Feds, AHA Urge Hospitals to Mitigate Citrix Bleed Threats

A recent spike in ransomware attacks has prompted federal regulators and the American Hospital Association to issue urgent warnings to hospitals and other healthcare firms to prevent potential exploitation of the Citrix Bleed software flaw affecting certain NetScaler ADC and NetScaler Gateway devices.

See Also: Live Webinar | Cutting Through the Hype: What Software Companies Really Need from ASPM

The alert on Nov. 30 from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center and a warning on Friday from the AHA come as a wave of ransomware attacks suspected to involve Citrix Bleed exploitation have hit organizations in the healthcare sector, as well as in other sectors in recent weeks (see: Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions).

“HC3 strongly urges organizations to upgrade to prevent further damage against the healthcare and public health sector,” the HHS agency warned.

The urgency of HHS’s alert “signifies the seriousness” of the Citrix Bleed vulnerability and the critical need to deploy existing Citrix patches and upgrades to secure healthcare IT systems, said John Riggi, national adviser for cybersecurity and risk at AHA, in the association’s warning.

“This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems,” Riggi said. “Ransomware attacks disrupt and delay healthcare delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cybercriminals will continue to target the field, especially during the holiday season.”

The Citrix Bleed vulnerability, which is tracked as CVE-2023-4966, has been the subject of earlier government alerts, including a joint warning on Nov. 21 from the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center regarding exploitation by the Russian-speaking ransomware group LockBit 3.0 and its affiliates.

The next day, HHS HC3 issued its first alert about Citrix Bleed, warning of ransomware attacks by LockBit 3.0 targeting entities in the healthcare and public health sector.

Holiday Spike?

NetScaler issued a bulletin about the vulnerability in October and subsequently warned about the flaw again in late November, saying there had been reports of “a sharp increase in attempts” to exploit the vulnerability in unpatched NetScaler ADCs.

Exploitation of the vulnerability enables cyberthreat actors to bypass password requirements and multifactor authentication measures, the AHA warned.

HHS HC3 in its latest alert said the vulnerability has repeatedly been exploited since August. While Citrix released a patch for the vulnerability in early October, already-compromised sessions will still be active after a patch has been implemented, the vendor warned.

HC3 is encouraging all administrators to follow NetScaler’s guidance to upgrade their devices and remove or “kill” any active or persistent sessions with certain specific commands.

Since Thanksgiving, cybercriminals have hit at least two U.S. hospital groups with cyberattacks that disrupted some patient healthcare services – Ardent Health Services based in Tennessee and Capital Health in New Jersey.

Neither organization has publicly confirmed whether exploitation of Citrix Bleed was involved.

Some experts predict cyberattacks on the healthcare sector will only continue to surge in the weeks ahead.

“Cybercriminals use the holiday to seek out vulnerable systems to exploit and to take advantage of reduced workforce to disrupt the critical networks and systems belonging to organizations, businesses and critical infrastructure,” said Carter Groome, founder and CEO of consultancy First Health Advisory.

“These actors have found that deploying cyberattacks during holidays makes recovery and response much more difficult. Not only do health entities lack the resources, companies hit during the holidays are left scrambling to pull together their incident response team,” he said.

“When the CEO is sitting down to a holiday meal or legal counsel is on vacation, recovery efforts are easily hampered.”