Jan 2, 2024 - Technology

The security flaw haunting cyber defenders in 2024

Illustration: Sarah Grillo/Axios

Companies are starting 2024 grappling with the fallout from a security vulnerability they've known about for months.

Driving the news: Xfinity said last month that hackers had exploited a high-severity vulnerability in network hardware developed by Citrix, resulting in the theft of 36 million customers' sensitive information.

  • The discovery came roughly two months after Xfinity had patched the flaw in its system.

Why it matters: Researchers believe hackers have been exploiting the vulnerability, known as Citrix Bleed, since at least August, and Citrix didn't find the flaw and issue a patch until October.

  • Now, companies like Xfinity are investigating what sensitive information hackers made off with during those months.

Catch up quick: Ransomware gangs have reportedly used Citrix Bleed to target some of the biggest corporations in recent months, including Boeing, the Industrial and Commercial Bank of China, and more than 60 credit unions.

  • The Citrix Bleed vulnerability affects Citrix's NetScaler Gateway appliances and NetScaler application delivery controllers — popular enterprise tools that allow employees to remotely access a variety of workplace applications.
  • The flaw can give hackers rare access to employees' passwords and session tokens that allow them to bypass multifactor authentication tools.
  • U.S. cyber officials have warned that both nation-state and criminal groups are now targeting Citrix Bleed.

Yes, but: The number of vulnerable systems has significantly decreased in the last two months, suggesting companies are actually taking the steps needed to resolve the flaw.

  • As of Dec. 31, roughly 1,300 vulnerable instances of the Citrix product were still online — compared to around 4,600 on Oct. 31, per data from security organization Shadowserver.

What they're saying: "We're going to continue to see data exfiltration news where data was stolen," Chris Henderson, senior director of threat operations at security platform Huntress, told Axios.

  • "For people who are now patched, the risk of ransomware hasn't passed, but we would've heard of most of them already," he added.

The big picture: It often takes months for companies to figure out the true scope of a cyber intrusion.

  • Expect to see more organizations issuing notices in the coming months detailing just how much access Citrix Bleed had given intruders to their networks.

Between the lines: Patching Citrix Bleed is also a bit tricky since it requires companies to implement a separate set of mitigations to kick out any lingering intruders, Henderson said.

  • Some organizations were also slow to patch the vulnerability in their systems after Citrix announced it, he added, leaving those companies open to attacks from hacking groups that quickly figured out how to target them.

Zoom out: Citrix Bleed is just the latest in a long string of critical vulnerabilities that have plagued companies in the last year — following similar flaws in a popular file-transfer tool, a network monitoring tool and more.

  • Researchers and companies uncovered 96 zero-day vulnerabilities in 2023, according to data from Trend Micro's Zero Day Initiative.

Be smart: Citrix Bleed is a reminder that company security teams need to weigh the privacy costs of a data breach over compliance and disruptions to business operations.

  • When a critical security flaw is discovered, some companies might be tempted to wait a few days to patch it so they don't disrupt any critical business operations, Henderson said.
  • "It's probably cheaper for them to go pay for that identity protection on everybody than to take outages," Henderson said. "Really considering the knock-on effects of the individuals impacted beyond just the hit to revenue and profitability — it needs to start being a tighter consideration for these [events.]"