US government reinforces ICBC hack link to Citrix Bleed

The possibility that this was the case was first raised by security researcher and commentator Kevin Beaumont via the social media website Mastodon. Beaumont had posted evidence drawn from Shodan revealing that ICBC was running a Citrix NetScaler appliance that was not patched against CVE-2023-4966.

According to the publication that was first to report the latest development, having reviewed the note, the Treasury told the industry that it was yet to fully establish that CVE-2023-4966, an information disclosure vulnerability, and a second bug tracked as CVE-2023-4967, a denial-of-service vulnerability, were the access vectors used by LockBit’s operatives. However, the authorities appear to be confident that this will be confirmed imminently.

According to Reuters, the disruption to ICBC’s ability to do business was so extensive that employees were forced to move to proprietary webmail services, while the brokerage was also left temporarily indebted to the investment bank BNY Mellon to the tune of $9bn.

Separately, an individual purporting to represent the interests of the LockBit cartel made a claim to the news agency. The veracity of this claim has not been verified.

Should I worry about Citrix Bleed?

Commonly known as Citrix Bleed, zero-day exploitation of CVE-2023-4966 has been dated to the beginning of August, and it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on 18 October, eight days after Citrix issued an update to patch it.

Mandiant explained that, when successfully exploited, CVE-2023-4966 lets an attacker hijack existing authenticated sessions and bypass authentication measures; worse still, these sessions can persist even after the Citrix patch has been deployed.

Its analysts have also observed session hijacking in which session data was stolen before the patch was deployed and then used by an attacker afterwards.

Authenticated session hijacking is a problem because it can give attackers wider downstream access based on the permissions that the identity or session had been granted.

They can then steal additional credentials and start moving laterally through the victim’s network to escalate their privileges and deploy their ransomware payloads.

Mandiant said it has seen exploitation at professional services, technology and public sector organisations alike.

Exploitation of Citrix Bleed by a cyber extortion gang has not, at least to public knowledge, reached the scale of activity seen after other critical compromises, such as the one targeting a flaw in Progress Software’s MOVEit tool, via which the Cl0p gang attacked over a thousand victims.

However, for those users who have yet to address the issue, time is now running critically short. Besides ICBC, Citrix Bleed is now thought to be behind the LockBit attack on Boeing and an attack on a prominent US law firm, among other incidents.

“NetScaler ADC is like a baton-waving traffic conductor for your online applications,” said Paul Brucciani, cyber security advisor. “It helps manage all the incoming user traffic, making sure it gets to the right application quickly and safely. NetScaler Gateway is like a nightclub bouncer that controls the single point of entry to your work applications.

“The vulnerability provides access to remote desktop applications and data protected behind organisations’ firewalls without generating any alerts or logs,” he said. “That’s already serious.

“It has been estimated that 75% of all internet traffic passes through Citrix NetScaler every day, which means that any vulnerability found within these appliances would put immense power into the hands of the attacker. That is why … it was rated as a critical vulnerability, scoring 9.4 out of 10.”

Considering why a bigger fuss was not made about Citrix Bleed as soon as it was discovered, Brucciani said security teams – particularly those at large enterprises – were already struggling under the weight of thousands of other issues.

“Only 2% of vulnerabilities are exploited for malicious purposes, and not even banks have the resources to patch every vulnerability immediately, so which ones do you prioritise? Even if you make the right call, patching isn’t easy, especially for large organisations like ICBC operating complex IT systems that, assuming every vulnerable asset has been identified, cannot easily be taken offline for patching,” he said.

What is vulnerable?

The following members of the NetScaler family are vulnerable to Citrix Bleed:

  • NetScaler ADC and NetScaler Gateway 14.1 up to 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 up to 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 up to 13.0-92.19
  • NetScaler ADC 13.1-FIPS up to 13.1-37.164
  • NetScaler ADC 12.1-FIPS up to 12.1-55.300
  • NetScaler ADC 12.1-NDcPP up to 12.1-55.300

Note additionally that NetScaler ADC and Gateway version 12.1, which has reached end-of-life, is also vulnerable. However, customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are covered.
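The version list above is what a defender actually has to compare an asset inventory against, and the string formats make a naive comparison easy to get wrong. The following is an added example (not from the article, Citrix or Mandiant) that parses NetScaler build strings and classifies them against the branches listed, taking each listed build as the first fixed build on its branch and treating end-of-life 12.1 as having no fix; the `show ns version` output format and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not part of the article: classify NetScaler ADC / Gateway
# builds against the Citrix Bleed (CVE-2023-4966) ranges listed above.
# The build listed for each branch is taken as the first FIXED build, so
# anything below it on that branch is vulnerable. Branch 12.1 (non-FIPS,
# non-NDcPP) is end-of-life and has no fixed build at all.
FIRST_FIXED: Dict[Tuple[str, str], Optional[Tuple[int, int]]] = {
    ("14.1", ""):      (8, 50),
    ("13.1", ""):      (49, 15),
    ("13.0", ""):      (92, 19),
    ("13.1", "FIPS"):  (37, 164),
    ("12.1", "FIPS"):  (55, 300),
    ("12.1", "NDcPP"): (55, 300),
    ("12.1", ""):      None,      # EOL: every build is vulnerable
}

# Accepts the advisory's "13.1-49.15" form and the "NS13.1: Build 49.15.nc"
# form that `show ns version` prints on the appliance (assumed format).
_BUILD_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def parse_build(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build, revision)) or raise ValueError."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def is_vulnerable(text: str, variant: str = "") -> Optional[bool]:
    """True = vulnerable, False = fixed, None = branch not in the advisory.
    variant is "" for mainline, "FIPS" or "NDcPP" for those feature sets."""
    branch, number = parse_build(text)
    if (branch, variant) not in FIRST_FIXED:
        return None
    fixed = FIRST_FIXED[(branch, variant)]
    return True if fixed is None else number < fixed

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hostnames that are vulnerable or on an unlisted branch (need a human look)."""
    return [host for host, build, variant in inventory
            if is_vulnerable(build, variant) is not False]

# Constructed sample inventory: (hostname, build string, variant)
SAMPLE_INVENTORY = [
    ("gw-01.example.test", "NetScaler NS13.1: Build 49.13.nc, Date: Sep 1 2023", ""),
    ("gw-02.example.test", "13.1-49.15", ""),
    ("adc-fips.example.test", "13.1-37.159", "FIPS"),
    ("adc-legacy.example.test", "12.1-65.39", ""),
]
```

Because Mandiant notes that hijacked sessions can outlive the patch, a host that moves from the vulnerable to the fixed list still needs its active sessions reviewed rather than being closed out on version alone.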
