According to Kevin Beaumont, a freelance security researcher, Some other notable victims of cybersecurity breaches include DP World, the Australian branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and Allen & Overy, a multinational law firm.
These four companies have recently admitted to being struck with at least one security incident. Also, China’s ICBC has allegedly paid an undisclosed amount of ransom to retrieve their encryption keys for data that remained unavailable since the breach.
Beaumont stated the four businesses are among the ten victims he is aware of that are presently being blackmailed by LockBit, one of the most active and destructive ransomware crime syndicates in the world, citing data that allows the tracking of ransomware operators and those familiar with the breaches. Despite a fix being available since October 10, Beaumont claimed that all four of the organizations had yet to apply it to a critical vulnerability. The companies used the networking solution Citrix Netscaler.
With a 9.4 severity rating out of 10, CitrixBleed is an easy-to-exploit vulnerability that reveals session tokens that can be used to negate any multifactor authentication mechanisms inside a vulnerable network. Within the affected victim’s internal network, attackers are left with the equivalent of a point-and-click desktop PC and are free to move around.
In his post, Beaumont wrote:
Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.
Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.
The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.
Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose.
Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late ’90s—while also advertising themselves as the experts. Marketing is a hell of a drug.
Beaumont further highlighted query results from the Shodan search service, which showed that at the time of the intrusion, none of the four firms had installed a CitrixBleed patch. The CVE-2023-4966 vulnerability is being monitored.
The researcher additionally condemned Citrix for Netscaler’s logging features, which he claimed made it practically impossible for consumers to determine whether they had been hacked. Because of this, it is possible that some users of the CitrixBleed patch were unaware that LockBit was already present on their networks.
However, Boeing refused to comment on the post.
In the case of Citric and Allen& Overy, the emails sent were left unanswered when the post reached Arstechnica. The tech forum further notes that requests for comment from DP World and ICBC were also not immediately followed.
LockBit uses tools like Atera, which offers interactive PowerShell interfaces without triggering antivirus or endpoint detection alerts, to escalate its access to other parts of the compromised network after the CitrixBleed exploit first provides remote access through Virtual Desktop Infrastructure software. This access persists until administrators take specific steps, even after CitrixBleed is patched.