What it means: CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US
by Kevin Beaumont, Dec 2023, DoublePulsar
How the CitrixBleed vulnerability in Netscaler has become the cybersecurity challenge of 2023

Credit union technology firm Trellance own Ongoing Operations LLC and provide a platform called Fedcomp, used by a double digit number of other credit unions across the United States. This Fedcomp platform was not patched for CitrixBleed, as no Netscaler patches had been applied since May 2023.

A ransomware group gained entry to Trellance via Ongoing Operations. You can read about some of the fallout here. Ongoing Operations' two Netscaler devices remain offline. This is disrupting operations in a way which impacts millions of Americans.

HTC Global Services, aka HTC Inc, aka Caretech, a large MSP for the US healthcare sector with remote access to hospitals across the US, had not patched Netscaler since July 2023.

HTC Global Services are currently being held to extortion by the AlphV ransomware group, who display stolen documents on their ransomware portal which are branded Caretech, a division of HTC.

Earlier in the week, the BBC reported that a "cyber incident" (ransomware) at CTS, a legal tech firm and cloud MSP in the UK, is leaving UK home sales in limbo. (www.bbc.co.uk)

CTS own Sprout IT as a core brand.

Sprout IT ran Netscaler and hadn't patched it until late.

ABC report that homebuying in the US has stalled due to a ransomware incident at Fidelity National Financial. The AlphV ransomware group also claimed them.

Fidelity National Financial also patched CitrixBleed late. You may be spotting a pattern at the victims.

The United States continues to be disproportionately impacted, so I thought it would be interesting to look at what is making this situation so difficult to address. Sadly, CitrixBleed isn't an isolated situation; it's just the perfect storm of this style of vulnerability combined with ransomware groups.

First, let's do a bit of background. The security patch for this issue became available almost two months ago. Back in October I wrote a Mastodon toot saying CitrixBleed would have more legs than people realise.

The reason I wrote this toot is as follows: in a world where there are thousands of new security vulnerabilities every few months, not all vulnerabilities are equal. This one was, to me, clearly going to be a major issue, as it allowed the bypass of multifactor authentication controls, it didn't log exploitation, and it was easy to exploit. I knew many organisations were not going to be equipped to know to patch the vulnerability, or even to know how to identify whether they ran the Netscaler product, due to the silo'd nature of cybersecurity departments within businesses. Hence why I published information on how organisations could identify their own assets.

I then wrote a blog saying mass exploitation was happening, a companion piece saying ransomware groups are using the vulnerability to backdoor systems for later, and continued to track threat actor activity.

I have also established, for example, that one of the ransomware groups and a state-aligned group both obtained an exploit for the vulnerability on October 23rd and were using it in the wild.

In my earlier blog post I broke the news, using publicly available information, that the attack on ICBC, the world's largest bank, was via CitrixBleed. This has since been confirmed by the US Treasury. It also provided evidence of CitrixBleed being used against Allen & Overy and many others.

The blog also broke the news that exploitation leaves no logs for the initial exploit request (since confirmed by Mandiant), due to product deficiencies which still haven't been addressed by the vendor. This led to briefs from the Australian government, the US government and others. Healthcare services issued briefs. (therecord.media)

While all this was happening, I was watching people gleefully posting things on LinkedIn about AI generated malware and such. The cybersecurity industry has amazing problems with understanding threat priority, and really likes to chase after whatever is being sold next.

Now let's bring ourselves up to date with what has changed in the three weeks since I last wrote about this. First, many of the victim organisations either never appeared on ransomware group portals, or disappeared from ransomware group portals, because the organisations made the choice to pay the criminals. This is despite mass data theft. Fidelity National Financial and Allen & Overy have both disappeared from portals and refused to confirm what happened.

My research, which has allowed me to track who has been successfully targeted, shows most victim organisations have opted to cover things up, and their names are not known to the public. Organisations instrumental to this cover up include leading cybersecurity incident response and insurance firms.

I'm concerned

Anybody who knows me knows I am a pragmatist. I've spent 24 years nonstop working in cybersecurity for medium to large size enterprises: oil companies, telcos, ICS manufacturing, a security vendor, etc. I've seen... a lot. I often get laughed at in professional settings for underselling situations, e.g. I'll say "that's not ideal" when things have gone very wrong.

I say this because I want people to understand the tone and weight behind what I'm about to say. I'm really concerned about ransomware groups. So much money is being quietly passed to these guys (often teenagers) that I think there is a very real probability they are going to cause a series of major global incidents that impact civil society and governments themselves. Not by choice of these groups, but by accident: they're obtaining the level of access that only nation states should have, where consequences, counterweights and experience normally exist. What's happening with ransomware isn't normal; it has just become normalised. We're allowing teenagers to obtain serious arms and infrastructure at an alarming pace.

I do not think the situation is any longer sustainable. Whilst it is absolutely true that ransomware and extortion groups are just a symptom of poor security (trust me, I've seen it), the reality is that poor security isn't fixable any time soon, but the threat posed by uncontrolled groups who've monetised said poor security is legitimately an international security risk that is going to keep escalating until something goes very wrong, I fear. It isn't just the criminals who have monetised poor security here; there's an industry which has sprung up monetising the victims, and the fear of being a victim, too.

What needs to change

I'm career cybersecurity. I'm numb to pain. I genuinely fear we have a problem where we're pretending that virtual cyber things aren't real and there's nothing we can do about it. Bitcoin payments mean exploit development and recruitment. I think it's going to get very real, and while I'm super optimistic that there are more things we can do to pump the brakes, we shouldn't do them too late.

You can follow me on Mastodon for the latest cybersecurity news about emerging cyber threats, if you're really bored: cyberplace.social

Update: HTC are acknowledging. Their statement: "HTC has experienced a cybersecurity incident. Our team has been actively investigating and addressing the situation to ensure the security and integrity of user data. We've enlisted cybersecurity experts and are working to resolve it. Your trust is our priority."

DoublePulsar: Everything here is my personal work and opinions.