Lessons From the CTS CitrixBleed Attack


A massive cybersecurity crisis happened in November 2023 when CTS, a UK-managed service provider (MSP), was affected by the CitrixBleed bug.

The CitrixBleed bug is a buffer overflow vulnerability within Citrix NetScaler or ADC applications that allows attackers to access the network. It caused data encryption and service disruptions across the entire legal sector.

What Happened in the Incident?

Threat actors exploited CitrixBleed vulnerabilities in the Citrix NetScaler ADC and Gateway applications (formerly Citrix ADC and Citrix Gateway), which let them bypass multifactor authentication and password requirements.

After initial access, this widespread exploitation led to a ransomware attack where sensitive data was encrypted.

Other effects of the attack included: 

  • Operational disruption: Access to case files and legal documents is important for communicating efficiently. When this communication was blocked off, it disrupted the firm’s operations.
  • Reputational damage: Clients were concerned about sensitive information being compromised, leading to unfortunate reputational damage that might limit future opportunities.
  • Client confidentiality and trust: Encrypting sensitive data can lock out authorised users and halt legal proceedings, which can risk client confidentiality and trust.

Attackers established ongoing sessions within the network, which only complicated things when CTS tried to respond to the breach.

Identifying the Citrix Vulnerability

Citrix identified and released a patch for the critical vulnerability in early October 2023, providing a list of which versions of NetScalar ADC or Gateway were affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • 12.1-FIPS NetScaler ADC before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

But, that wasn’t enough to stop the cyber attackers.

They continued their attack process on the CTS systems a month later, suggesting a massive lapse in applying these security updates.

The delay in implementing the patch points toward a broader issue within IT management. Timely updates and rigorous security protocols are usually underappreciated until a serious breach occurs, such as this one. Businesses often act when it’s too late rather than taking the necessary precautions beforehand.

Immediate Effects on Critical Infrastructure

Up to 200 law firms found themselves in a tough spot, unable to access critical case files and client data. As you’d imagine, operations almost halted entirely and property transactions could not progress. House sales and purchases around the UK were also affected, which means the attack had an impact beyond CTS and the other law firms.

It really shows the effects that a single point of failure can have on the entire IT infrastructure. Relying solely on practices like multi-factor authentication might not be enough to protect your organisation from cyber-attacks.

Widespread Impact on the Legal Sector

The sector-wide paralysis caused by the CitrixBleed attack showed the interconnectedness of the legal sector in the UK.

Property transactions, court filings, and client communications were all impacted. This incident taught an important lesson on how big a role IT infrastructure plays in the legal sector. Not only did it impact immediate legal operations, but it had a lasting impact on the trust between law firms and their clients.

The CitrixBleed ransomware encryption also led to significant operational delays and compromised legitimate user sessions, preventing law firms from proceeding with cases or transactions.

Moreover, delays experienced by clients in time-sensitive matters like property conveyancing emphasised the legal sector’s vulnerability to cyberattacks.

Ransomware red key
Ransomware has significant financial implications.

Additionally, concerns were raised about the security of sensitive client information, which is a big component of the legal industry’s ethical obligations.

Not only does it pose a risk to individual privacy, but it also shows the foundational trust upon which the legal profession is built. Businesses must implement stringent data protection measures and consider cybersecurity essential to their client duties.

Financial and Reputational Consequences

The financial implications of the CitrixBleed attack for law firms were devastating. They ranged from immediate impacts to longer-term loss of business due to operational disruptions. However, perhaps more damaging was the reputational harm suffered by these firms.

Reputation is key in the legal industry.

Even a small amount of reputational damage can lead to serious long-term consequences and short-term financial losses. Failure to protect client data will have lasting effects on a firm’s ability to attract and retain clients—certainly a situation that you don’t want your business in.

Vulnerabilities and Challenges

Many law firms (especially smaller ones) heavily rely on external MSPs for their IT needs. Often, they don’t have a clear understanding of the cybersecurity practices in place. This reliance on third parties for critical IT services introduces significant risks, as we saw from the widespread vulnerability in the legal sector from the CitrixBleed attack.

It showed the challenges businesses face when managing cybersecurity risks and complying with strict data protection rules.

The legal sector’s unique confidentiality and data protection requirements make it difficult to implement effective cybersecurity solutions.

We’ll have a look at how your business can navigate these challenges to protect sensitive client information and maintain compliance with legal standards.

Strengthening Cybersecurity Defences

It’s important to reassess your cybersecurity strategies. Since cyberattacks are continuing to become more complex and difficult to deal with, you should also stay informed about new technologies emerging that can help your business combat evolving cyber threats.

Some examples of how your business can move toward a more secure future include:

  • Adopting multi-layered security strategies
  • Conducting regular security audits
  • Ensuring all staff are trained in cybersecurity best practices

Cybersecurity threats are always evolving, so it’s important to stay vigilant and promptly respond to potential breaches. Continuous monitoring helps identify suspicious activities early, while comprehensive training ensures all staff members are aware of the latest cybersecurity threats and best practices.

We’ve seen the dangers of failing to identify any evidence of compromise quickly, so it’s important to monitor your systems closely.

In addition, a strategic approach to patch management and regular vulnerability assessments are important. These let you identify and address any security gaps before they can be exploited. Modern cloud-based vulnerability management platforms are another way to protect your business from cyberattacks.

You should also consider developing comprehensive business continuity plans that include cybersecurity threats as a core consideration.

Cybersecurity Solutions

Now that we know the dangers of the CitrixBleed attack, we’ll have a look at what your business could do to avoid being in the situation that CTS was in.

We believe the integration of LEAP Legal Software, Microsoft 365 Premium, Mimecast M3RA, and Datto SaaS Protection is the best solution to protect your business.

Here are a few reasons why we think that:

  • Easy to use: Technology and cyberattacks are becoming more advanced, and dealing with the increasing complexities of new tech is probably the last thing you want. This solution lets your business easily access emails, documents, and other important information from any device with internet access.
  • Cost-effective: Since this solution is subscription-based, you won’t need to worry about expensive infrastructure investments. You’ll be able to have a scalable and affordable backup for your Microsoft 365 data in case there’s a cyberattack or your data gets corrupted.
  • Security: Each of the software solutions has security features that will help you protect client information and comply with regulations. We mentioned the importance of protecting client information in the legal industry earlier.
  • Integration: All four of the software solutions easily integrate with each other, boosting productivity in your business. Microsoft 365 apps like Outlook and Teams work with LEAP Legal Software. Mimecast M3RA boosts email security to protect your business from phishing and data loss. If that wasn’t enough, Datto SaaS Protection provides backup and recovery solutions for any Microsoft 365 data you have.
  • Flexible and scalable: These solutions can be scaled to meet your organisation’s needs, whether that’s an increase or decrease. You won’t have to worry about physical hardware or infrastructure limitations either.

Cloud Services and Data Protection Enhancements

We also think our cloud services and data protection enhancements can help out, such as

  • Data backup solutions: We offer monitored data backup for vulnerable systems, including servers and cloud-based platforms like Microsoft 365 and Google Workspace. This adds an extra layer of security for law firms. If there’s data loss due to cyberattacks or other disasters, data backup lets you restore essential information so your business will experience minimal disruptions.
  • Hard disk encryption: Encrypting data stored on physical devices protects against data theft and unauthorized access. Our full disk encryption for workstations and servers ensures sensitive client information remains secure, even if physical devices are compromised
  • Dark web monitoring: Monitoring the dark web for leaked business credentials helps your business preemptively address potential breaches. By being alerted to login credentials being exposed, you can take immediate action to secure your accounts and prevent unauthorised access to your systems.
  • Cyber Essentials certification: We guide businesses through the Cyber Essentials certification process, which is our commitment to promoting the best practices in cybersecurity.
Cyber Essentials logos
A scheme to help your business stay protected against cyber threats.

Moving Forward

Given the impact of the CitrixBleed attack on the legal sector, it’s clear that businesses need to reconsider their approach to cybersecurity.

From comprehensive software solutions to around-the-clock monitoring and advanced data protection measures, our solutions are designed to fortify your defences and safeguard sensitive client information.

Reach out to us today to see how we can help your business avoid the situation that CTS was in November 2023.