Hospitals Urged to Secure Systems Against Citrix Bleed Cybersecurity Vulnerability
The LockBit 3.0 ransomware gang has been exploiting the Citrix Bleed cybersecurity vulnerability to evade password requirements and multi-factor authentication.
Hospitals should take immediate action to protect against the Citrix Bleed cybersecurity vulnerability, the American Hospital Association (AHA) warned, following multiple alerts by government agencies regarding the aggressive exploitation of this vulnerability.
Threat actors have been observed exploiting the Citrix Bleed vulnerability (CVE-2023-4966), which impacts the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) and allows threat actors to bypass password protections and multi-factor authentication.
In late November, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners issued an alert to notify critical infrastructure that the LockBit 3.0 ransomware gang had been exploiting this vulnerability.
“Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources,” CISA and its partners explained in the initial alert.
“Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.”
The Health Sector Cybersecurity Coordination Center (HC3) has since issued its own sector alert and encouraged healthcare organizations to upgrade their systems to prevent further damage to the sector.
HC3 noted that Citrix released a patch for this vulnerability in early October, but the vulnerability was reportedly exploited as a zero-day since August 2023. Citrix also warned customers that the compromised sessions will still be active even after the patch has been implemented. The alert contained specific instructions for organizations to upgrade their devices and remove any active sessions with the following commands:
- kill aaa session -all
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- clear lb persistentSessions
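The reason the session-kill step matters is that a session hijacked before the upgrade stays valid afterwards. As an added illustration (not part of the HC3 or Citrix guidance, and using a constructed, hypothetical log layout), the script below audits session records for the two things a defender would want to see before and after running the commands above: the same session token presented from more than one client address, and sessions that were established before the patch time and are therefore still live.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp sess= user= client=" layout.
SAMPLE_LOG = """\
2023-10-10T07:55:02Z sess=a1b2 user=nurse01 client=10.0.5.21
2023-10-10T08:01:17Z sess=a1b2 user=nurse01 client=10.0.5.21
2023-10-10T08:04:40Z sess=a1b2 user=nurse01 client=198.51.100.77
2023-10-10T08:10:03Z sess=c3d4 user=admin02 client=10.0.9.4
2023-10-10T09:30:00Z sess=e5f6 user=lab07 client=10.0.7.19
"""

# Assumed time at which the fixed NetScaler build was applied.
PATCH_TIME = datetime(2023, 10, 10, 9, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) client=(?P<ip>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, session id, user, client ip) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["sess"], m["user"], m["ip"]

def audit(text, patch_time):
    """Return session ids that look hijacked or that predate the patch."""
    first_seen = {}
    ips = defaultdict(set)
    for ts, sess, _user, ip in parse_log(text):
        first_seen[sess] = min(ts, first_seen.get(sess, ts))
        ips[sess].add(ip)
    # One session token presented from several client addresses: the
    # footprint of a legitimate session being replayed from elsewhere.
    ip_reuse = {s for s, addrs in ips.items() if len(addrs) > 1}
    # Sessions established before the patch survive it and must be killed.
    pre_patch = {s for s, ts in first_seen.items() if ts < patch_time}
    return {"ip_reuse": ip_reuse, "pre_patch": pre_patch}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, PATCH_TIME)
    for s in sorted(report["ip_reuse"]):
        print(f"session {s}: token seen from multiple client IPs, terminate it")
    for s in sorted(report["pre_patch"] - report["ip_reuse"]):
        print(f"session {s}: established before patch, still live, terminate it")
```

The `kill ... -all` commands above clear everything regardless; this audit is for confirming nothing survived the upgrade and for identifying which accounts need a credential reset.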
“This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in the AHA’s report on the subject.
“This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems. Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season. AHA also continues to implore the federal government to utilize all available resources and authorities across all agencies to conduct law enforcement actions and offensive cyber operations against these cyber terrorists.”
The FBI, CISA, and MS-ISAC provided detailed indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help critical infrastructure entities defend against exploitation of this vulnerability. Key recommendations include requiring phishing-resistant multi-factor authentication, disabling command-line and scripting activities and permissions, and updating Windows PowerShell or PowerShell Core to its latest version.