UK MSP affected by “Citrix Bleed” Vulnerability

Last month United Kingdom based Managed Service Provider CTS announced it was investigating a cyber incident affecting hundreds of its clients. The outage is believed to have been caused by the “CitrixBleed” vulnerability. Citrix released security updates to address the vulnerability on October 10. CISA added the vulnerability to its Known Exploits Catalog (KEV) on October 18, now known as CVE-2023-4966. The vulnerability allowed threat actors to hijack authenticated sessions bypassing MFA. Once in, the hacker can harvest other credentials, escalate privileges, move laterally, and exfiltrate data. Security vendor Mandiant has published guidance on handling the patching and subsequent actions required to eradicate the bug and any malicious activity. This included the termination of any persistent sessions after patching as simply patching does not kill those sessions.

CitrixBleed has also led to the disruption of 60 Credit Unions as a result of a breach at cloud services provider ironically named Ongoing Operations. This month the American Hospital Association and the Health Sector Cybersecurity Coordination Center have also issued alerts to the healthcare industry to update their systems against the vulnerability.

This incident underscores the urgency in which all organizations, especially MSPs, must place on system updates and mitigation procedures. Threat actors are exploiting vulnerabilities as soon as they become known. Any delays in the application of system updates and the proper eradication procedures puts your clients at risk.

Solarwinds Fires Back at SEC over Lawsuit

Last month we reported that the SEC has filed suit against the, not only the SolarWinds corporation, but the former CISO of SolarWinds individually. In the lawsuit the SEC claims that SolarWinds misled investors regarding the security measures they had put in place. You can read the entire filing here.

In November, SolarWinds responded to the lawsuit with a strong rebuttal. SolarWinds claims the SEC’s case is fundamentally flawed, both legally and factually. They accuse the SEC of twisting facts, taking snippets of documents and conversations out of context, and misrepresenting their claims regarding adherence to NIST standards. SolarWinds denies hiding information about its cybersecurity risks, stating that despite the company’s security controls, it was still subject to risk of a breach. The statement suggests that the information the SEC is demanding companies disclose regarding vulnerabilities simply provides a roadmap for hackers. In fact, previous guidance from the SEC advised companies NOT provide such details.

This case will undoubtedly impact the ways companies and even individual officers handle the disclosure of cybersecurity information in the future. Will it discourage CISOs from evaluating and discussing risks internally? Does punishing the victim place emphasis on the right issue? As the case unfolds we will find out more about the direction of the government’s stance and role in forcing compliance.

Okta Reveals Data of All Customers Exposed

Identity management firm Okta announced it suffered a breach that exposed the pieces of data from all of its customers. This, despite the fact that it had previously claimed the breach only affected a small fraction of their client base.

In its initial report, Okta said the breach, which affected its support management system, allowed hackers to abscond with customer uploaded HAR files which may contain customer cookies and session tokens. At the time it was believed the hack only affected a small subset of their customers. However, they said it later discovered that a report had been downloaded that revealed the full names and email addresses of all of their customers. In some cases additional information such as phone numbers, usernames, and roles was exfiltrated. The firm says there is no evidence the data is being actively exploited but the chance exists. Okta is now urging all customers to enable multi-factor authentication or physical security keys.

As with other recent high profile hacks, this was the result of a social engineering exercise to gain access to the their customer support system. It is interesting to note that both of the recent attacks on MGM Resorts and Caesar’s Entertainment involved exploits of the Okta agent used by the resorts. Since the threat actor behind the Okta attack has not yet been identified, the three attacks cannot be seen as connected.

It is not surprising that identity management companies such as LastPass and Okta are being targeted. However, these events underscore the fact that any company is vulnerable.

Featured Recorded Event

OTX Partners and MSP Sales Revolution Presents

Cybersecurity Sales for MSPs