Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADS (formerly Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, and issued a patch to correct the flaw, which can be exploited to bypass password protection and multifactor authentication. The buffer overflow vulnerability is tracked as CVE-2023-4966 and has a CVSS severity score of 9.4 out of 10. The vulnerability appears to have been exploited in the wild since August 2023. The vulnerability is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

The vulnerability affects the following NetScaler ADC and Gateway versions:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
• NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
• NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers still using these versions should upgrade their appliances to one of the supported versions.

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

• kill aaa session -all
• kill icaconnection -all
• kill rdp connection -all
• kill pcoipConnection -all
• clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. “This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems.  Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.