Hospitals are being strongly cautioned by the U.S. Department of Health and Human Services (HHS) to promptly address the critical NetScaler vulnerability known as ‘Citrix Bleed’, which is currently being actively exploited by ransomware gangs. This vulnerability, tracked as CVE-2023-4966, is being leveraged by attackers to infiltrate hospital networks by hijacking existing sessions, bypassing login requirements and multifactor authentication measures.

On Thursday, the Health Sector Cybersecurity Coordination Center (HC3), a component of the HHS security team, released a sector-wide alert with a specific focus on U.S. healthcare entities. The alert emphasizes the urgency for these entities to secure their NetScaler ADC and NetScaler Gateway devices promptly to thwart ongoing attacks by ransomware groups.

According to HC3, the Citrix Bleed vulnerability is actively being exploited, necessitating immediate upgrades to prevent further harm to the Healthcare and Public Health (HPH) sector. The advisory contains crucial information on detecting and mitigating the vulnerability, urging users and administrators to adhere to recommended actions and upgrade their devices promptly.

Citrix had previously issued two warnings, urging administrators to patch their appliances urgently. It emphasized the importance of terminating all active and persistent sessions after updating, because authentication tokens stolen before the patch remain usable even once the security updates are applied.

Recent alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have also highlighted the involvement of the LockBit ransomware gang in exploiting the Citrix Bleed vulnerability. Boeing, a notable victim, shared insights into how a LockBit affiliate breached its network using this exploit.

Kevin Beaumont, a cybersecurity expert, has been monitoring and analyzing cyberattacks globally, identifying Citrix Bleed exploits in breaches against various organizations, including Boeing, the Industrial and Commercial Bank of China (ICBC), DP World, and Allen & Overy.

Beaumont disclosed that a U.S.-based managed service provider (MSP) fell victim to a ransomware attack exploiting the Citrix Bleed vulnerability over a week ago. The MSP is actively working to secure its vulnerable NetScaler appliances to prevent further exposure of its clients’ networks and data to potential attacks.

While Citrix released a patch for the flaw in early October, Mandiant later revealed that the vulnerability had been actively exploited as a zero-day since at least late August 2023. A proof-of-concept exploit for CVE-2023-4966 was also released by Assetnote on October 25, demonstrating how session tokens could be stolen from unpatched Citrix appliances.

In mid-November, Japanese threat researcher Yutaka Sejiyama reported that over 10,000 Citrix servers, many belonging to critical organizations worldwide, remained vulnerable to Citrix Bleed attacks more than a month after the patch was released.

John Riggi, a cybersecurity and risk advisor for the American Hospital Association, emphasized the gravity of the situation, stating that HC3’s urgent warning underscores the critical nature of the Citrix Bleed vulnerability and the immediate need to deploy patches and upgrades. Riggi also highlighted the aggressive targeting of hospitals and health systems by foreign ransomware gangs, particularly Russian-speaking groups, posing a significant threat to healthcare delivery and patient safety.
