Shutter2U - stock.adobe.com
US government reinforces ICBC hack link to Citrix Bleed
US Treasury adds weight to reports that a ransomware gang gained access to the systems of Chinese bank ICBC by exploiting a critical Citrix flaw
The United States Treasury has written to financial services industry leaders and trade bodies reinforcing earlier speculation that a ransomware attack on the systems of the Industrial and Commercial Bank of China (ICBC) began through exploitation of vulnerabilities in the Citrix NetScaler product family.
The possibility that this was the case was first raised by security researcher and commentator Kevin Beaumont via social media website Mastodon on Thursday 9 November. Beaumont had posted evidence drawn from Shodan revealing that ICBC was running a Citrix NetScaler appliance that was not patched against CVE-2023-4966.
According to the Wall Street Journal, which was first to report the latest development having reviewed the note, the Treasury told the industry that it was yet to fully establish that CVE-2023-4966, an information disclosure vulnerability, and a second bug tracked as CVE-2023-4967, a denial-of-service vulnerability, were the access vectors used by LockBit’s operatives. However, the authorities appear to be confident that this will be confirmed imminently.
In the wake of last week’s attack, according to Reuters, the disruption to ICBC’s ability to do business was so extensive that employees were forced to move to proprietary webmail services, while the brokerage was also left temporarily indebted to investment bank BNY Mellon to the tune of $9bn.
Separately, an individual purporting to represent the interests of the LockBit cartel told the news agency that ICBC has paid a ransom. The veracity of this claim has not been verified.
Should I worry about Citrix Bleed?
Commonly known as Citrix Bleed, zero-day exploitation of CVE-2023-4966 has been dated to the beginning of August, and it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on 18 October, eight days after Citrix issued an update to patch it.
Mandiant researchers explained that when successfully exploited, an attacker can use CVE-2023-4966 to hijack existing authenticated sessions and bypass authentication measures, and worse still, these sessions can persist even if the Citrix patch has been deployed.
Its analysts have also observed session hijacking in which session data was stolen before the patch was deployed, and thereafter used by an attacker.
Authenticated session hijacking is a problem because it can lead to attackers gaining wider downstream access based on the permissions that identity or session had been given.
They can then steal additional credentials and start moving laterally through the victim’s network to escalate their privileges and execute their ransomware payloads.
Mandiant said it has seen exploitation at professional services, technology and public sector organisations alike.
Exploitation of Citrix Bleed by a cyber criminal gang has not, at least to public knowledge, reached the same scale of activity seen after other critical compromises, such as that targeting a flaw in Progress Software’s MOVEit tool via which the Cl0op gang attacked over a thousand victims.
Read more about Citrix Bleed
- Exploitation against CVE-2023-4966 is ongoing, and Mandiant CTO Charles Carmakal warned patching alone is insufficient against potential attacks that leverage MFA bypass techniques.
- Observed activity exploiting two new Citrix NetScaler vulnerabilities disclosed earlier this month is ramping up, and users may be running out of time to patch lest they be attacked.
- The financial services arm of one of the world’s largest banks was taken offline by a supposed LockBit ransomware attack, causing problems for US markets.
However, for those users who have yet to address the issue, time is now running critically short. Besides ICBC, Citrix Bleed is now thought to be behind the LockBit attack on Boeing, from which stolen data has now been published, and an attack on a prominent US law firm.
“NetScaler ADC is like a baton-waving traffic conductor for your online applications,” said Paul Brucciani, cyber security advisor at WithSecure. “It helps manage all the incoming user traffic, making sure it gets to the right application quickly and safely. NetScaler Gateway is like a nightclub bouncer that controls the single point of entry to your work applications.
“The vulnerability provides access to remote desktop applications and data protected behind organisations’ firewalls without generating any alerts or logs,” he said. “That’s already serious.
“It has been estimated that 75% of all internet traffic passes through Citrix NetScaler every day, which means that any vulnerability found within these appliances would put immense power into the hands of the attacker. That is why … it was rated as a critical vulnerability, scoring 9.4 out of 10.”
Considering why a bigger fuss of Citrix Bleed wasn’t made as soon as it was discovered, Brucciani said security teams – particularly those at large enterprises – were already struggling under the weight of thousands of other issues.
“Only 2% of vulnerabilities are exploited for malicious purposes, and not even banks have the resources to patch every vulnerability immediately, so which ones do you prioritise? Even if you make the right call, patching isn’t easy, especially for large organisations like ICBC operating complex IT systems that, assuming every vulnerable asset has been identified, cannot easily be taken offline for patching,” he said.
What is vulnerable?
According to Citrix, the following members of the NetScaler family are vulnerable to Citrix Bleed.
- NetScaler ADC and NetScaler Gateway 14.1 up to 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 up to 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 up to 13.0-92.19
- NetScaler ADC 13.1-FIPS up to 13.1-37.164
- NetScaler ADC 12.1-FIPS up to 12.1-55.300
- NetScaler ADC 12.1-NDcPP up to 12.1-55.300
Note additionally that NetScaler ADC and Gateway version 12.1, which has reached end-of-life, is also vulnerable. However, customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are covered.