A Managed Service Provider (MSP) that supplies hundreds of UK law firms with software has been the victim of a cyber attack which has left its customers unable to access their case files.

CTS is “urgently investigating” the cyber attack which struck on Wednesday (22nd November), apparently via the CitrixBleed vulnerability.

CTS has offices in Daresbury in Cheshire, Farringdon in London, and Whitby in New Zealand and, ironically, offers a cyber protection service for the legal profession.

A notice which was posted on the company website on Friday states that the company had suffered an IT outage caused by a cyber-incident and that the company was working with a leading global cyber forensics firm to help recover systems.

Widespread impact

The attack on CTS has the potential to impact thousands of homebuyers, because the law firms affected by the outage cannot complete the relevant processes to allow legal transfer of deed ownership.

Rob Hailstone, chief executive of Bold Legal Group, which runs a forum for 1,700 conveyancers, said the outage has the potential to affect thousands of home moves.

Mr Hailstone said: “Some firms that should be completing can’t, so notices to complete are being served. Some people could end up in hotels or elsewhere.”

Customers could make claims for losses as a result of breaches of contract, he added.

Approximately 40% of CTS’s 200 or so clients are understood to have been affected by the outage.

A director at one affected law firm said: “People found they couldn’t access the networks and the IT cloud where their account management systems were based. You’re effectively not able to work.”

While some firms have been entirely locked out of their email accounts, others have had enough access to be able to manually process exchanges and completions. “We have had staff working 12-hour days these last three days to process about 30 to 40 completions manually,” the director said.

Many home movers will be affected even if their own solicitor does not use CTS software because their buyer or seller’s solicitor may have been hit, or because the outage may have affected deals in their property chain.

CitrixBleed

CitrixBleed, which is tracked as CVE-2023-4966, is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances which gives threat actors the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions.

After acquiring access to valid cookies, threat actors can establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens.

Cookies are acquired by sending an HTTP GET request with a specially crafted HTTP Host header, leading to a vulnerable appliance returning system memory information. The information obtained can contain a valid NetScaler AAA session cookie.
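
A defender-side check for the session hijacking described above, as an added example that is not part of the original article: it flags sessions that later appear from a different client IP or user agent than the one that established them. The log layout, session identifiers and addresses are constructed for illustration and are not NetScaler's real log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (assumed layout, not real appliance output):
# timestamp, session_id (a hash of the session cookie, never the raw value),
# client_ip, user_agent
SAMPLE_LOG = """\
2023-11-20T09:01:12Z,sess-a1,198.51.100.10,Mozilla/5.0 (Windows NT 10.0)
2023-11-20T09:05:40Z,sess-a1,198.51.100.10,Mozilla/5.0 (Windows NT 10.0)
2023-11-20T09:07:03Z,sess-b2,198.51.100.22,Mozilla/5.0 (Macintosh)
2023-11-20T09:31:55Z,sess-a1,203.0.113.77,python-requests/2.31
2023-11-20T09:40:10Z,sess-b2,198.51.100.22,Mozilla/5.0 (Macintosh)
"""


def find_reused_sessions(log_text):
    """Return {session_id: [events]} for sessions whose client IP or user
    agent differs from the values recorded when the session first appeared."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: r[0])  # ISO 8601 UTC timestamps sort as text
    first_seen = {}
    findings = defaultdict(list)
    for ts, session_id, client_ip, user_agent in rows:
        origin_ip, origin_ua = first_seen.setdefault(
            session_id, (client_ip, user_agent))
        changed = []
        if client_ip != origin_ip:
            changed.append("client_ip")
        if user_agent != origin_ua:
            changed.append("user_agent")
        if changed:
            findings[session_id].append({
                "timestamp": ts,
                "client_ip": client_ip,
                "user_agent": user_agent,
                "changed": changed,
            })
    return dict(findings)


if __name__ == "__main__":
    for sid, events in find_reused_sessions(SAMPLE_LOG).items():
        for e in events:
            print(f"{e['timestamp']} {sid} reused from {e['client_ip']} "
                  f"({', '.join(e['changed'])} changed)")
```

Users who roam between networks mid-session will also trigger this check, so treat a hit as a lead to correlate with authentication records rather than as proof of compromise.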

Exploitation activity of this vulnerability has been identified as early as August 2023 – Citrix publicly disclosed CVE-2023-4966 on the 10th October within their Citrix Security Bulletin.

CitrixBleed has become a popular avenue of attack for LockBit affiliates, and whilst it is highly likely that the attack on CTS is yet another LockBit success, at the time of writing, no data relating to CTS is visible on the LockBit dark web site.