
Citrix customers urged to patch as ransomware gang takes credit for hacking big-name firms

Security researchers say hackers are mass-exploiting a critical-rated vulnerability in Citrix NetScaler systems to launch crippling cyberattacks against big-name organizations worldwide.

These cyberattacks have so far included aerospace giant Boeing; the world's biggest bank, ICBC; one of the world's largest port operators, DP World; and international law firm Allen & Overy, according to reports.

Thousands of other organizations remain unpatched against the vulnerability, tracked officially as CVE-2023-4966 and dubbed "CitrixBleed." The majority of affected systems are located in North America, according to nonprofit threat tracker Shadowserver Foundation. The U.S. government's cybersecurity agency CISA has also sounded the alarm in an advisory urging federal agencies to patch against the actively exploited flaw.

Here ’s what we know so far .

What is CitrixBleed?

On October 10, network equipment maker Citrix disclosed the vulnerability affecting on-premises versions of its NetScaler ADC and NetScaler Gateway products, which large enterprises and governments use for application delivery and VPN connectivity.

The flaw is described as a sensitive information disclosure vulnerability that allows remote, unauthenticated attackers to extract large amounts of data from a vulnerable Citrix device's memory, including sensitive session tokens (hence the name "CitrixBleed"). The bug requires little effort or complexity to exploit, allowing hackers to hijack and replay legitimate session tokens to compromise a victim's network without needing a password or passing two-factor authentication. Because a stolen token stays valid until the session it belongs to is terminated, installing the patch alone does not evict an attacker who already holds one; the existing sessions have to be killed as well.

Citrix released patches, but a week later, on October 17, updated its advisory to warn that it had observed exploitation in the wild.
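The practical consequence of the bug described above is that an attacker's traffic arrives with a valid session token but no corresponding login, so it shows up as an established session suddenly being driven from a new source address. The following detector is an added example, not code from the article, from Citrix or from any of the vendors quoted; the log format, field names and sample records are constructed for illustration and are not NetScaler's real log format. It flags any session whose requests come from an address that never authenticated that session, and, as the caveat, it does not flag a user who genuinely re-authenticates from a new address, because that produces a fresh login event.

```python
"""Detect session-token reuse from an address that never logged in.

Added example: a constructed log format, not NetScaler's real one.
Each line is "<epoch> <login|request> session=<id> user=<name> src=<ip>".
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Event:
    ts: int        # epoch seconds (constructed value)
    kind: str      # "login" (credentials + MFA completed) or "request"
    session: str   # session token identifier as it appears in the log
    user: str
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return Event(int(ts), kind, fields["session"], fields["user"], fields["src"])


def find_hijacked_sessions(lines: Iterable[str]) -> Dict[str, List[Event]]:
    """Return {session_id: [suspicious request events]}.

    A request is suspicious when its session has at least one login on
    record and the request's source IP is not one that performed a login
    for that session. A legitimate re-login from a new IP adds that IP to
    the session's origin set first, so it is not flagged.
    """
    origin: Dict[str, Set[str]] = {}          # session -> IPs that logged in
    flagged: Dict[str, List[Event]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev.kind == "login":
            origin.setdefault(ev.session, set()).add(ev.src_ip)
        elif ev.kind == "request":
            if ev.session in origin and ev.src_ip not in origin[ev.session]:
                flagged.setdefault(ev.session, []).append(ev)
    return flagged


def find_orphan_sessions(lines: Iterable[str]) -> Set[str]:
    """Sessions that serve requests without any login in the log window.

    A token stolen before the retained log window begins looks like this,
    so these deserve a manual look even though they are not provably bad.
    """
    seen_login: Set[str] = set()
    orphans: Set[str] = set()
    for line in lines:
        ev = parse_line(line)
        if ev.kind == "login":
            seen_login.add(ev.session)
        elif ev.session not in seen_login:
            orphans.add(ev.session)
    return orphans


# Constructed sample log: s1 is reused from 203.0.113.9 with no login from
# there; s2 is a normal user; s3 re-authenticates from a new IP legitimately;
# s4 never logs in inside the window at all.
SAMPLE_LOG = [
    "1699900000 login session=s1 user=alice src=10.1.1.5",
    "1699900030 request session=s1 user=alice src=10.1.1.5",
    "1699900200 request session=s1 user=alice src=203.0.113.9",
    "1699900210 request session=s1 user=alice src=203.0.113.9",
    "1699900100 login session=s2 user=bob src=10.1.1.7",
    "1699900150 request session=s2 user=bob src=10.1.1.7",
    "1699900300 login session=s3 user=carol src=10.1.1.9",
    "1699900400 login session=s3 user=carol src=198.51.100.4",
    "1699900410 request session=s3 user=carol src=198.51.100.4",
    "1699900500 request session=s4 user=dave src=198.51.100.77",
]

if __name__ == "__main__":
    for sid, events in find_hijacked_sessions(SAMPLE_LOG).items():
        ips = sorted({e.src_ip for e in events})
        print(f"session {sid} ({events[0].user}) reused from {ips} without login")
    print("sessions with no login in window:", sorted(find_orphan_sessions(SAMPLE_LOG)))
```

Run over real gateway logs the same idea needs the token identifier and the authentication event to be correlatable, and the origin set should be widened to whatever the organization treats as equivalent (a NAT pool, a VPN egress range) to keep false positives down.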


Other victims included professional services, technology and government organizations, according to incident response giant Mandiant, which said it began investigating after discovering "multiple instances of successful exploitation" as early as late August, before Citrix made patches available.

Robert Knapp, head of incident response at cybersecurity firm Rapid7, which also began investigating the bug after detecting potential exploitation of it in a customer's network, said the company has also observed attackers targeting organizations across healthcare, manufacturing and retail.

"Rapid7 incident responders have observed both lateral movement and data access in the course of our investigations," said Knapp, suggesting hackers are able to gain broader access to victims' networks and data after the initial compromise.

Big-name victims

Cybersecurity company ReliaQuest said last week it has evidence that at least four threat groups, which it did not name, are leveraging CitrixBleed, with at least one group automating the attack process.

One of the threat actors is believed to be the Russia-linked LockBit ransomware crew, which has already claimed responsibility for several large-scale breaches believed to be linked to CitrixBleed.

Security researcher Kevin Beaumont wrote in a blog post Tuesday that the LockBit gang last week hacked into the U.S. branch of Industrial and Commercial Bank of China (ICBC), said to be the world's largest lender by assets, by compromising an unpatched Citrix NetScaler box. The outage disrupted the banking giant's ability to clear trades. According to Bloomberg on Tuesday, the firm has yet to restore normal operations.

ICBC, which reportedly paid LockBit's ransom demand, declined to answer TechCrunch's questions but said in a statement on its website that it "experienced a ransomware attack" that "resulted in disruption to certain systems."

A LockBit representative told Reuters on Monday that ICBC "paid a ransom — deal closed," but did not provide evidence for the claim. LockBit also told malware research group vx-underground that ICBC paid a ransom, but declined to say how much.

"Lockbit ransomware group administrative staff claim ICBC has already paid the ransom demand."

— vx-underground (@vxunderground), November 14, 2023

Beaumont said in a post on Mastodon that Boeing also had an unpatched Citrix NetScaler system at the time of its LockBit breach, citing data from Shodan, a search engine for exposed databases and devices.

Boeing spokesperson Jim Proulx previously told TechCrunch that the company is "aware of a cyber incident impacting elements of our parts and distribution business" but would not comment on LockBit's alleged publication of stolen data.

Allen & Overy, one of the world's largest law firms, was also running an affected Citrix system at the time of its compromise, Beaumont noted. LockBit added both Boeing and Allen & Overy to its dark web leak site, which ransomware gangs typically use to extort victims by publishing stolen files unless the victim pays a ransom demand.

Allen & Overy spokesperson Debbie Spitz confirmed the law firm experienced a "data incident" and said it was "assessing exactly what data has been impacted, and we are informing affected clients."

The Medusa ransomware gang is also exploiting CitrixBleed to compromise targeted organizations, said Beaumont.

"We would expect CVE-2023-4966 to be one of the top routinely exploited vulnerabilities from 2023," Rapid7's head of vulnerability research Caitlin Condon told TechCrunch.
