A critical flaw in software from Citrix Systems Inc., a company that pioneered remote access so people can work anywhere, has been exploited by government-backed hackers and criminal groups, according to a U.S. cyber official.

The flaw, dubbed Citrix Bleed, was abused by hackers in secret for weeks before it was found and a fix was issued last month, according to Citrix online posts and cybersecurity researchers. Since then, researchers say hackers have accelerated their exploitation of the bug, targeting some of the thousands of customers that haven’t applied a patch.

“We are aware that a wide variety of malicious actors, including both nation state and criminal groups, are focused on leveraging the Citrix Bleed vulnerability,” Eric Goldstein, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, known as CISA, told Bloomberg News.

CISA is providing assistance to victims, said Goldstein, who declined to identify them. Adversaries could exploit the vulnerability to steal sensitive information and attempt to gain broader network access, he said.

Citrix didn’t respond to messages seeking comment.

Among the criminal groups exploiting the Citrix Bleed bug is one of the world’s most notorious hacking gangs, LockBit, according to a global banking security consortium, the FS-ISAC, which on Tuesday issued a security bulletin about the risk to financial institutions.

The US Treasury has also said it’s investigating whether Citrix vulnerabilities are responsible for the recent debilitating ransom hack against the Industrial & Commercial Bank of China Ltd., according to a person familiar with the matter. The breach rendered the world’s largest bank unable to clear swaths of US Treasury trades. ICBC didn’t respond to a request for comment.

LockBit claimed credit for the ICBC hack, and a representative for the gang said the bank paid a ransom, though Bloomberg wasn’t able to independently confirm the claim. The Wall Street Journal previously reported the U.S. Treasury note.

Citrix announced it had discovered the Citrix Bleed bug on Oct. 10 and issued a patch. The company said that at the time, there was no sign anyone had exploited the vulnerability.

Since then, however, multiple Citrix customers have discovered that they were breached before the patch was issued, according to a Citrix post and cybersecurity researchers. One early victim was a European government, according to a person familiar with the matter, who declined to name the country.

...continued

©2023 Bloomberg L.P. Visit bloomberg.com. Distributed by Tribune Content Agency, LLC.