Hackers steal data from millions of Xfinity customers via Citrix Bleed vulnerability

Comcast’s residential cable unit, Xfinity, has been hit by a cybersecurity breach in which hackers exploiting a critical vulnerability dubbed Citrix Bleed accessed the confidential information of nearly 36 million customers.

The vulnerability is embedded in certain Citrix networking devices that are widely used across major corporations. Citrix responded with patches in early October, but the delay in implementation by many companies left them vulnerable.

“Citrix Bleed is dangerous because it allows malicious users to access sensitive data coupled with the fact that it affects commonly used Citrix devices in large organizations,” said Josh Amishav, the CEO of cybersecurity firm Breachsense. “This means that the vulnerability can be exploited en masse, leading to significant data breaches.”

Hackers used Citrix Bleed to get into Xfinity systems for a few days in mid-October, according to a notice put out by Comcast Monday. The company didn’t realize what happened until about a week later. In November, its investigation showed that hackers probably got some customer information. Then, in December, they discovered this included customer usernames and passwords. These passwords were scrambled for protection, but there’s still a chance they could be unscrambled.

The company also said that for some customers, the hackers might have gotten more personal details like names, contact info, birth dates, parts of Social Security numbers, and the answers to secret security questions.

NetScaler vulnerabilities

Citrix previously told NetScaler ADC and NetScaler Gateway customers to install updated networking product versions to prevent exploitation of vulnerabilities. The NetScaler ADC (Application Delivery Controller) and NetScaler Gateway, developed by Citrix, are tools designed to improve network applications and services’ performance, security, and availability. On October 10, Citrix revealed vulnerabilities in these products, identified as CVE-2023-4966 and CVE-2023-4967, described as “unauthenticated buffer-related” issues.

CVE-2023-4966, a high-severity vulnerability related to critical information disclosure, received a CVSS score of 9.4, indicating its serious nature. AssetNote, a cybersecurity firm known for detecting and handling security risks in web applications and digital assets, released a proof of concept (POC) exploit for this vulnerability, Citrix Bleed, on GitHub.

The vulnerability was particularly effective because it was previously exploited to deploy LockBit 3.0 ransomware, said Neil Jones, the director of Cybersecurity Evangelism at Egnyte.

“Combining the wide deployment footprint of NetScaler with the potential for ransomware attack represents a perfect storm from a cyber-infection standpoint,” he added.

Citrix has suggested that users update their devices to fix security problems. The company also pointed out that version 12.1 of these products is no longer supported. So, Citrix is recommending that customers switch to newer versions that don’t have these security issues.

Citrix is a popular tool for remote desktop sessions or application delivery. Some businesses have left their Citrix Metaframe servers exposed to the internet as a cheap fix for remote access, noted Andrew Barratt, vice president of the cybersecurity firm Coalfire.

“Over time, Citrix has upped its technology stack, and Netscaler is a defense product but crucially still sits right at the edge of the perimeter, meaning that where it’s deployed, it’s probably exposed directly to the internet,” he added. “However, unlike the Metaframe servers of old — this is exactly where it’s meant to be, making it a big target for intruders.”

Protecting against Citrix Bleed

Vulnerabilities similar to Citrix Bleed occur reasonably often, but the real problem arises when patches are released and not applied promptly, leaving systems vulnerable for longer than necessary, Amishav said. To safeguard against such vulnerabilities, it’s essential for both individuals and businesses to regularly update and patch software and systems, he added. Monitoring networks for any unusual activity can help detect breaches early. Implementing robust, multifactor authentication methods adds an extra layer of security.

Educating employees on cybersecurity best practices is also vital, Amishav said. Using secure passwords, preferably generated and stored in a password safe, enhances security. Additionally, continuously checking the dark web for any leaked company data or credentials can provide early warnings of potential breaches.

“Xfinity’s users should continue to monitor the situation closely and consider changing their usernames and passwords as soon as possible,” Jones said. “With the higher likelihood of cyberattacks around the holiday season, it’s also a good idea for users to change their Xfinity Wi-Fi passwords, particularly if passwords haven’t been changed recently.”

Comcast did not detail the number of users affected by the breach, but a data breach notification to the Maine attorney general, first reported by TechCrunch, said that 35,879,455 customers were affected.