HHS warns of ‘Citrix Bleed’ attacks after hospital outages


The U.S. Department of Health and Human Services is warning hospitals and healthcare facilities across the country to patch a vulnerability known as “Citrix Bleed” that is being used in attacks by ransomware gangs.

For weeks, cybersecurity experts and leading cyber defense agencies around the world have issued stark warnings about cybercriminals and nation-states abusing the vulnerability, tracked as CVE-2023-4966.

The vulnerability affects Citrix’s NetScaler ADC and NetScaler Gateway appliances, which are used by enterprises to manage network traffic. It has already been used to launch attacks against several companies, including Toyota and Boeing.

On Thursday, the health department’s Cybersecurity Coordination Center (HC3) notified hospitals that the Citrix Bleed vulnerability is being actively exploited and urged organizations to upgrade to avoid further damage to the industry.

“Citrix released a patch for this vulnerability in early October, but the vulnerability was reported to have been exploited as a zero-day since August 2023,” HC3 said.

“The manufacturer also warned that these compromised sessions will remain active after a patch is implemented.”

The advisory links to several guides from the Cybersecurity and Infrastructure Security Agency (CISA) and NetScaler that explain how hospitals can protect themselves.

Last week, Boeing teamed up with the FBI and CISA to publish an overview of how it was attacked via Citrix Bleed, in the hope that this would help other businesses protect themselves. A unit of the company was attacked by the LockBit ransomware gang.

Meanwhile, two large hospital networks faced ransomware attacks this week, causing widespread problems, although neither incident was explicitly linked to Citrix Bleed.

Hospitals in New Jersey and Pennsylvania still face problems after Capital Health said it is experiencing network outages due to a cybersecurity incident. The hospital network was forced to cancel appointments and reschedule elective surgeries due to the attack.

This attack came days after Ardent Health Services – which operates 37 healthcare facilities across the United States – reported widespread problems due to a ransomware attack on its systems.

These hospitals have been forced to reroute their ambulances to other facilities, causing critical delays that, for many people, can mean the difference between life and death.

In August, 16 hospitals managed by Prospect Medical Holdings spent weeks recovering from a ransomware attack that caused severe outages at facilities in four states.

The attacks involving Citrix Bleed began in August, according to the advisory and previous reports from security company Google Mandiant.

Despite a security bulletin from Citrix in October that gave the bug a rating of 9.4 out of 10 on the CVSS severity scale, the ShadowServer search tool showed that thousands of instances were still vulnerable to the issue as of November 2, including nearly 2,000 in North America alone. CISA ordered all federal civilian agencies on October 18 to fix the bug and set a deadline of November 8.

Earlier this month, cybersecurity expert Kevin Beaumont said at least two ransomware gangs are now trying to exploit the vulnerability, while Mandiant found four different groups attempting to exploit it.

“This urgent warning from HC3 signifies the severity of the Citrix Bleed vulnerability and the urgent need to deploy existing Citrix patches and upgrades to secure our systems,” said John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk.

“This situation also demonstrates the aggressiveness with which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and healthcare systems. Ransomware attacks disrupt and delay healthcare delivery, putting patients’ lives at risk. We must remain vigilant and strengthen our cyber defenses, as there is no doubt that cybercriminals will continue to target the domain, especially during the holiday season.”

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
