Hackers Backdoor 1,900 Citrix NetScaler Devices
Hackers have been conducting a mass exploitation campaign targeting Citrix NetScalers to exploit a critical vulnerability tracked as CVE-2023-3519. The automated exploitation campaign compromises NetScalers and installs web shells to provide a persistent backdoor into systems. The web shell allows the threat actor to execute arbitrary commands on compromised systems, even when the patch is applied to fix the vulnerability.
The vulnerability affects Citrix Application Delivery Controller and Gateway appliances configured as gateway servers and was disclosed by Citrix on July 18, 2023. A patch was released to fix the vulnerability and Citrix warned at the time that there had been limited exploitation of the vulnerability in the wild, although no details were released about the extent of the exploitation. Since then, several security firms have reported cases of exploitation of the flaw.
Researchers at the cybersecurity company Fox-IT, part of NCC Group, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD), have been trying to identify the compromised systems and alert the affected companies. The researchers report that at the time of the exploitation campaign, 31,127 NetScalers were found to be vulnerable to the CVE-2023-3519 vulnerability and as of August 14, 2023, 1,900 NetScalers were discovered to have been compromised and backdoored. 1,248 of those NetScalers had been patched to fix the vulnerability, and even though patched, access was still possible through the web shell.
The researchers have warned NetScaler administrators to perform a check of Indicators of Compromise (IoCs), regardless of whether the vulnerability has been patched. The Fox-IT researchers have released a Python script that uses Dissect to perform triage on forensic images of NetScalers, and Mandiant has released a bash script that will check for IoCs on live systems.
If a web shell is detected, the researchers recommend making a forensic copy of the disk and the memory of the appliance before any remediation or investigative actions are done, and to investigate whether the web shell has been used to perform any activities. Usage of the web shell should be visible in NetScaler access logs. If there are indications that the web shell has been used, a wider investigation is required to determine if the attackers have moved laterally from the appliance and have compromised other systems.
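The article notes that any use of a web shell should show up in the appliance's access logs. As an added illustration of the kind of triage a defender would run over those logs (this is not the Fox-IT or Mandiant tooling the article refers to), the script below parses constructed sample lines in a generic NCSA-style layout (an assumption; the real NetScaler access log format may differ) and flags requests to script files that are not in a known-good baseline of paths the appliance legitimately serves. The baseline set, the sample log lines and the IP addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log lines (NCSA combined-style layout is an
# assumption for this example, not the documented NetScaler format).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2023:10:01:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2023:10:01:15 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2023:10:05:40 +0000] "POST /vpn/themes/example.php?x=1 HTTP/1.1" 200 312 "-" "curl/8.1.2"
198.51.100.9 - - [14/Aug/2023:10:05:44 +0000] "POST /vpn/themes/example.php HTTP/1.1" 200 1024 "-" "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical baseline of server-side script paths the appliance is expected
# to serve. In practice this would be built from a known-good appliance of the
# same firmware build, not typed by hand.
KNOWN_SCRIPTS = {"/cgi/login", "/cgi/logout"}

# Extensions that indicate server-side execution rather than static content.
SCRIPT_EXT = (".php", ".pl", ".cgi", ".py", ".sh")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip any query string so the path can be compared against the baseline.
    rec["bare_path"] = rec["path"].split("?", 1)[0]
    return rec


def is_script_path(bare_path):
    """True if the path ends in an extension associated with server-side scripts."""
    return bare_path.lower().endswith(SCRIPT_EXT)


def find_suspicious(log_text, baseline=KNOWN_SCRIPTS):
    """Return records for requests to script paths that are not in the baseline.

    A request to an unknown script path on an appliance is worth a closer look
    regardless of whether the CVE-2023-3519 patch has been applied, since the
    article notes the web shell survives patching.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_script_path(rec["bare_path"]) and rec["bare_path"] not in baseline:
            rec["reason"] = "script path not in appliance baseline"
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per (source IP, path) to prioritise investigation."""
    return Counter((h["ip"], h["bare_path"]) for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["bare_path"]} -> {h["status"]} ({h["reason"]})')
    for (ip, path), n in summarize(flagged).items():
        print(f"{ip} hit {path} {n} time(s)")
```

Treat any hit as a lead, not a verdict: the next step is the one the article describes, capturing disk and memory before remediation and then checking whether the flagged requests line up with the web shell's file on disk and with any follow-on activity from the same source.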