Lessons From The Comcast Data Breach


Comcast recently disclosed a data breach affecting almost 36 million customers. This attack happened due to a missing patch in critical infrastructure that attackers exploited. The hackers were able to exfiltrate massive amounts of data stored by Comcast. Personal data included usernames and password hashes, names, contact information, and personally identifying customer information.

Attack Path Leading To Data Theft

Xfinity, a subsidiary of Comcast, found evidence of a breach in mid-October, prompting an investigation in collaboration with the authorities. The investigation results indicated that initial access was likely gained through an exploit in a Citrix NetScaler portal, commonly referred to as Citrix Bleed. This vulnerability is caused by a buffer overflow that allows attackers to exfiltrate sensitive data. This sensitive data can include session data, potentially allowing attackers to hijack a user’s session and gain further access.

The breach was identified on Oct. 25, but it is believed that initial access occurred between Oct. 16 and Oct. 19. During this time, attackers could move through the network without detection and begin identifying user data. On Nov. 16, it was determined that attackers had been able to access sensitive customer data. Comcast advises all affected users to reset their passwords and do the same for any services that share a password with their Xfinity account.

Lessons From The Attack

Citrix Bleed (CVE-2023-4966) is an extremely dangerous vulnerability in Citrix systems. It affects Citrix NetScaler ADC and Gateway. A buffer overflow vulnerability allows attackers to leak out extremely sensitive data and potentially perform session hijacking attacks. If an attacker can hijack the session of a high-privilege user, like an administrator, they will be able to do whatever they want to the internal environment. Even compromising a low-privilege user can lead to the exploitation of internal vulnerabilities and the elevation of privilege.

The patch for Citrix Bleed was released on Oct. 10, around one week before the suspected initial access to Comcast’s systems. This may not seem like a long time, but attackers only need small windows to exploit such dangerous vulnerabilities. It can be difficult to manage many different software components and keep them all up to date, but the process must be a top focus when such severe exploits are identified.

Many tools are available that constantly monitor the internet, searching for certain components. The most common example of this is shodan.io. A search on Shodan for “Citrix” reveals over 40,000 results. Attackers using Shodan or similar tools can monitor the internet for vulnerable servers and attack them in narrow windows of time. This often becomes a race between the hackers and defenders to see how fast defenders can defend against the latest exploits.

It can be extremely difficult to stop attackers once they have initial access. Internal environments often have far fewer security measures than external ones and can be filled with vulnerabilities. These vulnerabilities can be used to move effortlessly through the network and start looking for sensitive information. Sensitive locations, such as critical databases, must be extremely hardened against attack and carefully monitored for anomalous activity.

Aside from automated monitoring of a network, manual review can also help uncover blind spots. Comcast states that they identified the breach during a routine review. If regular manual reviews were not performed, the breach may not have been revealed for far longer. Defenders should carefully monitor their environments and work to create detections based on likely attack paths. These paths can be identified by collaboration with red teams.
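The session hijacking risk described under Lessons From The Attack and the call for detections built around likely attack paths both point at the same control: watch for a gateway session identifier that suddenly arrives from a different client. The following is an added example written for this article, not Comcast’s, Citrix’s or Blue Goat’s code. It assumes a constructed, simplified access-log format (timestamp, session id, source IP, user agent, path) and a 30-minute window; real NetScaler logs differ and the parser would need adjusting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines for illustration only (not real Comcast or
# Citrix data). Assumed format:
#   <ISO timestamp> session=<id> src=<ip> ua="<agent>" path=<url>
# Session s-1001 is the suspicious one: three minutes after a normal browser
# request, the same session id is used from a new IP with a new user agent to
# reach an admin path, which is what a replayed (leaked) token looks like.
# Session s-3003 changes IP too, but six hours later, so it stays below the
# threshold and is treated as an ordinary roaming user.
SAMPLE_LOG = """\
2023-10-16T09:00:01Z session=s-1001 src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" path=/vpn/index.html
2023-10-16T09:02:14Z session=s-1001 src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" path=/cgi/login
2023-10-16T09:05:30Z session=s-1001 src=198.51.100.77 ua="curl/8.1.2" path=/admin/config
2023-10-16T09:06:00Z session=s-2002 src=192.0.2.5 ua="Mozilla/5.0 (X11; Linux)" path=/vpn/index.html
2023-10-16T09:40:00Z session=s-2002 src=192.0.2.5 ua="Mozilla/5.0 (X11; Linux)" path=/vpn/index.html
2023-10-16T15:00:00Z session=s-3003 src=203.0.113.20 ua="Mozilla/5.0 (Macintosh)" path=/vpn/index.html
2023-10-16T21:00:00Z session=s-3003 src=203.0.113.21 ua="Mozilla/5.0 (Macintosh)" path=/vpn/index.html
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip lines that
    do not match rather than failing the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_session_reuse(events, window=timedelta(minutes=30)):
    """Flag a session id whose source IP or user agent changes within `window`
    of its previous request. A stolen token replayed by a second client shows
    up as the same session id arriving from a new network or browser context.
    The window keeps slow, legitimate address changes (mobile roaming, DHCP)
    from alerting; tune it to the environment."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["session"])
        if prev is not None:
            changed = []
            if prev["src"] != ev["src"]:
                changed.append("src")
            if prev["ua"] != ev["ua"]:
                changed.append("ua")
            if changed and ev["ts"] - prev["ts"] <= window:
                alerts.append({
                    "session": ev["session"],
                    "changed": changed,
                    "old": (prev["src"], prev["ua"]),
                    "new": (ev["src"], ev["ua"]),
                    "path": ev["path"],
                    "ts": ev["ts"].isoformat(),
                })
        last_seen[ev["session"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"ALERT session={alert['session']} changed={alert['changed']} "
              f"{alert['old']} -> {alert['new']} path={alert['path']}")
```

On the constructed sample this raises exactly one alert, for s-1001, noting that both the source address and the user agent changed before the request to /admin/config. The detection is only as good as the ability to see session identifiers in the logs; a short window plus an alert on privileged paths is a reasonable starting point, with the window widened or narrowed after reviewing false positives from legitimate users.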

Security is not a one-step process, and a similar attack could still have occurred if only one of these problems had been remediated. It is important to apply defenses in different areas with different layers to stop attackers. Performing regular reviews of external and internal infrastructure through penetration testing and red teams helps harden networks against attack. Just as important is ensuring defensive teams understand what attackers are using and implementing preemptive fixes to stop them before attacks happen.

Meet Your Security Needs With Blue Goat Cyber

We can help you prevent cybercrime. Our team can perform various tests and exercises to gauge your organization’s security properly and work with you to fix weak points. Blue Goat’s testers have years of experience and are trained with the latest techniques and tools to give you a clear understanding of your security posture. Contact us to learn more.
