US government reinforces ICBC hack link to Citrix Bleed
The possibility that this was the case was first raised by security researcher and commentator Kevin Beaumont via social media website Mastodon on Thursday 9 November. Beaumont had posted evidence drawn from Shodan revealing that ICBC was running a Citrix NetScaler appliance that was not patched against CVE-2023-4966.

According to the Wall Street Journal, which was first to report the latest development having reviewed the note, the Treasury told the industry that it was yet to fully establish that CVE-2023-4966, an information disclosure vulnerability, and a second bug tracked as CVE-2023-4967, a denial-of-service vulnerability, were the access vectors used by LockBit’s operatives. However, the authorities appear to be confident that this will be confirmed imminently.

In the wake of last week’s attack, according to Reuters, the disruption to ICBC’s ability to do business was so extensive that employees were forced to move to proprietary webmail services, while the brokerage was also left temporarily indebted to investment bank BNY Mellon to the tune of $9bn.

Separately, an individual purporting to represent the interests of the LockBit cartel told the news agency that ICBC had paid a ransom. The veracity of this claim has not been verified.

Should I worry about Citrix Bleed?

Commonly known as Citrix Bleed, zero-day exploitation of CVE-2023-4966 has been dated to the beginning of August, and it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on 18 October, eight days after Citrix issued an update to patch it.

Mandiant researchers explained that, when successfully exploited, CVE-2023-4966 lets an attacker hijack existing authenticated sessions and bypass authentication measures; worse still, these hijacked sessions can persist even after the Citrix patch has been deployed.

Its analysts have also observed session hijacking in which session data was stolen before the patch was deployed, and thereafter used by an attacker.

Authenticated session hijacking is a problem because it can lead to attackers gaining wider downstream access based on the permissions that identity or session had been given.

They can then steal additional credentials and start moving…
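The point Mandiant makes above is that a patch closes the hole but does nothing to the sessions already minted or stolen through it; a session token captured before the fix keeps working until the back end stops honouring it. Citrix's bulletin for CVE-2023-4966 accordingly told administrators to terminate active sessions on the appliance after patching. The following Python walkthrough is an added example, not code from the article or from Citrix or Mandiant: it models a generic session store (all names, timestamps and IP addresses are constructed for illustration) and shows why the stolen token survives the patch, then the two controls a defender adds: a revocation cutoff that evicts every session issued before patch time, and binding the token to the client that logged in so a replay from elsewhere is rejected and alerted on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    token: str
    user: str
    issued_at: int   # Unix seconds when the session was minted
    bound_ip: str    # client IP observed at login


@dataclass
class SessionStore:
    """Hypothetical server-side session table for the walkthrough."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Sessions issued before this time are treated as revoked. Raising it to
    # the patch time evicts everything minted while the front end was exposed.
    not_before: int = 0
    alerts: List[str] = field(default_factory=list)

    def login(self, token: str, user: str, now: int, ip: str) -> None:
        self.sessions[token] = Session(token, user, now, ip)

    def revoke_issued_before(self, cutoff: int) -> None:
        self.not_before = max(self.not_before, cutoff)

    def validate(self, token: str, now: int, ip: str, bind_ip: bool = True) -> Optional[str]:
        """Return the user the token belongs to, or None if it must be rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if s.issued_at < self.not_before:
            # Minted before the revocation cutoff: drop it even though the
            # token itself is well-formed and has not expired.
            del self.sessions[token]
            return None
        if bind_ip and ip != s.bound_ip:
            # Same token presented from a different client: the usual sign of
            # a replayed or hijacked session. Record it for the SOC and reject.
            self.alerts.append(
                f"token {token} for {s.user} presented from {ip}, bound to {s.bound_ip}"
            )
            return None
        return s.user


def walkthrough() -> Dict[str, object]:
    """Constructed timeline: login on an exposed appliance, token stolen,
    patch applied, token replayed. Returns the outcome of each step."""
    store = SessionStore()
    store.login("tok-A", "alice", now=100, ip="10.0.0.5")   # before the patch
    # The token is stolen at t=150 (out of band). The patch lands at t=200, but
    # the session table is untouched, which is the persisting-session case.
    replay_after_patch = store.validate("tok-A", now=300, ip="203.0.113.9", bind_ip=False)
    replay_with_binding = store.validate("tok-A", now=301, ip="203.0.113.9")
    store.revoke_issued_before(200)                            # post-patch step
    legit_after_revoke = store.validate("tok-A", now=310, ip="10.0.0.5")
    store.login("tok-B", "alice", now=400, ip="10.0.0.5")   # fresh login
    fresh_login = store.validate("tok-B", now=401, ip="10.0.0.5")
    return {
        "replay_after_patch": replay_after_patch,    # "alice": patch alone did not help
        "replay_with_binding": replay_with_binding,  # None, plus an alert
        "legit_after_revoke": legit_after_revoke,    # None: old token evicted
        "fresh_login": fresh_login,                  # "alice": new session is fine
        "alerts": list(store.alerts),
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

The revocation cutoff is deliberately a single timestamp rather than a per-token delete: after an incident like this one the defender does not know which tokens were taken, so the only safe move is to invalidate everything issued before the fix and make users log in again. The IP binding is a coarse control (it can break for roaming or NAT-heavy clients), but the alert it produces is exactly the signal Mandiant's observation describes: a session created before the patch turning up from a new client afterwards.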
