The U.S. Department of Health and Human Services (HHS) issued a warning to hospitals this week, urging them to address the critical ‘Citrix Bleed’ NetScaler vulnerability that is actively exploited in attacks.
Ransomware groups have already seized upon Citrix Bleed, identified as CVE-2023-4966, to infiltrate the networks of their targets by bypassing login requirements and multifactor authentication safeguards.
HHS’ security team, the Health Sector Cybersecurity Coordination Center (HC3), released a sector alert on Thursday, calling on all U.S. healthcare organizations to secure their vulnerable NetScaler ADC and NetScaler Gateway devices against the ongoing ransomware attacks.
“The Citrix Bleed vulnerability is currently being actively exploited, and HC3 strongly advises organizations to update to prevent further harm to the Healthcare and Public Health (HPH) sector. This alert includes information on detecting and mitigating the vulnerability,” cautioned HC3.
“HC3 strongly recommends that users and administrators review these suggested actions and upgrade their devices to prevent significant damage to the HPH sector.”
Prior to this, Citrix issued two warnings instructing administrators to promptly patch their appliances. Citrix also emphasized the need to terminate all active and persistent sessions, because attackers who have already pilfered authentication tokens can otherwise keep using them even after the security updates are installed.
Recently, both CISA and the FBI warned about the LockBit ransomware gang’s involvement in these attacks. Aerospace giant Boeing, one of its victims, shared details on how a LockBit affiliate breached its network in October using a Citrix Bleed exploit.
Cybersecurity expert Kevin Beaumont, tracking cyberattacks globally, discovered that various victims, including Boeing, the Industrial and Commercial Bank of China (ICBC), DP World, and Allen & Overy, were likely compromised through Citrix Bleed exploits.
Beaumont disclosed that a U.S.-based managed service provider (MSP) fell victim to a ransomware attack by a group exploiting the Citrix Bleed vulnerability over a week ago. The MSP is currently working to secure its vulnerable NetScaler appliances, which could otherwise expose its clients’ networks and data to further attacks.
Although Citrix patched the flaw in early October, Mandiant later revealed that it had been actively exploited as a zero-day since at least late August 2023.
On October 25, external attack surface management company Assetnote released a proof-of-concept exploit for CVE-2023-4966, demonstrating how session tokens could be stolen from unpatched Citrix appliances.
In mid-November, Japanese threat researcher Yutaka Sejiyama reported that over 10,000 Citrix servers, many belonging to critical organizations in various countries, remained vulnerable to Citrix Bleed attacks more than a month after the critical flaw was patched.
John Riggi, a cybersecurity and risk advisor for the American Hospital Association, emphasized the gravity of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure systems. Riggi also highlighted the aggressive targeting of hospitals and health systems by foreign ransomware groups, primarily Russian-speaking ones, pointing to the disruptive impact on healthcare delivery and the potential danger to patient lives.