Saturday, October 26, 2024

Major Global Entities, Including ICBC and DP World, Targeted in CitrixBleed Vulnerability

According to reports, the largest bank in the world, ICBC, one of the biggest port operators in the world, DP World, the aerospace behemoth Boeing, and the worldwide law firm Allen & Overy have all been targets of these hacks thus far. Many thousands more companies are still not protected against the vulnerability, formally known as “CitrixBleed” and tracked as CVE-2023-4966. The charity threat-tracking organization Shadowserver Foundation reports that most impacted systems are found in North America.


The cybersecurity agency of the United States government, CISA, also issued a warning, advising federal agencies to apply patches to address the vulnerability, which is being actively exploited.

This is what we currently know.

What is CitrixBleed?

Citrix, a manufacturer of network equipment, revealed the vulnerability on October 10. It affects the on-premise versions of its NetScaler ADC and NetScaler Gateway systems, which are used by governments and major companies for VPN connection and application delivery.

The vulnerability, dubbed “CitrixBleed,” is defined as a sensitive information disclosure vulnerability that lets remote, unauthenticated attackers get a significant quantity of data, including sensitive session tokens, from the memory of a vulnerable Citrix device. By hijacking and reusing valid session tokens, attackers can get into a victim’s network without a password or two-factor authentication, and the weakness is easy to exploit.
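Because a hijacked session token gets reused from a machine other than the legitimate user's, one defensive check is to look for a session that shows up from more than one client address. The following is an added example, not from the original article or from Citrix; the log layout, field names and sample records are constructed for illustration and do not match any real NetScaler log format.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up key=value layout; real gateway logs differ.
SAMPLE_LOG = """\
2023-10-20T08:01:12Z sid=a1f3 user=alice src=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0)"
2023-10-20T08:03:40Z sid=b772 user=bob src=198.51.100.23 ua="Mozilla/5.0 (Macintosh)"
2023-10-20T08:15:02Z sid=a1f3 user=alice src=203.0.113.77 ua="python-requests/2.31"
2023-10-20T08:15:30Z sid=a1f3 user=alice src=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0)"
2023-10-20T09:00:00Z sid=b772 user=bob src=198.51.100.23 ua="Mozilla/5.0 (Macintosh)"
2023-10-20T09:10:00Z sid=c9e0 user=carol src=192.0.2.5 ua="Mozilla/5.0 (X11; Linux)"
2023-10-20T11:45:00Z sid=c9e0 user=carol src=192.0.2.99 ua="Mozilla/5.0 (X11; Linux)"
malformed line without fields
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)

def find_shared_sessions(log_text):
    """Return {sid: finding} for sessions seen from more than one source IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped
            events[m["sid"]].append((m["ts"], m["src"], m["ua"], m["user"]))
    findings = {}
    for sid, evs in events.items():
        evs.sort()  # ISO-8601 UTC timestamps sort correctly as strings
        srcs = [e[1] for e in evs]
        distinct = set(srcs)
        if len(distinct) < 2:
            continue
        # More address changes than (distinct - 1) means the session went back
        # to an address it had left: two clients hold the same token at once.
        changes = sum(1 for a, b in zip(srcs, srcs[1:]) if a != b)
        findings[sid] = {
            "user": evs[0][3],
            "sources": sorted(distinct),
            "user_agents": sorted({e[2] for e in evs}),
            "severity": "high" if changes > len(distinct) - 1 else "review",
        }
    return findings

if __name__ == "__main__":
    for sid, finding in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, finding)
```

A single address change (severity `review`) can be a user moving between networks, so it is a lead for an analyst rather than proof of hijacking.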

Citrix issued updates, but on October 17, a week later, it revised its alert to note that it had seen instances of exploitation in the wild. According to incident response behemoth Mandiant, which said it started investigating after finding “multiple instances of successful exploitation” as early as late August, before Citrix made fixes available, the first victims were in government, professional services, and technology. Rapid7, a cybersecurity company that started looking into the flaw after seeing possible exploitation in a customer’s network, has also noticed attackers targeting businesses in the industrial, retail, and healthcare industries, according to Robert Knapp, head of incident response at Rapid7.

According to Knapp, “Rapid7 incident responders have observed both lateral movement and data access in the course of our investigations,” indicating that after an initial penetration, hackers may access victims’ networks and data more broadly.

Well-known victims

Last week, the cybersecurity firm ReliaQuest said that it had proof that at least four threat groups, none of which it identified, were using CitrixBleed, with one of them automating the attack procedure.

The Russia-affiliated LockBit ransomware group is thought to be one of the threat actors; it has already acknowledged being behind a number of significant breaches tied to CitrixBleed.
