Security Roundup November 2023

Darren Kewley
Technical Director
Published
30 November 2023

November 2023: Attackers Exploit ‘Citrix Bleed’ in the Wild, the NCSC and CISA Develop Guidelines for Securing AI, Hacked British Library Data is Available on the Dark Web, Law Firms Impacted by Attack Against IT Provider CTS, and More! 

Citrix Bleed Exploited in the Wild

Last month’s security roundup reported a remote code execution (RCE) vulnerability affecting Citrix NetScaler ADC and Gateway products. The vulnerability, tracked as CVE-2023-4966, has since been named ‘Citrix Bleed’. This month, attackers have been exploiting the vulnerability in the wild. One of the victims was Boeing, which was attacked by the ransomware group LockBit, a group we also reported on last month. Other Citrix Bleed victims include the logistics firm DP World and the Industrial and Commercial Bank of China (ICBC).

Researchers estimate that over 10,000 appliances were vulnerable and open to the internet. The vulnerability impacts the following versions of NetScaler ADC and Gateway appliances, for which the vendor has released fixes: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

It is also advised to kill all persistent and active sessions via the following commands:

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

kill aaa session -all

clear lb persistentSessions

See Mandiant’s remediation guide for more information. 
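
A check of appliance builds against the fixed builds listed above, added here as an example (it is not vendor or Mandiant code). It assumes versions are written in the `release-build` form used in that list; the function names, hostnames and inventory entries are constructed for illustration.

```python
import re

# First fixed build per (release, edition), taken from the list above.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Assumed input form: "<release>-<build>", e.g. "13.1-49.15".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def classify(version, edition="standard"):
    """Return 'fixed', 'vulnerable' or 'not-listed' for one appliance."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = match.group(1)
    # Compare build numbers as integers: 92.2 is older than 92.19.
    build = (int(match.group(2)), int(match.group(3)))
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        # Release/edition is not in the list; check the vendor advisory.
        return "not-listed"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each hostname to its classification."""
    return {host: classify(ver, ed) for host, ver, ed in inventory}


# Constructed inventory (hostnames and builds are made up for illustration).
INVENTORY = [
    ("gw-01.example.internal", "13.1-48.47", "standard"),
    ("gw-02.example.internal", "13.1-49.15", "standard"),
    ("gw-03.example.internal", "13.0-92.2", "standard"),
    ("gw-04.example.internal", "13.1-37.164", "FIPS"),
    ("gw-05.example.internal", "12.1-65.25", "standard"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A ‘fixed’ result covers only the build number; the session commands above are a separate step.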

NCSC and CISA Develop Guidelines for Securing AI

The UK’s National Cyber Security Centre (NCSC) and the USA’s Cybersecurity and Infrastructure Security Agency (CISA), in partnership with 21 other global agencies, have collaborated to develop guidelines for ensuring the security of Artificial Intelligence (AI) systems. The guidelines aim to ensure that AI systems are designed, developed, and deployed securely.

The recently established guidelines led by the UK mark a groundbreaking global agreement. They are designed to help developers working on AI systems make well-informed cyber security decisions at each development phase. The recommendations apply to systems built from the ground up and those constructed using existing tools and services. The focus is on integrating security into the development process and maintaining it throughout, following a ‘security by design’ approach.

Hacked British Library Data Available on the Dark Web

After suffering a ransomware attack on the 31st of October, the British Library has now disclosed that user information, including staff HR data, was exfiltrated and leaked online. The Rhysida ransomware gang is believed to be behind the attack and reportedly requested 20 Bitcoin as a ransom, valued at around £590,000.  

The library announced on X: “Following last week’s confirmation that this was a ransomware attack, we now have evidence that indicates the attackers might have copied some user data, and additional data appears to have been published on the dark web.

We will continue to work with cybersecurity specialists to examine what this material is and we will be contacting our users to advise them of the practical steps they may need to take.”

The British Library is understood to have informed the Information Commissioner’s Office (ICO) and is working with the National Cyber Security Centre and law enforcement. 

Law Firms Impacted by Attack Against IT Provider CTS

IT provider CTS announced last week that its systems had been impacted by a ‘cyber-incident’. CTS is a UK-based managed services provider that primarily supports legal sector organisations. It is estimated that around 80 conveyancing firms in the UK have been impacted by the incident, which is understood to be linked to the Citrix Bleed vulnerability mentioned previously in this article.

As of the 30th of November, CTS advised that it was in the third of four phases of its restoration efforts.

This Month’s Other Vulnerabilities

Microsoft Patch Tuesday

Microsoft’s Patch Tuesday updates addressed over 58 vulnerabilities this month, including five zero-day flaws. You can read more about Patch Tuesday in CrowdStrike’s blog article.

Adobe

This month, Adobe announced 16 bulletins detailing patches for 76 CVEs across multiple products, including Acrobat, Reader and ColdFusion.

That wraps up 2023’s penultimate Security Roundup!

Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Tel: 0333 370 1353