December 2, 2023 at 11:54AM
The HHS alerted U.S. healthcare organizations to patch the ‘Citrix Bleed’ vulnerability (CVE-2023-4966), which ransomware gangs are actively exploiting to bypass security controls. Citrix and federal agencies urged immediate action. Despite a fix released in October, over 10,000 servers remain at risk, threatening the healthcare sector.
Meeting Takeaways:
1. **Urgent Vulnerability Alert**: The HHS has warned hospitals of the ‘Citrix Bleed’ NetScaler vulnerability (CVE-2023-4966), which is being actively exploited by ransomware gangs.
2. **Immediate Action Required**: Healthcare organizations across the U.S. are urged by the HC3 to update NetScaler ADC and NetScaler Gateway devices to protect against ransomware attacks.
3. **Ongoing Exploits**: Ransomware groups are breaching networks using Citrix Bleed by bypassing login and multifactor authentication, with aerospace giant Boeing being among the victims.
4. **Sector Alert Issued**: HC3 has issued an alert with information on detecting and mitigating the Citrix Bleed vulnerability, urging upgrades to secure the HPH sector.
5. **Past Warnings from Citrix**: Citrix had previously warned admins to patch their systems and advised terminating all active sessions after updating, so that attackers cannot keep using authentication tokens stolen before the patch.
6. **Warnings from CISA and FBI**: These agencies have also warned about the LockBit ransomware group capitalizing on the vulnerability.
7. **Widespread Exploitation Recorded**: Kevin Beaumont reported breaches across multiple organizations, including the Industrial and Commercial Bank of China and Allen & Overy, linked to Citrix Bleed exploits.
8. **Managed Service Provider (MSP) Attack**: A U.S.-based MSP was recently hit by a ransomware attack leveraging Citrix Bleed, leading to potential risks to its clients.
9. **Citrix Patch Availability**: The vulnerability was patched by Citrix in early October, but exploitation had begun as early as late August 2023.
10. **Proof of Concept Released**: AssetNote published a proof of concept for CVE-2023-4966, demonstrating the exploit on unpatched systems.
11. **Thousands at Risk**: Over 10,000 Citrix servers remain vulnerable to Citrix Bleed attacks even though a patch is available.
12. **Industry Concern**: John Riggi of the American Hospital Association emphasizes the critical nature of this vulnerability and the risk it poses to healthcare systems by foreign ransomware groups, primarily Russian-speaking.
The core directive from this meeting is for all U.S. healthcare organizations to urgently patch the identified vulnerability in Citrix systems, mitigating the risk posed by active exploitation of Citrix Bleed and safeguarding the healthcare industry’s cyber infrastructure.