CISA Citrix Sharefile vulnerability

CISA Announces Citrix ShareFile Transfer Bug.

The U.S. government’s cybersecurity agency, CISA, recently highlighted a vulnerability being exploited in Citrix ShareFile, a widely used enterprise file transfer software. This bug allows malicious entities to attack from multiple vectors and steal sensitive data through an easily preventable exploit.

Assessing the Threat

This bug, designated CVE-2023-24489, has been deemed to pose “serious threats to federal systems.” In response, CISA has set a deadline of September 6, 2023 for all federal civilian executive branch agencies, including itself, to apply the necessary patches provided by the software vendor.

This warning from Citrix about the vulnerability isn’t new; the company had previously brought attention to the flaw in June. The bug, which received an uncommon yet critical vulnerability severity score of 9.8 on a scale of 10, is defined as an access control oversight. This oversight potentially allows unauthenticated attackers to compromise Citrix ShareFile storage zones controllers remotely, without requiring any passwords.

While Citrix ShareFile is primarily recognized as a cloud-based tool for file transfers, it also comes equipped with a “storage zones controller.” This tool offers organizations the capability to store files either in-house or on compatible cloud platforms like Amazon S3 and Windows Azure.

Dylan Pindur from Assetnote, the individual credited with identifying this vulnerability, traced its origin to slight mistakes in ShareFile’s implementation of AES encryption. Pindur’s analysis revealed that nearly 6,000 organizations had accidentally exposed themselves publicly by July. Because the software is popular and used to store sensitive data, any vulnerability in it poses a serious risk.

Follow-up Attacks

After CISA’s vulnerability announcement, threat intelligence firm GreyNoise witnessed a noticeable uptick in suspicious activities targeting the vulnerability. As of now, the identities of the culprits exploiting this vulnerability remain unknown.

In recent times, corporate file-transfer systems have been in the crosshairs of cybercriminals, given the significant amounts of sensitive data they often contain. The announcement, while made in good faith to assist organizations using the Citrix ShareFile services, potentially alerted malicious entities to a core weakness. This may be the cause behind the recent increase in suspicious activities.

In particular, the Clop ransomware group, believed to be based in Russia, has taken credit for attacking multiple corporate tools. These include Accellion’s MTA, Fortra’s GoAnywhere MFT, and more recently, the MOVEit Transfer by Progress.

Recent figures shared by cybersecurity firm Emsisoft paint a concerning picture. The attacks targeting MOVEit have currently impacted 668 organizations, with over 46 million individuals affected. Furthermore, earlier this week, a security breach involving MOVEit led to the theft of medical and health data of more than four million Americans, following a cyber-attack on IBM.

Asset Protection

Any organizations using Citrix ShareFile should have updated and applied all relevant vendor patches by September 6. Those that haven’t patched risk losing sensitive data to malicious attacks. This isn’t the first or the last vulnerability that businesses will encounter in cloud environments, but staying on top of patches and proactively monitoring for vulnerabilities will help prevent any unwanted visitors from stealing protected data.
