CitrixBleed: A Societal Cyber Pandemic

In recent years, the digital world has witnessed numerous large-scale cyber-attacks. However, the impact of CitrixBleed is a timely reminder that we are far from having experienced the worst of what’s to come. This is not just about people clicking on malicious links anymore – this is a societal cyber pandemic that is causing significant disruption on a global scale.

CitrixBleed – the vulnerability in Citrix NetScaler perimeter devices that enables threat actors to hijack sessions that have already been established, after authentication and multi-factor authentication (MFA) – has had far-reaching consequences across sectors and industries. Hospitals have had to shut down and redirect ambulances due to compromised systems, causing a severe strain on the healthcare system. The bond market was affected when the US arm of the Industrial and Commercial Bank of China (ICBC) was compromised, disrupting financial stability. Law firms were forced to halt transactions following the attack on IT service provider CTS; a similar attack occurred in Australia. In the United States, water treatment plants were disrupted, causing a public health scare. Finally, Fidelity Financial lost records on people’s financial positions, causing chaos for countless individuals. All of these attacks trace their root cause to the same Citrix exposure.

These attacks are not merely inconveniences. They have the potential to cripple societies, and we need to pay attention.

Another critical aspect of this cyber pandemic is the issue of supply chain management and relationships with third parties. With attacks like CitrixBleed and MOVEit, it is no longer just about what happens if you get compromised. What happens if your data is leaked by your suppliers, and they choose to do something different without consulting you? What if they pay the ransom? What if they are happy for your data to be published? What can you, and should you, be able to control?

And now, with the US Securities and Exchange Commission (SEC) giving attackers even more tools, as seen in a recent example where a threat actor denounced one of their victims to the SEC, the situation has become even more precarious.

This has moved beyond a “risk” conversation. It is now an existential and societal problem. Society cannot function if there is no trust in the availability of basic services like healthcare, the financial system, or the economy.

This societal cyber pandemic won’t be solved by point solutions like phishing training. We need to stop over-indexing on perverse metrics like “how many people clicked my last test”. There is zero evidence that phishing training has resulted in fewer incidents. While I’m not advocating for the abandonment of such training, it’s clear that it’s like an umbrella under the ocean – woefully insufficient for the scale of the problem.

In conclusion, we must address this cyber pandemic with the seriousness it warrants. It is time to move beyond the “what can happen if people click on links?” mindset and begin treating this as the existential and societal threat that it is. The survival of our basic services and, ultimately, our society, depends on it.