CISA's recent in-depth case study of the late-2023 LockBit 3.0 ransomware attack on Boeing brings to light a critical yet often overlooked aspect of cybersecurity: security software is itself part of the attack surface. It is a stark reminder that tools intended to safeguard infrastructure can become the weakest point of that infrastructure if they are left out of attack surface management. As the old saying goes: "the lamp does not shine on its own base".
Boeing Hack Timeline: A Quick Overview
August 2023: Earliest signs of in-the-wild exploitation of the Citrix flaw.
October 10, 2023: Citrix publicly discloses CVE-2023-4966 and releases fixed builds.
October 27, 2023: LockBit threatens to release Boeing's sensitive data unless contacted by November 2.
November 10, 2023: LockBit publishes 21.6 GiB of Boeing's data.
Initial Attack Vector: CVE-2023-4966
CVE-2023-4966, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances (since nicknamed "Citrix Bleed"), is a stark example of how an attacker can sidestep multi-factor authentication (MFA) rather than defeat it. The flaw is a buffer over-read, not a memory leak in the resource sense: a specially crafted HTTP GET request with an oversized Host header causes the appliance to copy adjacent process memory into its response. That memory can contain the valid session cookies of users who are currently authenticated. An attacker who captures such a cookie simply replays it to the appliance and is treated as the already-authenticated user, with no username, password or MFA token required, because those checks were completed when the victim logged in. Patching alone does not close the hole: sessions leaked before the update remain valid until they are terminated, which is why Citrix and CISA advised killing all active and persistent sessions after upgrading.
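Because the attack leaves the appliance's own authentication untouched, the practical hunt is for the two things the description above implies: a session token being presented from more than one source IP (the stolen cookie being replayed), and GET requests to the OpenID configuration endpoint carrying an oversized Host header. The script below is an added example, not code from the original post or from C2SEC; the log format, sample records, IP addresses, session values and the 1024-byte Host-header threshold are all constructed assumptions for illustration, and a real NetScaler ns.log or HTTP access log would need its own parser.

```python
"""Hunt for CVE-2023-4966 (Citrix Bleed) follow-on activity in access logs.

Two signals are checked:
  1. A session cookie presented from more than one source IP inside a time
     window (a leaked cookie being replayed by an attacker).
  2. GET requests to the OpenID configuration endpoint with an oversized
     Host header, the request shape that triggers the over-read.

Log format, sample records and thresholds below are constructed for this
example; they are not real NetScaler or Boeing data.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_THRESHOLD = 1024  # assumption: a legitimate Host header is tens of bytes, not thousands

# Constructed sample log lines (simplified: ts src_ip method path host_len=N session=<cookie|->).
SAMPLE_LOGS = """\
2023-10-05T09:00:01Z 203.0.113.7 GET /oauth/idp/.well-known/openid-configuration host_len=24812 session=-
2023-10-05T09:00:02Z 203.0.113.7 GET /oauth/idp/.well-known/openid-configuration host_len=24812 session=-
2023-10-05T09:14:10Z 198.51.100.23 GET /vpn/index.html host_len=19 session=AAAC0001
2023-10-05T09:15:03Z 198.51.100.23 GET /logon/LogonPoint/tmindex.html host_len=19 session=AAAC0001
2023-10-05T09:21:44Z 203.0.113.7 GET /logon/LogonPoint/tmindex.html host_len=19 session=AAAC0001
2023-10-05T09:22:00Z 192.0.2.55 GET /vpn/index.html host_len=19 session=AAAC0002
2023-10-05T09:30:00Z 192.0.2.55 GET /cgi/selfauth host_len=19 session=AAAC0002
"""


@dataclass
class Request:
    ts: datetime
    src_ip: str
    method: str
    path: str
    host_len: int          # length of the Host header in bytes
    session: str | None    # session cookie value, None when absent


def parse_line(line: str) -> Request:
    """Parse one line of the constructed log format into a Request."""
    ts, ip, method, path, host_field, sess_field = line.split()
    sess = sess_field.split("=", 1)[1]
    return Request(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        src_ip=ip,
        method=method,
        path=path,
        host_len=int(host_field.split("=", 1)[1]),
        session=None if sess == "-" else sess,
    )


def token_id(token: str) -> str:
    """Stable identifier for a session cookie; the raw value never goes into a report."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def find_overread_probes(reqs: list[Request], threshold: int = HOST_LEN_THRESHOLD) -> list[tuple[str, int]]:
    """Return (src_ip, host_len) for GETs to the OpenID endpoint whose Host header is oversized."""
    return [
        (r.src_ip, r.host_len)
        for r in reqs
        if r.method == "GET" and r.path == OPENID_PATH and r.host_len >= threshold
    ]


def find_replayed_sessions(reqs: list[Request], window: timedelta = timedelta(hours=1)) -> dict[str, list[str]]:
    """Map hashed session token -> sorted distinct source IPs that used it within `window`
    of its first sighting. Only tokens seen from more than one IP are returned."""
    first_seen: dict[str, datetime] = {}
    ips: dict[str, set[str]] = defaultdict(set)
    for r in sorted(reqs, key=lambda x: x.ts):
        if r.session is None:
            continue
        first_seen.setdefault(r.session, r.ts)
        if r.ts - first_seen[r.session] <= window:
            ips[r.session].add(r.src_ip)
    return {token_id(t): sorted(s) for t, s in ips.items() if len(s) > 1}


def hunt(log_text: str) -> dict[str, object]:
    """Run both checks over raw log text and return the findings."""
    reqs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "overread_probes": find_overread_probes(reqs),
        "replayed_sessions": find_replayed_sessions(reqs),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOGS).items():
        print(name, finding)
```

In the sample data, 203.0.113.7 first hammers the OpenID endpoint with a 24 KiB Host header and minutes later shows up using the session cookie that 198.51.100.23 had established, which is exactly the replay pattern the vulnerability enables. Two caveats for real use: users on mobile or corporate NAT do change addresses, so correlate by ASN or geography before escalating, and the session cookie is usually only visible in the appliance's own session logs rather than a generic web access log, so the parser has to be adapted to whatever the appliance actually records.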
The Broader Picture: This incident underscores the importance of keeping security software inside the scope of attack surface management, particularly in zero-day or N-day situations. As detailed in our blog post, "Security Software is Still Software", these products, though vital, are prone to serious vulnerabilities and exploitation because of their complexity, their direct exposure to the internet, and the high privileges they typically hold.
In fact, CISA's 2022 Top Routinely Exploited Vulnerabilities report lists the 12 most exploited vulnerabilities of that year, and four of them are in security products, including:
CVE-2018-13379. Fortinet FortiOS SSL VPN (path traversal that exposes session files),
CVE-2022-1388. F5 BIG-IP (iControl REST authentication bypass).
While CISA has yet to release its 2023 Top Routinely Exploited Vulnerabilities list, the trend continues. For instance, Juniper recently addressed multiple vulnerabilities in Juniper Secure Analytics that could allow a cyber threat actor to take control of an affected system.
A Call to Action: The Boeing ransomware attack carries a hard lesson: the very tools we rely on for protection can become gateways for attackers if they are not managed and secured like any other exposed system. This underlines the importance of comprehensive attack surface management, including during zero-day and N-day response.
C2SEC's Extended Security Posture Management (XSPM) platform is built to help in exactly these scenarios. We have developed specialized hotThreat modules for intrusive testing when the risk of a particular CVE being exploited becomes imminent. These modules are integrated with our asset discovery and management capabilities, so that every exposed system, with a special focus on security software, stays under continuous management during critical 0-day and N-day response periods. This gives security teams the tools and insight they need to identify and mitigate vulnerabilities in time, strengthening the overall security posture in these high-stakes situations.