CISA says hackers are exploiting a new file transfer bug in Citrix ShareFile

Hackers are exploiting a newly discovered vulnerability in yet another enterprise file transfer software, the U.S. government’s cybersecurity agency has warned.

CISA on Wednesday added a vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalog. The agency warned that the flaw poses “significant risks to the federal enterprise,” and mandated that federal civilian executive branch agencies — CISA included — apply vendor patches by September 6.

Citrix first released a warning about the vulnerability back in June. The flaw, which was given a vulnerability severity rating of 9.8 out of 10, is described as an improper access control bug that could allow an unauthenticated attacker to remotely compromise customer-managed Citrix ShareFile storage zones controllers, no passwords needed.

While Citrix ShareFile is predominantly a cloud-based file-transfer tool, it also provides a “storage zones controller” tool that enables organizations to store files on-premise or with supported cloud platforms, such as Amazon S3 and Windows Azure.

According to Dylan Pindur of Assetnote, who first discovered the vulnerability and warned that it stems from small errors in ShareFile’s implementation of AES encryption, as many as 6,000 organizations had publicly exposed instances as of July.

“A search online shows roughly 1,000-6,000 instances are internet accessible,” said Pindur. “This popularity, combined with the software being used to store sensitive data, meant if we found anything it could have quite an impact.”

Threat intelligence startup GreyNoise said it observed a “significant spike” in attacker activity after CISA published its warning about the ShareFile vulnerability.

The identity of the hackers behind the observed in-the-wild attacks is not yet known.

Corporate file-transfer software has become a popular target for hackers as these systems often store huge batches of highly sensitive data.

The Russia-linked Clop ransomware gang alone has claimed responsibility for targeting at least three corporate tools, including Accellion‘s MTA, Fortra’s GoAnywhere MFT, and — most recently — Progress’ MOVEit Transfer.

According to the latest data from cybersecurity company Emsisoft, the ongoing MOVEit mass-attacks have so far claimed 668 victim organizations, affecting more than 46 million individuals. Just this week, it was revealed that more than four million Americans had their sensitive medical and health information stolen after IBM fell victim to the MOVEit hackers.

Source link