HHS warns of ‘Citrix Bleed’ attacks after hospital outages

The U.S. Department of Health and Human Services is warning hospitals and healthcare facilities across the country to patch a vulnerability known as “Citrix Bleed” that is being used in attacks by ransomware gangs.

For weeks, cybersecurity experts and the leading cyber defense agencies across the globe have released stark warnings about cybercriminals and nation-states abusing the vulnerability, tracked as CVE-2023-4966.

The vulnerability affects Citrix’s NetScaler ADC and NetScaler Gateway appliances, which are used by companies to manage network traffic. It has already been used to launch attacks against several companies including Toyota and Boeing.

On Thursday, the department’s Health Sector Cybersecurity Coordination Center (HC3) warned hospitals that the Citrix Bleed vulnerability is being actively exploited and urged organizations to upgrade to prevent further damage to the sector.

“Citrix released a patch for this vulnerability in early October, but it has been reported that the vulnerability was being exploited as a zero-day since August 2023,” HC3 said.

“The manufacturer has also warned that these compromised sessions will still be active after a patch has been implemented.”

The advisory links to several guides from the Cybersecurity and Infrastructure Security Agency (CISA) and Netscaler providing information on how hospitals can protect themselves.

Last week, Boeing partnered with the FBI and CISA to release an outline of how it was attacked through Citrix Bleed in the hopes that it would help other companies protect themselves. A unit of their business was attacked by the LockBit ransomware gang.

Meanwhile, two major hospital networks dealt with ransomware attacks this week causing widespread issues, although neither incident has been explicitly tied to Citrix Bleed.

Hospitals in New Jersey and Pennsylvania are still dealing with issues after Capital Health said it is experiencing network outages because of a cybersecurity incident. The hospital network was forced to cancel appointments and reschedule elective surgeries due to the attack.

That attack came days after Ardent Health Services — which operates 37 healthcare facilities across the U.S — reported widespread issues due to a ransomware attack on its systems.

Those hospitals were forced to divert ambulances to other facilities, causing critical delays that for many can mean the difference between life and death.

In August, 16 hospitals run by Prospect Medical Holdings spent weeks recovering from a ransomware attack that caused severe outages at facilities in four states.

Attacks involving Citrix Bleed began in August, according to the advisory and previous reports from Google security firm Mandiant.

Despite a security bulletin from Citrix in October rating the bug a 9.4 out of 10 on the CVSS severity scale, research tool ShadowServer shows that thousands of instances where the tool is used were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone. CISA ordered all federal civilian agencies to patch the bug on October 18 and gave a deadline of November 8.

Earlier this month, cybersecurity expert Kevin Beaumont said at least two ransomware gangs are now attempting to exploit the vulnerability in attacks, while Mandiant found four different groups attempting exploitation.

“This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk.

“This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems. Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”