{"id":2032,"date":"2023-11-10T18:59:00","date_gmt":"2023-11-10T18:59:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/ransomware-hit-china-owned-bank-citrixbleed-flaw"},"modified":"2023-11-10T18:59:00","modified_gmt":"2023-11-10T18:59:00","slug":"citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/11\/10\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank\/","title":{"rendered":"&#8216;CitrixBleed&#8217; Linked to Ransomware Hit on China&#8217;s State-Owned Bank"},"content":{"rendered":"<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?w=640&#038;ssl=1\"><\/p>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank-1.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p>The disruptive <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/treasury-markets-disrupted-from-icbc-ransomware-attack\" target=\"_blank\" rel=\"noopener\">ransomware attack on the world&#8217;s largest bank this week<\/a>, the PRC&#8217;s Industrial and Commercial Bank of China (ICBC), may be tied to a critical vulnerability that <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/critical-citrix-bug-exploited-zero-day-patching-not-enough\" target=\"_blank\" rel=\"noopener\">Citrix disclosed in its NetScaler technology last month.<\/a> The situation highlights why organizations need to immediately patch against the threat if they haven&#8217;t done so already.<\/p>\n<p>The so-called &#8220;CitrixBleed&#8221; vulnerability (<a 
href=\"https:\/\/support.citrix.com\/article\/CTX579459\/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\" target=\"_blank\" rel=\"noopener\">CVE-2023-4966<\/a>) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.<\/p>\n<p>The vulnerability has a severity score of 9.4 out of a maximum possible 10 on the CVSS 3.1 scale, and gives attackers a way to steal sensitive information and hijack user sessions. <span>Citrix has described the flaw as remotely exploitable and involving low attack complexity, no special privileges, and no user interaction.<\/span><\/p>\n<h2 class=\"regular-text\">Mass CitrixBleed Exploitation<\/h2>\n<p>Threat actors have been actively exploiting the flaw since August \u2014 several weeks before Citrix issued updated versions of affected software on Oct. 10. Researchers at Mandiant who discovered and reported the flaw to Citrix have also strongly recommended that organizations <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/remediation-netscaler-adc-gateway-cve-2023-4966\" target=\"_blank\" rel=\"noopener\">terminate all active sessions<\/a> on each affected NetScaler device because of the potential for authenticated sessions to persist even after the update.<\/p>\n<p>The ransomware attack on the US arm of the state-owned ICBC appears to be one public manifestation of the exploit activity. In a <a href=\"http:\/\/www.icbcfs.com\/\" target=\"_blank\" rel=\"noopener\">statement<\/a> earlier this week, the bank disclosed that it had experienced a ransomware attack on Nov. 8 that disrupted some of its systems. 
The <a href=\"https:\/\/www.ft.com\/content\/8dd2446b-c8da-4854-9edc-bf841069ccb8\" target=\"_blank\" rel=\"noopener\">Financial Times<\/a> and other outlets cited sources who said LockBit ransomware operators were behind the attack.<\/p>\n<p>Security researcher <a href=\"https:\/\/cyberplace.social\/@GossiTheDog\/111382220085861321\" target=\"_blank\" rel=\"noopener\">Kevin Beaumont pointed to an unpatched Citrix NetScaler box at ICBC<\/a> on Nov. 6 as one potential attack vector for the LockBit actors.<\/p>\n<p>&#8220;As of writing this toot, over 5,000 orgs still haven&#8217;t patched <a href=\"https:\/\/cyberplace.social\/tags\/CitrixBleed\" target=\"_blank\" rel=\"noopener\">#CitrixBleed<\/a>,&#8221; Beaumont said. &#8220;It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs \u2014 it gives attackers a fully interactive Remote Desktop PC [on] the other end.&#8221;<\/p>\n<p>Attacks on unmitigated NetScaler devices have assumed <a href=\"https:\/\/doublepulsar.com\/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18\" target=\"_blank\" rel=\"noopener\">mass exploitation<\/a> status in recent weeks. Publicly available <a href=\"https:\/\/www.assetnote.io\/resources\/research\/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\" target=\"_blank\" rel=\"noopener\">technical details<\/a> of the flaw have fueled at least some of the activity.<\/p>\n<p>A report from <a href=\"https:\/\/www.reliaquest.com\/blog\/citrix-bleed-vulnerability-background-and-recommendations\/\" target=\"_blank\" rel=\"noopener\">ReliaQuest this week indicated that at least four organized threat groups<\/a> are currently targeting the flaw. One of the groups has automated exploitation of CitrixBleed. 
ReliaQuest reported observing &#8220;multiple unique customer incidents featuring Citrix Bleed exploitation&#8221; just between Nov. 7 and Nov. 9.<\/p>\n<p>&#8220;ReliaQuest has identified multiple cases in customer environments in which threat actors have used the Citrix Bleed exploit,&#8221; ReliaQuest said. &#8220;Having gained initial access, the adversaries quickly enumerated the environment, with a focus on speed over stealth,&#8221; the company noted. In some incidents the attackers exfiltrated data and in others they appear to have attempted to deploy ransomware, ReliaQuest said.<\/p>\n<p>The latest data from Internet traffic analysis firm GreyNoise shows attempts to exploit CitrixBleed from at least <a href=\"https:\/\/viz.greynoise.io\/tag\/citrix-adc-netscaler-cve-2023-4966-information-disclosure-attempt?days=3&amp;_ga=2.129493196.1920464198.1699634566-1490330292.1699634565\" target=\"_blank\" rel=\"noopener\">51 unique IP addresses<\/a> \u2014 down from around 70 in late October.<\/p>\n<h2 class=\"regular-text\">CISA Issues Guidance on CitrixBleed<\/h2>\n<p>The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue <a href=\"https:\/\/www.cisa.gov\/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed\" target=\"_blank\" rel=\"noopener\">fresh guidance<\/a> and resources this week on addressing the CitrixBleed threat. CISA warned of &#8220;active, targeted exploitation&#8221; of the bug in urging organizations to &#8220;update unmitigated appliances to the updated versions&#8221; that Citrix released last month.<\/p>\n<p>The vulnerability itself is a buffer overflow issue that enables sensitive information disclosure. 
It affects on-premises versions of NetScaler when configured as an Authentication, Authorization, and Accounting (AAA) or as a gateway device such as a VPN virtual server or an ICA or RDP Proxy.<\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/ransomware-hit-china-owned-bank-citrixbleed-flaw\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The disruptive ransomware attack on the world&#8217;s largest bank this<\/p>\n","protected":false},"author":12,"featured_media":2033,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2032","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?resize=125%2C125&ssl=1",125,125,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,t
rue],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1",125,125,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?resize=125%2C125&ssl=1",125,125,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?resize=125%2C125&ssl=1",125,125,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/citrixbleed-linked-to-ransomware-hit-on-chinas-state-owned-bank.jpg?fit=125%2C125&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2032"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2032\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2033"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}