioneered remote access so people can work from anywhere, has been exploited by government-backed hackers and criminal groups, according to a U.S. cyber official.
The flaw, called Citrix Bleed, was secretly exploited by hackers for weeks before it was discovered, and a fix was issued last month, according to Citrix online posts and cybersecurity researchers. Since then, researchers say hackers have accelerated their exploitation of the flaw, targeting some of the thousands of customers who haven’t applied a patch.
“We are aware that a wide range of malicious actors, including both nation-states and criminal groups, are focused on exploiting the Citrix Bleed vulnerability,” Eric Goldstein, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, known as CISA, told Bloomberg News.
CISA is providing assistance to the victims, said Goldstein, who declined to identify them. Adversaries could exploit the vulnerability to steal sensitive information and try to gain broader network access, he said.
Citrix did not respond to messages seeking comment.
Among the criminal groups exploiting the Citrix Bleed flaw is one of the world’s most notorious hacking gangs, LockBit, according to a global bank security consortium, FS-ISAC, which on Tuesday issued a security bulletin on the risk to financial institutions.
The U.S. Treasury Department has also said it is investigating whether Citrix vulnerabilities are responsible for the recent crippling ransom hack against Industrial & Commercial Bank of China Ltd., according to a person familiar with the matter. The breach left the world’s largest bank unable to clear parts of US financial transactions. ICBC did not respond to a request for comment.
Read more: The world’s largest bank must trade via USB stick after hack
LockBit claimed credit for the ICBC hack, and a representative of the gang said the bank paid a ransom, though Bloomberg was unable to independently confirm the claim. The Wall Street Journal has previously reported the US Treasury bond.
Citrix announced that it had discovered the Citrix Bleed flaw on October 10 and issued a patch. The company said there was no evidence at the time that anyone had exploited the vulnerability.
Since then, however, several Citrix customers discovered they were breached before the patch was issued, according to a Citrix post and cybersecurity researchers. An early victim was a European government, according to a person familiar with the matter, who declined to name the country.
The Citrix Bleed flaw could allow an attacker to take control of a victim’s system, according to CISA. The flaw got its nickname because it can leak sensitive information from a device’s memory, according to Palo Alto Networks Inc.’s cybersecurity business research arm, Unit 42. The leaked data may include “session tokens” that can identify and authenticate a visitor to a particular website or service without entering a password.
Read More: Ransomware Gang LockBit Revises Its Tactics As Payouts Slip
Cybersecurity firm Mandiant began investigating the vulnerability when Citrix flagged it and ultimately found more victims from before the bug had been made public or received a fix, dating back to late August.
Charles Carmakal, chief technology officer at Mandiant’s consulting division, told Bloomberg that these initial attacks did not appear to be financially motivated. Mandiant is still assessing whether those early incursions were carried out for espionage purposes by a nation state, possibly China, he said.
When asked for comment, the Chinese Embassy in Washington did not address the Citrix vulnerability, instead referring to comments from the State Department on November 10. “ICBC is following this closely and has taken effective emergency response measures and engaged in proper monitoring and communication to minimize risk, impact and damage,” the ministry said.
Citrix updated its guidance on October 23, recommending not just patching, but “killing all active and persistent sessions.”
Thousands of companies failed to update their Citrix software and take other actions that the company, CISA and others have urged. Palo Alto’s Unit 42 team, which has also observed ransomware groups exploiting the flaw, said in a Nov. 1 blog that at least 6,000 IP addresses appeared vulnerable, and that the largest number of those devices are located in the United States as well like others in Germany, China and Great Britain.
GreyNoise, a company that analyzes scanning for IP addresses, reported that it has seen 335 unique IP addresses attempting to use the Citrix Bleed exploit since it began tracking it on October 17.
LockBit is both the name of a gang and a type of ransomware it produced. The FBI says it is responsible for more than 1,700 attacks against the United States since 2020.
A security researcher, Kevin Beaumont, said LockBit’s exploitation of the Citrix flaw extends to multiple victims. Law firm Allen & Overy was breached via the Citrix bug, he said in a post on Medium, and aerospace giant Boeing Co. and port operator DP World Plc had unpatched Citrix devices, allowing hackers to potentially exploit the flaw.
Read more: Hacking gang Lockbit sends what it says is Boeing data on site
Beaumont described the flaw as “incredibly easy to exploit” and added: “The cyber security reality we live in now is teenagers running around organized crime gangs with digital bazookas.”
Representatives for Allen & Overy, DP World and Boeing did not comment on whether the Citrix flaw was exploited. The incident at Allen & Overy affected a small number of storage servers, but core systems have not been affected, a spokesman said. The breach, affecting Boeing’s parts and distribution system, remains under investigation, a spokesman said.
A representative for DP World said the company is limited in the details it could provide due to the ongoing nature of the investigation. Beaumont did not respond to a request for comment.
–With assistance from Julie Johnsson.
©2023 Bloomberg LP