2023-11-26

A critical flaw in the software of Citrix Systems Inc., the company that pioneered remote access for people to work from anywhere, has been exploited by government-backed hackers and criminal groups, according to a U.S. cyber official.

The flaw, called Citrix Bleed, was secretly exploited by hackers for several weeks before it was discovered and patched last month, according to a Citrix online post and cybersecurity researchers. Since then, researchers say hackers have stepped up exploitation of the bug, and have targeted some of the thousands of customers who have not applied the patch.

Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, told Bloomberg News, “We know that a variety of malicious actors, including nation states and criminal groups, are focused on taking advantage of the Citrix Bleed vulnerability.”

CISA is providing assistance to the victims, said Goldstein, who declined to identify them. He said adversaries could exploit the vulnerability to steal sensitive information and attempt to gain widespread network access.

Citrix did not respond to messages seeking comment.

Criminal groups exploiting the Citrix Bleed bug include Lockbit, one of the world’s most notorious hacking gangs, according to FS-ISAC, the global banking security association, which issued a security bulletin on Tuesday about the risk to financial institutions.

The U.S. Treasury is also investigating whether the Citrix vulnerability was responsible for the recent debilitating ransomware attack on Industrial and Commercial Bank of China Ltd., according to a person familiar with the matter. The breach left the world’s largest bank unable to settle a large portion of its U.S. Treasury trades. ICBC did not respond to a request for comment.

Lockbit claimed credit for the ICBC hack, and a representative of the gang said the bank paid the ransom, though Bloomberg was not able to independently verify the claim. The Wall Street Journal earlier reported the Treasury inquiry.

Citrix disclosed the Citrix Bleed bug on October 10 and released a patch. The company said at the time there was no indication that anyone had taken advantage of the vulnerability.

Since then, however, several Citrix customers have discovered that they were breached before the patch was released, according to a Citrix post and cybersecurity researchers. An early victim was a European government, according to a person familiar with the matter, who declined to name the country.

According to CISA, the Citrix Bleed bug (tracked as CVE-2023-4966 and affecting Citrix NetScaler ADC and NetScaler Gateway appliances) could allow a hacker to take control of a victim’s system. According to Unit 42, the research arm of cybersecurity company Palo Alto Networks Inc., the flaw got its nickname because it can leak sensitive information from a device’s memory. The leaked data may include “session tokens,” which identify and authenticate a user to a specific website or service. A session token is a bearer credential: whoever presents a valid one is treated as that already logged-in user, with no password or second authentication factor required.

Cybersecurity firm Mandiant began looking into the vulnerability after Citrix flagged it and eventually found several victims whose intrusions dated back to late August, before the bug was made public or fixed.

Charles Carmakal, chief technology officer of Mandiant’s consulting arm, told Bloomberg that those initial attacks were not financially motivated. Mandiant is still assessing whether those initial intrusions were conducted by a nation state, possibly China, for espionage purposes, he said.

Asked for comment, the Chinese Embassy in Washington did not address the Citrix vulnerability, instead referring to the Foreign Ministry’s Nov. 10 comments. “ICBC is monitoring this closely and has taken effective emergency response measures to minimize risk, impact and damage and is engaged in appropriate supervision and communication,” the ministry said.

Citrix updated its guidance on October 23 to recommend not only patching but also “closing all active and persistent sessions.” The extra step matters because applying the patch closes the memory leak but does not invalidate session tokens that were already copied out of the device’s memory; until those sessions are terminated, an attacker holding a stolen token can keep using it as if they were the legitimate user.
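The following added example is not Citrix or NetScaler code and is not from the original article; it is a constructed toy session store that illustrates the mechanism described above: a memory-disclosure bug leaks a bearer token, the attacker replays it, and closing the leak does not revoke the stolen copy, while terminating sessions does. The `Gateway` class, its `leak_memory` and `kill_all_sessions` methods and the user name are hypothetical names chosen for the illustration.

```python
"""Why patching alone does not end a Citrix Bleed style intrusion.

Constructed example (not Citrix/NetScaler code): a gateway issues random
session tokens; a memory-disclosure bug leaks one; the attacker replays it.
Patching closes the leak but the attacker still holds a valid token;
only invalidating the sessions ends the hijack.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float
    mfa_passed: bool


class Gateway:
    """Minimal bearer-token session store (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self._leaky = True  # models the unpatched memory-disclosure bug

    def login(self, user: str, password_ok: bool, mfa_ok: bool) -> str:
        """Full authentication (password + MFA) happens only here."""
        if not (password_ok and mfa_ok):
            raise PermissionError("authentication failed")
        token = secrets.token_hex(32)
        self._sessions[token] = Session(user, time.time(), True)
        return token

    def request(self, token: str) -> str:
        """A request carrying a live token is served as that user; neither the
        password nor MFA is checked again. The token is a bearer credential."""
        s = self._sessions.get(token)
        if s is None:
            raise PermissionError("invalid or revoked session")
        return s.user

    def leak_memory(self) -> list[str]:
        """Models the memory disclosure: on an unpatched device the returned
        memory happens to contain every live session token."""
        if not self._leaky:
            return []
        return list(self._sessions)

    def patch(self) -> None:
        """Applying the vendor fix closes the leak and nothing else."""
        self._leaky = False

    def kill_all_sessions(self) -> int:
        """The 'close all active and persistent sessions' step from Citrix's
        guidance: every token, stolen or not, stops working. Returns count."""
        n = len(self._sessions)
        self._sessions.clear()
        return n


def token_is_valid(gw: Gateway, token: str) -> bool:
    try:
        gw.request(token)
        return True
    except PermissionError:
        return False


def simulate() -> dict[str, bool]:
    """Runs the three phases and reports whether the hijack works in each."""
    gw = Gateway()
    gw.login("alice", password_ok=True, mfa_ok=True)

    # 1. Attacker triggers the leak and harvests a live token, never
    #    having known alice's password or passed MFA.
    stolen = gw.leak_memory()[0]
    hijacked_before_patch = gw.request(stolen) == "alice"

    # 2. The patch is applied. The leak is gone, but the stolen token
    #    was issued by a legitimate login and is still in the store.
    gw.patch()
    leak_closed = gw.leak_memory() == []
    hijacked_after_patch = gw.request(stolen) == "alice"

    # 3. Killing sessions revokes the stolen copy; alice must log in again.
    killed = gw.kill_all_sessions()
    hijacked_after_kill = token_is_valid(gw, stolen)

    return {
        "hijacked_before_patch": hijacked_before_patch,
        "leak_closed_by_patch": leak_closed,
        "hijacked_after_patch": hijacked_after_patch,
        "sessions_killed": killed == 1,
        "hijacked_after_kill": hijacked_after_kill,
    }


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step}: {outcome}")
```

The design point is the order of operations: kill sessions after the patch is in place, not before, because on an unpatched device the attacker can simply re-run the leak against the freshly created sessions.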

Thousands of companies have not updated their Citrix software or taken the other actions that the company, CISA and others recommended immediately after disclosure. Palo Alto’s Unit 42 team, which has also seen ransomware groups exploiting the bug, said in a Nov. 1 blog that at least 6,000 IP addresses appeared to be vulnerable, with the largest number of those devices located in the U.S., followed by Germany, China and the UK, among others.

GreyNoise, a company that analyzes internet-wide scanning traffic by source IP address, reported that it had observed 335 unique IP addresses attempting to use the Citrix Bleed exploit since it began tracking it on October 17.

Lockbit is the name of both a gang and the ransomware it creates. The FBI says the group has been responsible for more than 1,700 attacks in the U.S. since 2020.

Kevin Beaumont, a security researcher, said Lockbit’s exploitation of the Citrix flaw extended to multiple victims. Law firm Allen & Overy was breached through the Citrix flaw, he said in a post on Medium, and aviation giant Boeing Co. and port operator DP World Plc had unpatched Citrix devices that would have allowed hackers to exploit the bug.

Beaumont described the flaw as “incredibly easy to exploit” and said, “The cybersecurity reality we live in right now is that teenagers are running into organized crime gangs with digital bazookas.”

Representatives from Allen & Overy, DP World and Boeing did not say whether the Citrix bug was exploited. A spokesperson said the Allen & Overy incident affected a small number of storage servers but core systems were not affected. An investigation into the breach affecting Boeing’s parts and delivery systems is ongoing, a spokeswoman said.

A representative of DP World said the company could provide limited details due to the ongoing nature of the investigation. Beaumont did not respond to a request for comment.

