
Comcast Links Data Breach Impacting 36 Million Customers to Citrix Vulnerability

Comcast Cable Communications, the largest media and telecommunications conglomerate in the United States, disclosed a major data breach involving personal data belonging to 35,879,455 customers of its Xfinity services, including TV, Internet, and home phone. The breach was caused by attackers exploiting a vulnerability in Citrix NetScaler appliances known as Citrix Bleed.

The attackers stole usernames, hashed passwords, full names, contact information, date of birth, secret questions and answers, and the last four digits of Social Security numbers. Comcast confirmed the breach on November 16 and began notifying affected customers on December 6 via email, the Xfinity website, and the media. The company is continuing its data analysis and will provide further updates as needed.

The breach was traced back to unauthorized access to internal systems between October 16 and 19, resulting from the Citrix vulnerability. Comcast quickly patched the vulnerability following a security alert and patch issued by Cloud Software Group, which includes NetScaler and Citrix as business units.

The issue for Comcast and other affected organizations is that simply patching the vulnerability did not fully mitigate the risks raised by the defect. Google Cloud’s Mandiant incident response group discovered hackers had exploited the vulnerability since late August to hijack existing authenticated sessions, bypassing multi-factor authentication.

Mandiant advised organizations to not only apply the patch but also end all active sessions and review logs for signs of compromise. Cloud Software Group later issued updated mitigation guidance to invalidate previous sessions when installing the patch.
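Why the patch alone left the door open, as an added illustration that is not Comcast's, Citrix's or Mandiant's code: a server-side session table keeps working for any token that was already issued, so a session hijacked before the fix stays usable after it. The example below models the two mitigation steps from the guidance above in a generic way. A `not_valid_before` watermark is raised at patch time so every earlier session is rejected on next use (the invalidation step), and a small log check flags session IDs seen from more than one source address (one of the signs a log review looks for). The store design, the `not_valid_before` name and the log line format are assumptions made for this example; the log lines are constructed.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float  # server clock at issue time (constructed values below)


class SessionStore:
    """Server-side session table with a global 'not valid before' watermark.

    Assumed design for this example: the watermark, not the patch, is what
    kills sessions that were hijacked before the fix was applied.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self.not_valid_before = 0.0

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now)
        return token

    def validate(self, token: str):
        """Return the session's user, or None if unknown or issued before the watermark."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.created_at < self.not_valid_before:
            del self._sessions[token]  # purge lazily on first use after the cutoff
            return None
        return session.user

    def invalidate_all(self, now: float) -> int:
        """Raise the watermark so every session issued so far is dead; returns how many."""
        self.not_valid_before = now
        return sum(1 for s in self._sessions.values() if s.created_at < now)


def stolen_session_after_patch_only(login_time: float = 100.0):
    """Patch applied, sessions untouched: a pre-patch token still authenticates."""
    store = SessionStore()
    token = store.issue("alice", now=login_time)  # legitimate MFA-backed login
    # The appliance is patched after login_time, but nothing touched the table.
    return store.validate(token)  # "alice": the hijacked session keeps working


def stolen_session_after_patch_and_invalidate(login_time: float = 100.0,
                                              patch_time: float = 200.0):
    """Patch applied and all sessions invalidated: the same token is now useless."""
    store = SessionStore()
    token = store.issue("alice", now=login_time)
    store.invalidate_all(now=patch_time)
    return store.validate(token)  # None: user must log in (and pass MFA) again


# Constructed log lines in an assumed format; not real Comcast or NetScaler logs.
SAMPLE_LOG = [
    "2023-10-16T09:00:01Z session=s1 user=alice src=198.51.100.7 event=login mfa=ok",
    "2023-10-16T09:05:12Z session=s1 user=alice src=198.51.100.7 event=request",
    "2023-10-16T11:42:30Z session=s1 user=alice src=203.0.113.44 event=request",
    "2023-10-16T10:00:00Z session=s2 user=bob src=192.0.2.9 event=login mfa=ok",
    "2023-10-16T10:01:00Z session=s2 user=bob src=192.0.2.9 event=request",
]

LOG_LINE = re.compile(r"session=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")


def sessions_seen_from_multiple_sources(lines):
    """Map session id -> sorted source IPs for sessions used from more than one address.

    This is a triage signal, not proof of compromise (roaming users also move
    between addresses); each hit should be reviewed against login and MFA events.
    """
    sources: dict[str, set[str]] = {}
    for line in lines:
        match = LOG_LINE.search(line)
        if match is None:
            continue
        sources.setdefault(match["sid"], set()).add(match["src"])
    return {sid: sorted(ips) for sid, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    print("patch only      ->", stolen_session_after_patch_only())
    print("patch+invalidate->", stolen_session_after_patch_and_invalidate())
    print("multi-source    ->", sessions_seen_from_multiple_sources(SAMPLE_LOG))
```

The watermark approach is what makes the invalidation complete: it rejects any token created before the cutoff even if the token itself was never listed in the local table, which matters for session data replicated across nodes.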

Security researchers observed widespread exploitation of the Citrix Bleed flaw by attackers, including ransomware and nation-state hacking teams. The US Cybersecurity and Infrastructure Security Agency, the FBI, and the Australian Cyber Security Center published a joint advisory detailing threat indicators shared by aerospace giant Boeing, which was targeted by the LockBit ransomware group using a Citrix Bleed exploit.

The attacks are ongoing, with nearly 420 IP addresses being used to launch attacks attempting to exploit the Citrix vulnerability. The incident highlights the importance of not only patching vulnerabilities but also taking additional steps to secure systems and prevent unauthorized access to sensitive data.

Article Source
https://www.bankinfosecurity.com/comcast-ties-breach-affecting-36m-customers-to-citrix-bleed-a-23936
