Ransomware groups are exploiting a critical vulnerability identified in NetScaler ADS (earlier known as Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, referred to as Citrix Bleed.
On October 10, 2023, Citrix released a security alert concerning the vulnerability and made a patch available to resolve the vulnerability, which could be used to get around multifactor authentication and password protection. This buffer overflow vulnerability, which is monitored as CVE-2023-4966, has an assigned CVSS severity score of 9.4 out of 10. Since August 2023, the vulnerability has been exploited in the wild. Threat actors can exploit the vulnerability and control legitimate user sessions. As soon as preliminary access is acquired, threat actors could change privileges, collect credentials, move laterally, and gain access to sensitive information and assets.
The vulnerability impacts these versions of NetScaler ADC and Gateway:
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later versions of 12.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later versions of 12.1-FIPS
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later versions of 13.1-FIPS
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later versions of 13.0
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later versions of 13.1
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later versions
NetScaler ADC and NetScaler Gateway version 12.1 are already End-of-Life (EOL). Users still utilizing these versions need to update their devices to one of the accepted versions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) already included the vulnerability in its catalog of Known Exploited Vulnerabilities on October 18, 2023. It issued a security alert concerning the vulnerability on November 21, 2023. This is because the vulnerability had been exploited more widely by ransomware groups such as the LockBit 3.0 ransomware group.
On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) released an important security alert to the healthcare and public health (HPH) sector concerning the vulnerability together with an additional alert on November 30, 2023, telling healthcare providers to apply the patch to the vulnerability immediately to safeguard against exploitation. Using the patch will prevent vulnerability exploitation; nonetheless, if it was already exploited, the breached sessions will continue to be active. The customer must take action to be sure to remove all active sessions.
To take away active and running sessions after applying the patch, admins need to execute these commands:
- kill icaconnection -all
- kill aaa session -all
- kill pcoipConnection -all
- kill rdp connection -all
- clear lb persistentSessions
The user should also look into possible exploits of the vulnerability. NetScaler has released guidance for inspections and CISA has released Indicators of Compromise related to LockBit 3.0 together with the tactics, techniques, and procedures (TTPs) employed by the group and mitigation guidelines for protecting against ransomware attacks.
The American Hospital Association has released a security alert telling hospitals to take the necessary action immediately to prevent the Citrix Bleed vulnerability exploitation, considering that ransomware groups are primarily targeting hospitals. This important alert by HC3 indicates the urgency of the Citrix Bleed vulnerability and the immediate need to set up the current Citrix patches and upgrades to protect systems as advised by John Riggi, the national advisor for cybersecurity and risk of AHA. This problem likewise shows the aggressiveness of foreign ransomware groups, mainly Russian-speaking groups, in continuously attacking hospitals and healthcare systems. Ransomware attacks disturb and slow down the provision of medical care, putting patient lives at risk. Healthcare providers must stay alert and strengthen their cyber defenses, since it is obvious that cybercriminals will keep targeting the field, particularly throughout the holiday season.