Over 200,000 Loan Customers Impacted By Ransomware Gang Using Citrix Bleed Vulnerability

Ransomware Gang Using Citrix Bleed Vulnerability

A cyber breach exploiting the Citrix Bleed vulnerability has compromised the loan information of hundreds of thousands of individuals. Planet Home Lending suspects that the ransomware group LockBit is behind the attack.

According to ClassAction.org, the mortgage company headquartered in Connecticut is currently dealing with a potential class action lawsuit following the cyberattack in November 2023. During the breach, hackers were able to obtain access to extremely sensitive customer data. The 41-page legal complaint claims that Planet Home Lending neglected to establish fundamental cybersecurity measures to safeguard the confidential information under its supervision. It is alleged that this data was stored without proper security measures, remaining unsecured and unencrypted within the company’s network.

200,000 Customers Impacted

Planet Home Lending only recently notified customers, on Jan. 24, that their personal information was compromised in a security breach linked to the LockBit ransomware group. This is the company's second major breach within a few months: the initial incident occurred the previous summer, when the company disclosed its exposure to the MOVEit vulnerability.

CyberNews.com reports that over 200,000 customers were allegedly impacted in the latest security breach. The threat actors managed to acquire personal information such as names, addresses, Social Security numbers, loan numbers, and financial account numbers.

Planet Home’s correspondence indicated that the primary reason behind the event was the Citrix Bleed vulnerability that impacted software in NetScaler ADC and Gateway appliances from Citrix Systems – a screenshot of the customer correspondence can be seen below:

[Screenshot: Planet Home Lending customer correspondence describing the Citrix Bleed vulnerability]

Citrix Bleed Vulnerability Major Concern For Organizations

Attacks exploiting the Citrix Bleed vulnerability, tracked as CVE-2023-4966 and affecting Citrix NetScaler ADC and NetScaler Gateway appliances, have been carried out by both state-sponsored threat actors and cybercrime organizations. According to Cybersecurity Dive, over 300 entities have been notified about Citrix Bleed, which continues to affect numerous organizations.

The letter to customers stated that although the company “had implemented multiple layers of security tools designed to prevent this type of unauthorized access, the threat actor was able to exploit this Citrix Bleed vulnerability to bypass these protections.” Planet Home reported that the attack occurred on November 15th and that the company became aware of the breach the same day. Following the discovery, an external forensics firm was engaged to investigate the breach’s cause and impact. By November 28th, Planet Home was able to confirm that the threat actor had accessed a read-only data folder containing copies of loan files with personally identifiable information of some customers. The company informed the FBI about the incident and stated it would not pay any ransom to the threat actor, in line with the recommendations of the FBI and financial regulators.

Financial Institutions Are Prime Targets

Financial institutions are prime targets for cyberattacks due to the sensitive data they possess and the critical need for uninterrupted services. In the event of a major lender being compromised, its ability to conduct transactions and generate revenue is severely impacted, as seen in the case of Planet Home.

“Cyber attackers are naturally attracted to the finance industry due to the significant financial transactions and valuable personal data available for exploitation,” said Tim Royston-Webb, CEO, SentryBay. “Numerous financial firms are obligated to retain data for various legal, compliance, or regulatory purposes, leading to the accumulation of extensive customer information over time. This, in turn, makes them more susceptible to cyber threats. It is inevitable that cybercriminals will continue to target sectors with lucrative rewards, such as financial institutions.”

The Citrix Bleed vulnerability has proven to be a significant challenge to address, even for entities that have applied patches to their systems. Attackers exploit this vulnerability by using stolen credentials to circumvent multi-factor authentication, which allows them to move laterally within the network undetected and complicates both detection and eradication.

SentryBay Thwarts Attackers Exploiting Citrix Bleed Vulnerability

“SentryBay’s unique enforcement mechanism, part of the Armored Client, authenticates devices before a user attempts entry using the normal authentication methods – which thwarts attackers harnessing the Citrix Bleed vulnerability,” commented Jeremy Greenwood, Enterprise Global Sales Lead, SentryBay. “It also easily ensures that all personnel, even BYO and third-party contractors on unmanaged devices, can securely access corporate assets.”

“As we are now seeing, several ransomware groups, including LockBit, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments within the financial sector,” confirms SentryBay’s CEO Tim Royston-Webb. “SentryBay’s patented enforcement mechanism mitigates against token hijacking, nullifying Citrix NetScaler Bleed vulnerabilities. This ensures that sensitive customer information like loan information remains secure, even in the face of sophisticated cyber threats like the one reported by Planet Home Lending. SentryBay is ready to deliver protection to any financial organizations that need to shield sensitive data accessed via NetScaler.”
