Boeing shares ransomware incident TTPs as Citrix Bleed attacks ramp up

Hey criminals! Fire an HTTP GET request. Grab system memory including session cookies issued post-authentication. Don't worry about logs. Pillage and loot. Thanks, Citrix.

Aerospace multinational Boeing has shared details of a recent ransomware attack with cybersecurity agency CISA – agreeing to their public distribution in a landmark move for a company of this scale.

The advisory, published November 22, shares tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) provided by the FBI, Australian SIGINT agency ACSC, and “voluntarily shared by Boeing.”

The decision was welcomed by CISA Director Jen Easterly as a “terrific example of operational collaboration in action.” She said that Boeing had provided “key detail” for a new advisory on Lockbit 3.0 attacks that used the Citrix Bleed (CVE-2023-4966) vulnerability as an initial access point.

Security researcher Kevin Beaumont said the move “should be a seminal moment in the fight against ransomware. Don’t cover it up; talk about it and fight back together, stronger. Culture reboot, burn old incentives.”

Citrix Bleed attacks mount amid easy pickings

The report casts fresh light on Citrix Bleed, a horror of a software vulnerability that allows attackers to bypass password requirements and MFA, leading to “successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances” as CISA puts it – adding that “through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.”

(By crafting an HTTP GET request with an HTTP Host header longer than a certain length, an attacker can make a vulnerable appliance return the contents of system memory, as Mandiant earlier explained. This simple exploit, for which PoCs are available, returns a session cookie that was issued after authentication and after any multi-factor authentication checks that are configured: “An attacker with access to a valid cookie can establish an authenticated session to the NetScaler appliance without knowledge of the username, password, or access to a multi-factor authentication token or device.” It gets worse: the webserver running on the vulnerable appliance does not record requests or errors to the vulnerable endpoint, i.e. the appliance’s own logs are little help here.)
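Because the appliance itself does not log the request, the defender’s observable is the outcome described above: a stolen, post-MFA session cookie being presented from a client that is not the one it was issued to. The following Python is an added example (not from the article, CISA or Citrix) that flags such reuse in constructed proxy-style access-log lines; the log format, the `SESSION` cookie name and the 30-minute window are assumptions to adapt to whatever sits in front of the gateway.

```python
"""Flag the same post-authentication session cookie being presented from
more than one client IP, the observable side of the session hijack the
article describes. Log format and cookie name are constructed here."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, client IP, user agent, session cookie.
SAMPLE_LOG = """\
2023-11-20T09:01:12Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0)" SESSION=abc123
2023-11-20T09:03:40Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0)" SESSION=abc123
2023-11-20T09:05:02Z 198.51.100.77 "python-requests/2.31" SESSION=abc123
2023-11-20T10:15:55Z 203.0.113.22 "Mozilla/5.0 (Macintosh)" SESSION=def456
2023-11-20T10:16:30Z 203.0.113.22 "Mozilla/5.0 (Macintosh)" SESSION=def456
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" SESSION=(\S+)$')


def parse(log_text):
    """Yield (timestamp, ip, user_agent, session_id) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def find_hijacked_sessions(log_text, window=timedelta(minutes=30)):
    """Return {session_id: sorted client IPs} for every session whose cookie
    was presented from a second IP within `window` of the previous request.
    A User-Agent change alongside the IP change strengthens the signal."""
    seen = defaultdict(list)
    for ts, ip, ua, sid in parse(log_text):
        seen[sid].append((ts, ip, ua))
    flagged = {}
    for sid, events in seen.items():
        events.sort()  # chronological order per session
        for prev, cur in zip(events, events[1:]):
            if cur[1] != prev[1] and cur[0] - prev[0] <= window:
                flagged[sid] = sorted({e[1] for e in events})
                break
    return flagged


if __name__ == "__main__":
    print(find_hijacked_sessions(SAMPLE_LOG))  # {'abc123': ['198.51.100.77', '203.0.113.10']}
```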

Citrix Bleed is the second widely exploited unauthenticated remote code execution (pre-auth RCE) Citrix vulnerability in the second half of this year, with CVE-2023-3519 also having been used to target critical infrastructure in the US and having triggered “13 separate nationally significant incidents” in 2023 that required the intervention of the UK’s National Cyber Security Centre, according to that agency’s annual report.

For those not already deeply impressed with Citrix’s product security at this point, a reminder that its Citrix ShareFile software has also been exploited in the wild this year, via the pre-auth RCE vulnerability CVE-2023-24489.

Updated November 27: ShareFile got in touch...

What did ShareFile tell The Stack?

ShareFile emphasised, fairly, to The Stack that a) It and Citrix are two separate business units under Cloud Software Group; b) A fix for CVE-2023-24489 was released on May 11, 2023 with Version 5.11.24 (one month before the security bulletin was issued); c) "Customer patching was proactively handled and, by June 13, over 83% of these customers had patched their environments, before the incident was made public." (Good work y'all)

Also, d) That "by June 13, all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile"; e) "When this vulnerability was discovered, we worked with and notified impacted customers in advance of the announced CVE to update to the latest version of our software to assure the safety of their data. Our control plane is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched"; and finally that "the incident affected less than 3% of our install base (2800 customers) and there is no known data theft from this incident."

Really well handled, SharePoint team 💪

Other organisations reportedly hit with ransomware through exploitation of CVE-2023-4966 include the US branch of the world’s largest bank, ICBC; Allen & Overy, one of the biggest law firms globally; Fidelity National Services, a Fortune 500 real estate services company; and more.

CISA has now provided YARA rules to help organisations hunt for malicious activity, as ransomware groups ramp up their use of Citrix Bleed to launch crippling attacks, warning “if compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious code.”