Mass-Exploitation Campaign Targets Citrix NetScalers With Backdoors

A widespread cyber-attack targeting thousands of Citrix NetScalers has been unveiled by cybersecurity firm Fox-IT (part of NCC Group) in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD).

The campaign exploited a critical vulnerability, CVE-2023-3519, to gain a foothold on vulnerable NetScalers. Once inside, the attackers dropped web shells that survive subsequent patching and reboots, so a NetScaler that was compromised before the fix was applied remains backdoored after it.

Describing the threat in an advisory published on Tuesday, NCC Group said the scale of the attack became evident as over 1900 NetScalers were found to be still backdoored at the time of discovery.

The attackers used automated exploitation to place web shells on compromised systems, giving them persistent access and the ability to execute arbitrary commands. Because applying the patch does not remove a web shell that is already in place, roughly half of the backdoored NetScalers had been patched for CVE-2023-3519 yet remained compromised.

The vulnerability itself was disclosed on July 18, alongside reports from several security organizations of limited in-the-wild exploitation. This prompted a joint effort by Fox-IT and DIVD to identify compromised systems and start responsible disclosure notifications to their owners.

In the new advisory, NCC Group reported that the compromised NetScalers were spread across many countries, with the majority located in Europe. A notable share of the backdoored systems was also found in Canada, Russia and the United States.

In response, Fox-IT and DIVD released recommendations for NetScaler administrators to assess whether their systems are compromised. The suggestions include performing Indicator of Compromise (IoC) checks, running the Python scripts Fox-IT provided for forensic analysis, and investigating possible unauthorized activity on the appliance and beyond it if a web shell is found.
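The web-shell check described above can be reduced to a simple triage: walk the appliance's PHP web roots, flag any `.php` file that is not in a known-good baseline, and flag any file whose contents look like a shell. The script below is an added example written for this page, not Fox-IT's or DIVD's published tooling; the web-root paths, the baseline file list and the sample files it builds in a temporary directory are all constructed assumptions for illustration, and a real baseline should be generated from a clean image of the same NetScaler build.

```python
"""Triage a NetScaler filesystem copy for PHP web shells.

Added example, not Fox-IT/DIVD tooling. WEB_ROOTS, BASELINE and the sample
files are assumptions constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Assumed web roots to walk, relative to the image root (illustrative).
WEB_ROOTS = ("netscaler/ns_gui", "var/vpn", "var/netscaler/logon")

# Constructed baseline: PHP files a clean install is expected to contain.
# In practice, generate this from a known-good image of the same build.
BASELINE = {
    "netscaler/ns_gui/vpn/index.php",
    "netscaler/ns_gui/epa/epa.php",
}

# Content heuristics common to PHP web shells (matched as bytes so that
# arbitrary binary garbage in a file does not raise a decode error).
SHELL_PATTERNS = {
    "eval of decoded payload": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "command execution from request": re.compile(
        rb"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("
        rb"[^;]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"),
    "assert/create_function on request data": re.compile(
        rb"\b(?:assert|create_function)\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)"),
}


def scan_image(image_root: Path) -> list[dict]:
    """Return one finding per suspicious PHP file under the assumed web roots.

    A file is reported if it is absent from the baseline (an unknown file
    dropped next to legitimate content is the typical pattern) or if its
    contents match a shell heuristic. Patching the appliance does not touch
    these files, so the scan is just as relevant on an already-patched box.
    """
    findings = []
    for web_root in WEB_ROOTS:
        base = image_root / web_root
        if not base.is_dir():
            continue
        for path in base.rglob("*.php"):
            rel = path.relative_to(image_root).as_posix()
            reasons = []
            if rel not in BASELINE:
                reasons.append("php file not in baseline")
            data = path.read_bytes()
            for label, pattern in SHELL_PATTERNS.items():
                if pattern.search(data):
                    reasons.append(label)
            if reasons:
                # mtime is worth recording: it can be correlated with the
                # exploitation window and with web server access logs.
                findings.append({"path": rel, "reasons": reasons,
                                 "mtime": int(path.stat().st_mtime)})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample image: one legitimate file, two shells, one unknown file.
SAMPLE_FILES = {
    "netscaler/ns_gui/vpn/index.php": b"<?php include 'login.inc'; ?>\n",
    "netscaler/ns_gui/vpn/js/help.php":
        b"<?php eval(base64_decode($_POST['x'])); ?>\n",
    "var/vpn/themes/Default/custom.php": b"<?php echo 'hello'; ?>\n",
    "var/netscaler/logon/LogonPoint/uiareas/ui.php":
        b"<?php if(isset($_GET['c'])){system($_GET['c']);} ?>\n",
}


def build_sample_image(image_root: Path) -> None:
    """Write the constructed sample files under image_root."""
    for rel, content in SAMPLE_FILES.items():
        target = image_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> list[dict]:
    """Build the sample image in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_image(root)
        return scan_image(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run against a mounted copy of the appliance filesystem by calling `scan_image(Path("/mnt/netscaler"))`. A hit on the baseline check alone is not proof of compromise (custom themes and vendor hotfixes add files too), but every unknown PHP file in a web root deserves a look at its contents and its creation time, and any file matching a content heuristic should be treated as a confirmed web shell until shown otherwise.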

The incident highlights the ongoing challenge of securing edge devices such as NetScalers, as attackers exploit vulnerabilities before patches can be applied. 

This development emerged just one week after the Shadowserver Foundation announced that it detected nearly 7000 exposed and unpatched instances of NetScaler ADC and Gateway.
