Let’s Talk Citrix Bleed

12–4–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 4, 2023, and we’re back after taking a week off for the Thanksgiving holiday. To be clear - I didn’t actually take a week off of work - I just took a week off of making this video. Cybersecurity folks traditionally aren’t good at making and taking time off - yours truly included.

We’ve got another system vulnerability being exploited by ransomware groups - it’s got a catchy name and everything. Let’s dive in.

Time to Talk CitrixBLEED

A vulnerability in Citrix's NetScaler product allows unauthenticated requests to manipulate the application into returning values from its memory, including session keys - which allows attackers to bypass MFA and other traditional security controls.

Therefore, if these devices are exposed to the Internet (which, generally, they have to be in order to work to their full potential) they're vulnerable, and attackers are exploiting them like crazy.

In the US, we’re seeing 60+ credit unions facing an outage because one of their vendors was hit. This comes after larger players have been hit more publicly by this event, including Fidelity National Financial, who seems to be only just now starting to recover several weeks later (and, potentially, after paying the ransom).

Meanwhile, in the UK, home buyers are also being impacted in a roundabout way, with a Managed Service Provider for law firms, CTS, being impacted. Initially, CTS posted an update on their blog - but have only posted one update since, noting that they are “now at Phase 4, which is the restoration of client environments. Phase 4 is a complex exercise and may take some time. We remain in contact with our clients and are keeping them informed as we progress through this final phase. If you are a member of the public, please directly contact the legal firm you have engaged.”

UK legal firms supported by CTS aren't the only ones being attacked, either - with Bloomberg reporting famed Magic Circle firm Allen & Overy falling prey to the same fate.

The issue has become one getting attention at the government level, as healthcare institutions are also being impacted. The Department of Health and Human Services here in the US published an alert via their Health Sector Cybersecurity Coordination Center encouraging providers to patch their systems and kill any existing sessions to force reauthentication.

This vulnerability, according to other reports, also appears to have been the one that took a chunk out of Boeing and took down the Industrial and Commercial Bank of China.

In short, folks, this is bad. Real bad.

So what can we do?

Security researcher Kevin Beaumont has a somewhat exasperated (understandably) post up with some suggestions that I think are worth echoing.

Step 1? Require vendors to secure the products they sell. Great idea, cause worth pursuing long-term, but hard to enforce.

Step 2? Outlaw ransomware payments internationally. Again, great idea, cause worth pursuing long-term, but hard to enforce both internationally and domestically. Lots of lawsuits ahead, and still likely enough revenue for ransomware gangs to keep doing their thing - they bear very little cost to add more victims, and if they become a volume play over a margin play, this is what they’ll do.

Step 3? Companies should consider whether they can sufficiently manage the security of the technology they’re purchasing and operating. Again, great idea, cause worth pursuing long-term, but hard to get traction in either the short-term or at scale.

Step 4? Change how we deal with ransomware. Deal with it publicly, share info, and coordinate across sectors and governments.

To me, this is the biggest change we can make. Too many companies are afraid or unwilling to disclose the nature of their incident - and for what reason? Your service is already disrupted. Your customer trust is already eroded. Pretending this is something other than ransomware doesn’t help - in my mind - at this point. Instead, recognizing that you were a victim of a crime and have information about the perpetrators to contribute seems like the thing any civically minded person or organization would do. And yet? Most don’t.

Kevin had a fantastic line in his piece that I’ll share here: “What’s happening with ransomware isn’t normal, it has just become normalised.”

We need to square up to this threat, collectively, or else we’re going to be picked off individually (or, as is the case many times, via our third parties - another cause worth pursuing long-term but with limited ability to make traction in the short-term or at scale).

My best advice? Know what you have, keep those patches up to date, and tell it like it is - especially when things are not condition normal.

Fundraising

From a fundraising perspective, November closed out as a very strong month - with more than $83B in newly committed capital, and December is off to a good start - with more than $10B announced last week, including several multi-billion dollar raises.

That said, we're still looking for the IPO dam to break, with Chinese fast-fashion giant Shein trying to break through. Unfortunately, this type of company - growth at all costs, very short-term - is likely not a good example for the IPO market writ large. The holiday slowdown really is upon us, so I would suspect very little movement from here to the end of the year. We'll likely have to wait and see how Q1 2024 plays out before we can draw any sort of larger conclusions.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://therecord.media/credit-unions-facing-outages-due-to-ransomware

https://www.reuters.com/markets/deals/chinese-fast-fashion-shein-files-us-ipo-wsj-2023-11-27/

https://news.yahoo.com/week-long-outage-fidelity-national-165524562.html

https://www.bbc.com/news/business-67543838

https://cts.co.uk/hub/news/update-on-recent-cyber-incident/

https://www.bloomberg.com/news/articles/2023-11-19/hackers-are-exploiting-a-flaw-in-citrix-software-despite-fix

https://www.aha.org/system/files/media/file/2023/12/202311301200_Citrix-Bleed-Vulnerability-Sector-Alert-TLPCLEAR.pdf

https://therecord.media/citrix-bleed-bug-targeted-cisa#

https://doublepulsar.com/what-it-means-citrixbleed-ransom-group-woes-grow-as-over-60-credit-unions-hospitals-47766a091d4f
