‘CitrixBleed’ Linked to Ransomware Hit on China’s State-Owned Bank

The disruptive ransomware attack on the world’s largest bank this week, the PRC’s Industrial and Commercial Bank of China (ICBC), may be tied to a critical vulnerability that Citrix disclosed in its NetScaler technology last month. The situation highlights why organizations need to immediately patch against the threat if they haven’t done so already.

The so-called “CitrixBleed” vulnerability (CVE-2023-4966) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.

The vulnerability has a severity score of 9.4 out of a maximum possible 10 on the CVSS 3.1 scale, and gives attackers a way to steal sensitive information and hijack user sessions. Citrix has described the flaw as remotely exploitable and involving low attack complexity, no special privileges, and no user interaction.

Mass CitrixBleed Exploitation

Threat actors have been actively exploiting the flaw since August — several weeks before Citrix issued updated versions of affected software on Oct. 10. Researchers at Mandiant who discovered and reported the flaw to Citrix have also strongly recommended that organizations terminate all active sessions on each affected NetScaler device because of the potential for authenticated sessions to persist even after the update.

The ransomware attack on the US arm of the state-owned ICBC appears to be one public manifestation of the exploit activity. In a statement earlier this week, the bank disclosed that it had experienced a ransomware attack on Nov. 8 that disrupted some of its systems. The Financial Times and other outlets cited sources who said the LockBit ransomware operation was behind the attack.

Security researcher Kevin Beaumont pointed to an unpatched Citrix NetScaler box at ICBC, observed on Nov. 6, as one potential attack vector for the LockBit actors.

“As of writing this toot, over 5,000 orgs still haven’t patched #CitrixBleed,” Beaumont said. “It allows complete, easy bypass of all forms of authentication and is being exploited by ransomware groups. It is as simple as pointing and clicking your way inside orgs — it gives attackers a fully interactive Remote Desktop PC [on] the other end.”

Attacks on unmitigated NetScaler devices have reached mass-exploitation status in recent weeks. Publicly available technical details of the flaw have fueled at least some of the activity.

A report from ReliaQuest this week indicated that at least four organized threat groups are currently targeting the flaw. One of the groups has automated exploitation of CitrixBleed. ReliaQuest reported observing “multiple unique customer incidents featuring Citrix Bleed exploitation” just between Nov. 7 and Nov. 9.

“ReliaQuest has identified multiple cases in customer environments in which threat actors have used the Citrix Bleed exploit,” the company said. “Having gained initial access, the adversaries quickly enumerated the environment, with a focus on speed over stealth.” In some incidents the attackers exfiltrated data, and in others they appear to have attempted to deploy ransomware, ReliaQuest said.

The latest data from Internet traffic analysis firm GreyNoise shows attempts to exploit CitrixBleed from at least 51 unique IP addresses, down from around 70 in late October.

CISA Issues Guidance on CitrixBleed

The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue fresh guidance and resources this week on addressing the CitrixBleed threat. CISA warned of “active, targeted exploitation” of the bug in urging organizations to “update unmitigated appliances to the updated versions” that Citrix released last month.

The vulnerability itself is a buffer over-read: an out-of-bounds memory read that returns appliance memory, including valid session tokens, to an unauthenticated requester, which is what makes the session hijacking possible. It affects on-premises versions of NetScaler when configured as an Authentication, Authorization, and Accounting (AAA) virtual server or as a gateway device such as a VPN virtual server or an ICA or RDP Proxy.
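Because the flaw is an unauthenticated read, exploitation attempts are visible in request traffic to the appliance. The following is an added example (not from the article, CISA or Citrix) of the detection logic a SOC would run over raw HTTP requests captured in front of a NetScaler, for instance from a WAF log or packet capture. It matches the pattern described in the public technical analyses the article refers to: a request for the NetScaler OpenID Connect discovery endpoint (`/oauth/idp/.well-known/openid-configuration`) carrying an oversized Host header. The 1 KB threshold is an assumption chosen with margin (public write-ups put the triggering Host length in the tens of kilobytes, while legitimate Host values are a few dozen bytes), and the sample requests are constructed.

```python
"""Flag HTTP requests matching the public CitrixBleed (CVE-2023-4966) probe
pattern. Added example, not the article's or any vendor's code. Input is the
raw HTTP/1.x request head as text, e.g. from a WAF log or packet capture.
"""

OIDC_DISCOVERY_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_THRESHOLD = 1024  # assumption: well above any legitimate Host header length


def parse_request(raw: str):
    """Return (method, target, headers) from a raw HTTP request head.

    Header names are lower-cased; the body, if present, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_citrixbleed_probe(raw: str, host_threshold: int = HOST_THRESHOLD) -> bool:
    """True if the request targets the OIDC discovery endpoint with an oversized Host."""
    _, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    return path == OIDC_DISCOVERY_PATH and len(headers.get("host", "")) >= host_threshold


def scan(requests):
    """Indices of requests that look like CitrixBleed probes."""
    return [i for i, raw in enumerate(requests) if is_citrixbleed_probe(raw)]


# Constructed sample traffic, not captured from a real appliance.
BENIGN = (
    "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
    "Host: gateway.example.com\r\n\r\n"
)
PROBE = (
    "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
    "Host: " + "a" * 24812 + "\r\n\r\n"
)
OTHER_PATH = "GET /vpn/index.html HTTP/1.1\r\nHost: " + "a" * 30000 + "\r\n\r\n"
SAMPLE_REQUESTS = [BENIGN, PROBE, OTHER_PATH]


if __name__ == "__main__":
    print("suspicious request indices:", scan(SAMPLE_REQUESTS))
```

A hit on this rule is a strong signal on its own, but the more important follow-up is the one the article's sources stress: any session token that was valid at the time of the probe may already be in the attacker's hands, so terminate sessions and review subsequent logins from that appliance rather than relying on the patch alone. A companion rule for oversized Host headers on any path is reasonable, but it is a generic anomaly, not this specific flaw, which is why `OTHER_PATH` is deliberately not matched here.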