Patch-resistant autonomous exploits of Citrix NetScaler hardware hit thousands in Europe
More than 1,800 Citrix NetScaler devices still contained backdoors at the time of publication


Researchers have found an expansive and active threat campaign that exploited a severe Citrix NetScaler vulnerability to backdoor thousands of devices, including those that were subsequently patched.
Attackers automated the exploitation of the remote code execution vulnerability, tracked as CVE-2023-3519, to place web shells on vulnerable devices. These were found to persist through patches and reboots.
Approximately 69% of the backdoored NetScalers were no longer vulnerable to CVE-2023-3519 at the time of their discovery, prompting researchers to warn administrators who have already dealt with the Citrix patch not to be lulled into a false sense of security.
The campaign was brought to light by NCC Group and its subsidiary Fox-IT, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD).
Both organizations had been looking into Citrix’s NetScaler Gateway vulnerabilities to establish evidence of exploitation in the wild, which led them to uncover dormant web shells.
In response, the two collaborated on a scan of internet-exposed NetScalers.
Researchers had initially limited their focus to devices that had not been patched at the time of Citrix’s initial disclosure, but upon widening the scan to include patched devices were shocked to discover more than 2,000 IP addresses that had been backdoored with the web shell.
The campaign is believed to have been launched between 20 and 21 July, at which time approximately 31,127 NetScalers were still vulnerable to CVE-2023-3519.
NCC Group stated that as of 14 August, 1,828 NetScalers still contained backdoors, out of a total of 1,952 devices that the teams identified as compromised.
The DIVD reached out to affected organizations starting on 10 August. Devices in Germany, France, and Switzerland ranked the highest for compromise out of the affected countries, with the vast majority of NetScalers that were backdoored being located in Europe.
Citrix issued a bulletin in July in which it disclosed three vulnerabilities affecting NetScaler Gateway and ADC products. The firm urged customers with affected devices to install the latest updates.
CVE-2023-3519 was the worst of the three, carrying a near-maximum CVSSv3 score of 9.8 and allowing attackers to perform remote code execution.
NCC Group advised admins to perform a thorough scan for the known indicators of compromise (IOCs) on their NetScaler devices even if they had applied the July patch, since the patch closes the vulnerability but does not remove a web shell that was planted before it was installed.
Fox-IT has made a Python script for performing triage on NetScalers publicly available via its GitHub repository, and Mandiant has similarly published a bash script that checks for IOCs.
Researchers advised IT teams to treat any evidence of the web shell having been used with the utmost seriousness and recommended that in this circumstance a wider investigation should be undertaken to rule out lateral movement throughout an organization’s IT environment.
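The point the researchers make is that a version check is not enough: a device can report a patched build and still carry a web shell dropped before the patch. The following is an added example, not code from the article, Fox-IT or Mandiant, of the file-based triage that a defender would run instead. It compares a copy of an appliance's web-served directory against a known-good manifest of the clean build, flags files that are missing from the manifest or whose hash differs, looks for PHP files containing code-execution primitives, and flags anything modified on or after the campaign window the article reports. The manifest contents, the directory layout and the planted sample file are all constructed placeholders, not real NetScaler paths or real IOCs.

```python
"""
Added example (not from the article, Fox-IT or Mandiant): triage a copy of an
appliance's web root for files that should not be there. Patching closes the
vulnerability but does not remove an already planted web shell, so the check
is file-based, not version-based.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: campaign window taken from the article (20-21 July 2023); anything
# modified on or after this date in a web-served directory deserves a look.
CAMPAIGN_START = datetime(2023, 7, 20, tzinfo=timezone.utc)

# Constructed known-good manifest: relative path -> SHA-256 of the file as it
# ships in a clean build. In practice this comes from a clean image of the same
# firmware version; the paths here are placeholders, not real NetScaler paths.
KNOWN_GOOD = {
    "index.html": hashlib.sha256(b"<html>legit</html>").hexdigest(),
}

# Defensive signature: PHP functions that execute code or commands. A file in a
# web root that calls these and is not in the manifest is worth a human look.
SUSPICIOUS_PHP = re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(", re.I)


def sha256_file(path: Path) -> str:
    """Stream the file so large assets do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_webroot(webroot: Path, manifest: dict[str, str], since: datetime) -> list[dict]:
    """Return one finding per file that fails any check, with the reasons why."""
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        digest = sha256_file(path)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        reasons = []
        expected = manifest.get(rel)
        if expected is None:
            reasons.append("not in known-good manifest")
        elif expected != digest:
            reasons.append("hash differs from known-good manifest")
        if path.suffix.lower() == ".php" and SUSPICIOUS_PHP.search(path.read_bytes()):
            reasons.append("contains code-execution primitive")
        if mtime >= since:
            reasons.append("modified on or after campaign start")
        if reasons:
            findings.append({"path": rel, "sha256": digest,
                             "mtime": mtime.isoformat(), "reasons": reasons})
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample: one shipped file (old mtime, hash in manifest) and one
    planted PHP file that is not in the manifest. The planted file only contains
    the signature string; it is not a functioning shell."""
    root = Path(tempfile.mkdtemp(prefix="webroot-triage-"))
    legit = root / "index.html"
    legit.write_bytes(b"<html>legit</html>")
    old = datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))
    (root / "logon").mkdir()
    (root / "logon" / "x.php").write_bytes(b"<?php /* constructed sample */ eval(''); ?>")
    return root


if __name__ == "__main__":
    for f in triage_webroot(build_sample_webroot(), KNOWN_GOOD, CAMPAIGN_START):
        print(f["path"], f["sha256"][:12], ", ".join(f["reasons"]))
```

Run against a copy of the directory taken from the appliance (or from a forensic image), never against the live device alone, so that the timestamps and contents are preserved for the wider investigation the researchers recommend if the shell turns out to have been used. The manifest comparison is the strongest of the three checks; the content regex and the modification window are there to catch files on a build for which no clean manifest is available.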
ITPro has approached Citrix for more information.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.