On Thursday, the department’s security team, Health Sector Cybersecurity Coordination Center (HC3), issued an alert where it urged all U.S. healthcare businesses to protect their NetScaler ADC and NetScaler Gateway equipment from ransomware gang invasions.
"The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability,” the alert read.
"HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector."
Prior to the aforementioned warning, Citrix had already issued two warnings urging admins to patch their appliances in priority. It also urged administrators to terminate all open and persistent sessions. Moreover, in order to stop hackers from obtaining authentication tokens even after the security upgrades have as well been installed.
Thousands of Servers Exposed, Many Already Breached
Cybersecurity professional Kevin Beaumont has been monitoring and analyzing cyberattacks against a variety of targets throughout the globe, such as Boeing, DP World, Allen & Overy, and the Industrial and Commercial Bank of China (ICBC), and he discovered that these targets were probably all compromised through the use of Citrix Bleed exploits.
On Friday, Beaumont revealed that the U.S.-based managed service provider (MSP) experienced a ransomware attack by a threat group, that has exploited a Citrix Bleed vulnerability a week earlier.
The MSP continues to work on securing its susceptible Netscaler appliances, which may leave its clients' networks and data open to additional intrusions.
The vulnerability was fixed by Citrix in early October, but Mandiant subsequently discovered that it has been actively exploited as a zero-day since at least late August of 2023.
AssetNote, an external attack surface management company, on October 25, released a CVE-2023-4966 proof-of-concept exploit explaining how session tokens can be accessed by cybercriminals from Citrix appliances that has not been patched.
According to Japan-based threat researcher Yukata Sejiyama, over 10,000 Citrix servers – many of which belonged to some important organizations globally – were still susceptible to Citrix Bleed attacks more than a month after the critical flaw was patched.
"This urgent warning by HC3 signifies the seriousness to the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group that represents 5,000 hospitals and healthcare providers across the U.S.
According to Riggi, this case also highlights the ferocity with which ‘foreign ransomware gangs,’ (majorly the Russian-speaking groups), continue to attack medical facilities and other healthcare institutions. Ransomware attacks interrupt and delay health care delivery, placing patient lives in danger.