Teens with “digital bazookas” are winning the ransomware war, researcher laments

What do Boeing, an Australian shipping company, the world’s largest bank, and one of the world’s biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.

 

Besides the US jetliner manufacturer, the victims include DP World, the Australian branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and Allen & Overy, a multinational law firm, according to Kevin Beaumont, an independent security researcher with one of the most comprehensive views of the cybersecurity landscape. All four companies have confirmed succumbing to security incidents in recent days, and China’s ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.

 

Citing data allowing the tracking of ransomware operators and people familiar with the breaches, Beaumont said the four companies are among 10 victims he’s aware of currently being extorted by LockBit, among the world’s most prolific and damaging ransomware crime syndicates. All four of the companies, Beaumont said, were users of a networking product known as Citrix Netscaler and hadn’t patched against a critical vulnerability despite a patch being available since October 10.

 

Dubbed CitrixBleed and carrying a severity rating of 9.4 out of a possible 10, the easy-to-exploit vulnerability exposes session tokens that allow the bypassing of all multifactor authentication controls inside a vulnerable network. Attackers are left with the equivalent of a point-and-click desktop PC within the impacted victim’s internal network, where they’re then free to roam.

 

Beaumont wrote:

 

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

 

Focusing on cybersecurity fundamentals for enterprise scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

 

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

 

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose.

 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont cited query results returned by the Shodan search service that indicated all four of the organizations had not patched CitrixBleed at the time they were hacked. The vulnerability is tracked as CVE-2023-4966.

 

The researcher also took Citrix to task for logging capabilities in Netscaler that he said made it next to impossible for users to know if they had been hacked. As a result, some people who patched CitrixBleed may not have known LockBit was already inside their networks.

 

Boeing declined to comment for this post. In a statement provided to journalists, the company said:

 

Elements of Boeing’s parts and distribution business recently experienced a cybersecurity incident. We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems. We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate. We remain confident this incident poses no threat to aircraft or flight safety.

Emails sent to Citrix and Allen & Overy didn’t receive a response by the time this post went live on Ars. Attempts to reach DP World and ICBC for comment weren’t immediately successful.

 

After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don’t trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.

 

LockBit was first seen in September 2019 and quickly managed to hack thousands of organizations around the world, largely through an automated infection process. At the time, I noted, somewhat naively, that the wake of its destructive hacks would serve as a cautionary tale, but organizations didn’t seem to pay attention. Instead, by 2022, LockBit was declared “the most deployed ransomware variant across the world” and continued to be prolific in 2023.

As Beaumont noted on Monday, many of its victims are so hamstrung that they opt to pay the demanded ransoms to get their networks back to working order as quickly as possible. The payments set a vicious cycle that shows no signs of slowing.

 

“By LockBit earning hundreds of millions of dollars, they are able to purchase new exploits, tools, resources, and people to carry out attacks,” he wrote.

 

He continued:

 

How are schools, libraries and small business—the lifeblood of the global economy—with usually small IT budgets and nobody responsible for cybersecurity—supposed to compete with teenagers who have bigger attack budgets than their entire IT budget for a year (or in many cases, a decade)?

 

Governments need to aggressively pursue ransomware and stop payments. It is not a solved problem. Vendors need to make better secured products, or be forced into action by governments. We need to break this cycle, where civil society is suffering. Let’s get to work.

To be continued.