What Is Citrix Bleed? The Next Ransomware Patch You Need

Citrix Bleed is a software vulnerability being increasingly connected to cyber attacks, and it now appears to be putting government and critical infrastructure at risk — but the good news is that a patch is available.

The vulnerability’s name has been popping up over the past couple months in reports on key sectors. According to a post from cybersecurity researcher Kevin Beaumont, this flaw may be behind the cyber attack that disrupted swathes of credit unions earlier this week. The credit unions’ technology vendor Ongoing Operations was hit with ransomware and had failed to patch the vulnerability, he wrote. Ongoing Operations declined to confirm to Government Technology whether Citrix Bleed had been exploited.

But the health-care sector is also raising warnings. Industry group the American Hospital Association urged its membership recently to patch and defend against the vulnerability. Its message amplified the federal Health Sector Cybersecurity Coordinating Center (HC3)’s own alert. Ransomware actors also exploited it in an attack on airplane giant Boeing.

The flaw, also known as CVE 2023-4966, impacts Citrix NetScaler web application delivery control and NetScaler Gateway appliances. Federal officials and partners turned a spotlight on the vulnerability and issued a joint advisory, giving advice and details, including indicators of compromise; observed tactics, techniques and procedures; and detection methods.

Advisory authors include the Cybersecurity and Infrastructure Security Agency, FBI, Multi-State Information Sharing and Analysis Center and Australia’s lead cybersecurity agency, the Australian Signals Directorate’s Australian Cyber Security Centre.

At least one group of threat actors has been identified exploiting Citrix Bleed: affiliates deploying LockBit 3.0 ransomware. LockBit affiliates have in the past targeted organizations in critical infrastructure sectors, including government and emergency services, health care, financial services, energy, education, food and agriculture, manufacturing and transportation, per the joint advisory.

Hackers exploiting Citrix Bleed can “bypass password…