The U.S. government’s cybersecurity agency has issued a warning regarding a recently identified vulnerability in Citrix ShareFile software, indicating that hackers are actively exploiting it.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) included a newly found vulnerability, CVE-2023-24489, in Citrix ShareFile, within its roster of Known Exploited Vulnerabilities (KEV). CISA emphasized the significant risks this flaw presents to federal entities and directed all federal civilian executive branch agencies, including CISA itself, to apply patches provided by the software vendor before September 6.
Citrix had initially disclosed this vulnerability in June. With a severity rating of 9.8 out of 10, the flaw is categorized as an improper access control issue. It could enable an unauthenticated attacker to remotely compromise the Citrix ShareFile storage zones controllers of customer-managed instances, without the need for passwords.
Although Citrix ShareFile is primarily recognized as a cloud-centric file-transfer solution, it also offers a “storage zones controller” component, allowing organizations to store files either on-premises or on compatible cloud platforms like Amazon S3 and Windows Azure.
According to findings by Dylan Pindur from Assetnote, who was the first to uncover this vulnerability, there were as many as 6,000 publicly exposed instances as of July. Pindur pinpointed the root cause to slight oversights in ShareFile’s implementation of AES encryption. Given the high adoption of this software for storing sensitive data, this vulnerability has the potential for significant impact.
Threat intelligence startup GreyNoise noted a marked escalation in attacker activity following CISA’s alert about the ShareFile vulnerability. Nevertheless, the identities of the hackers responsible for these real-world attacks remain unknown.
Hackers have increasingly targeted corporate file-transfer software due to the substantial volumes of highly confidential data these systems manage. Notably, the Clop ransomware group, associated with Russia, has claimed responsibility for infiltrating several corporate tools. This list includes Accellion’s MTA, Fortra’s GoAnywhere MFT, and more recently, Progress’ MOVEit Transfer.
Emsisoft, a cybersecurity firm, recently reported that ongoing attacks involving MOVEit have resulted in 668 victim organizations and have impacted over 46 million individuals. Additionally, it was disclosed this week that the MOVEit hackers breached IBM, leading to the theft of sensitive medical and health information from over four million Americans.