Threat actors are actively targeting a new bug in Citrix’s ShareFile MFT service that allows them to remotely take over vulnerable servers and possibly create supply chain attacks.
Since it’s dangerous, Citrix released a patch to secure the devices, and now CISA urges federal agencies to apply it immediately. The agency has given time until August 6th for the national units to ensure themselves, considering actively monitoring vulnerable ShareFile servers in the wild.
Active Scanning For Exploitation
Citrix ShareFile is one of the popular managed file transfer software used by organisations to share files through connected cloud storage services like AWS or Azure, between themselves and with customers. Since it’s a centrally connected network, any issues in the pipeline will create a supply chain attack similar to recent MOVEit attacks.
Well, such could happen soon if the ShareFile customers don’t patch a critical bug in its Storage zones controller that allows an unauthenticated attacker to take over the ShareFile servers remotely.
Initially discovered by AssetNote, the cybersecurity firm noted a few errors in ShareFile’s implementation of AES encryption, letting anyone upload a web shell to the vulnerable device and gaining full access to the storage and all its files.
The bug tracked as CVE-2023-24489 has since been patched after being informed to Citrix. Thus, CISA asks its federal agencies to fix any ShareFile servers they’re using before September 6th, 2023, while adding the same to its Known Exploited Vulnerabilities list.
GreyNoise, another cybersecurity firm, noted a significant uptick in exploitation attempts against vulnerable ShareFile servers after AssetNote released its technical writeup and CISA’s warning. Thus, it’s strongly advised to apply the patch update immediately.
If not, this bug in Citrix ShareFile can become another supply chain attack, similar to what we’ve seen with Accellion in 2021, SolarWinds, GoAnywhere in 2022 and MOVEit Transfer attacks this year.
Correction/Latest Update:
In an email to us, SVP of Product & Technology of ShareFile, David Le Strat, said the patch for CVE-2023-24489 was released a month before the security bulletin, giving customers enough time to patch and reducing the exploitation chances.
And this worked as intended, as over 83% of ShareFile customers have patched the bug by June 13th, says Strat. Also, the un-patched ShareFile Storage Zone Controllers(SZC) were blocked from connecting to the ShareFile cloud control plane, making them unusable, thus indirectly thwarting attacks.
Claiming that this incident affected less than 3% of their total customer base, Strait reiterates that no data theft based on this bug’s exploitation has been recorded till now.
Other Trending News:- News
