US Health Dept urges hospitals to patch critical Citrix Bleed bug

Citrix Bleed


The U.S. Department of Health and Human Services (HHS) warned hospitals this week to patch the critical 'Citrix Bleed' Netscaler vulnerability actively exploited in attacks.


Ransomware gangs are already using Citrix Bleed (tracked as CVE-2023-4966) to breach their targets' networks by circumventing login requirements and multifactor authentication protections.


HHS' security team, the Health Sector Cybersecurity Coordination Center (HC3), issued a sector alert on Thursday urging all U.S. healthcare organizations to secure vulnerable NetScaler ADC and NetScaler Gateway devices against ransomware gangs' attacks.


"The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability," HC3 warned.


"HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector."


Before this, Citrix issued two warnings asking admins to immediately patch their appliances. It also reminded admins to kill all active and persistent sessions to prevent attackers from stealing authentication tokens even after installing the security updates.


Recently, CISA and the FBI also cautioned about the LockBit ransomware gang joining the attacks. One of their victims, aerospace giant Boeing, shared details on how a LockBit affiliate breached its network in October using a Citrix Bleed exploit.


Thousands of servers exposed, many already breached


Cybersecurity expert Kevin Beaumont has been tracking and analyzing cyberattacks against various victims worldwide, including Boeing, the Industrial and Commercial Bank of China (ICBC), DP World, and Allen & Overy, and found they were all likely breached using Citrix Bleed exploits.


Beaumont revealed on Friday that a U.S.-based managed service provider (MSP) suffered a ransomware attack by a group exploiting a Citrix Bleed vulnerability over a week ago.


The MSP is still working to secure its vulnerable Netscaler appliances, which could potentially expose its clients' networks and data to further attacks.


Citrix Bleed US MSP


​Citrix patched the flaw in early October, but Mandiant later revealed that it has been under active exploitation as a zero-day since at least late August 2023. 


On October 25, external attack surface management company AssetNote released a CVE-2023-4966 proof-of-concept exploit showing how session tokens can be stolen from unpatched Citrix appliances.


In mid-November, Japanese threat researcher Yutaka Sejiyama told BleepingComputer that over 10,000 Citrix servers (many of them belonging to critical organizations in many countries) were still vulnerable to Citrix Bleed attacks, more than one month after the critical flaw was patched.


"This urgent warning by HC3 signifies the seriousness to the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group that represents 5,000 hospitals and healthcare providers across the U.S.


"This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems. Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger."