Comcast Ties Breach Affecting 36M Customers to Citrix BleedAttackers Apparently Stole Authenticated Sessions to Hit Telecommunications Giant
Just weeks shy of the year's end, America's largest telecommunications and media conglomerate has announced that it suffered one of the biggest known data breaches of 2023 due to a flaw dubbed Citrix Bleed.
See Also: 2023 Data Breach Investigations Report
Philadelphia-based Comcast Cable Communications, in a data breach notification filed with the attorney general in Maine, reported that attackers had breached its systems in October and stolen personal details pertaining to 35,879,455 customers of its Xfinity-branded TV, internet and home telephone services.
The number of breach victims is similar to the count of 32.3 million residential and business broadband customers that Comcast reported in a regulatory filing, meaning nearly all Xfinity customers appear to have been affected.
Comcast said in a press release that it had confirmed the breach on Nov. 16, identified the customers apparently affected by it on Dec. 6 and begun to notify them Monday via email - as well as Xfinity website and media notices - that attackers stole their usernames and hashed passwords. For some customers, stolen information also included their full name, contact details, birthdate, secret questions and answers, and the last four digits of their Social Security number. "Our data analysis is continuing, and we will provide additional notices as appropriate," Comcast said.
The company's investigation traced the breach to attackers exploiting a vulnerability in its Citrix hardware, tracked as CVE-2023-4966, aka Citrix Bleed.
"During a routine cybersecurity exercise on Oct. 25, Xfinity discovered suspicious activity and subsequently determined that between Oct. 16 and Oct. 19, there was unauthorized access to its internal systems that was concluded to be a result of this vulnerability," Comcast said.
On Oct. 10, Cloud Software Group, which counts NetScaler and Citrix as business units, issued a security alert and patch to address CVE-2023-4966 - as well as another vulnerability tracked as CVE-2023-4967 - present in all self-managed NetScaler Application Delivery Controller and Gateway devices, formerly known as Citrix ADC and Citrix Gateway. "Xfinity promptly patched and mitigated the Citrix vulnerability within its systems," Comcast said.
The problem for Comcast and many other organizations is that unbeknownst to them, simply patching the vulnerability didn't fully mitigate all risks posed by the flaw.
Google Cloud's Mandiant incident response group on Oct. 17 first warned that it had retroactively discovered hackers had begun to target the then-zero-day vulnerability in late August "to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements," and that installing the patch didn't invalidate those previous sessions.
"We have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor," Mandiant warned. "The most critical thing is that organizations need to do more than just apply the patch - they should also terminate all active sessions," said Charles Carmakal, Mandiant Consulting CTO.
On Oct. 23, Cloud Software Group issued updated mitigation guidance, including a warning to all users to invalidate previous sessions when installing the patch, as well as to review logs for signs of compromise.
Shortly thereafter, security researchers warned they were seeing mass exploits of the Citrix Bleed flaw by attackers, including the use of stolen sessions by ransomware-wielding attackers and nation-state hacking teams, among others.
In late November, the U.S. Cybersecurity and Infrastructure Security Agency, FBI and Australian Cyber Security Center released a multi-agency advisory detailing indicators of compromise shared by aerospace giant Boeing. Members of the ransomware group LockBit in late October claimed to have breached Boeing's parts and distribution business. Investigators traced that attack to an exploit of Citrix Bleed.
Such attacks continue. Threat intelligence service GreyNoise, which uses honeypots to monitor for malicious activity, on Wednesday reported tracking nearly 420 IP addresses being used to launch attacks that attempt to exploit CVE-2023-4966.