CVSS: 9.4
In October 2023 we reported on an observation of a threat actor exploiting CVE-2023-4966, a vulnerability in Citrix NetScaler since dubbed CitrixBleed. Further information on that report can be found here.
This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.
We had previously stated that we expected this vulnerability to continue to be exploited, given the slow rate of patching, and that prediction appears to have been correct. In the last week, it has been reported that the managed service provider (MSP) CTS has suffered a significant cyberattack as a result of CitrixBleed.
CTS provides IT services for the UK legal sector. As a result of the attack, it is estimated that up to 200 UK firms and offices have been significantly impacted, resulting in a loss of access to systems and databases crucial for them to function. The incident was first noted on Wednesday (22nd November 2023) and continued into the weekend. This has had a significant impact on property buyers, with Fridays being the busiest days for purchase completions.
There is limited information available regarding the overall scope of the attack against CTS, but it has been suggested that ransomware was deployed; we will continue to monitor for confirmation of this. It is unknown whether any sensitive or confidential information has been impacted, but the incident has been reported to the ICO.
The targeting of an MSP at this time is significant. The UK Government decided not to include an update to the NIS Regulations in the most recent King’s Speech, meaning that these will likely not be considered until after the next general election in 2024. Updating these regulations would treat MSPs as critical infrastructure and encourage them to focus on and improve their own cybersecurity and defences in order to prevent supply chain attacks. In the foreword to the UK Government’s “Proposal for legislation to improve the UK’s cyber resilience”, Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure, described managed service providers as:
“an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,”
This is not the first such attack against an MSP in the UK. In August 2022, IT supplier Advanced was targeted with ransomware, which had a serious impact on the NHS’s ability to deliver care. In January 2023 the UK National Cyber Security Centre (NCSC) issued a warning regarding the use of MSPs, noting that use of their services increases an organisation’s attack surface. An MSP’s access to multiple clients makes it a “juicy target” for threat actors wanting to cause as much disruption as possible.