The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hackers Backdoor 1,900 Citrix NetScaler Devices

Hackers have been conducting a mass exploitation campaign targeting Citrix NetScalers to exploit a critical vulnerability tracked as CVE-2023-3519. The automated exploitation campaign compromises NetScalers and installs web shells to provide a persistent backdoor into systems. The web shell allows the threat actor to execute arbitrary commands on compromised systems, even when the patch is applied to fix the vulnerability.

The vulnerability affects Citrix Application Delivery Controller and Gateway appliances configured as gateway servers and was disclosed by Citrix on July 18, 2023. A patch was released to fix the vulnerability and Citrix warned at the time that there had been limited exploitation of the vulnerability in the wild, although no details were released about the extent of the exploitation. Since then, several security firms have reported cases of exploitation of the flaw.

Researchers at the cybersecurity company Fox-IT, part of NCC Group, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD), have been trying to identify the compromised systems and alert the affected companies. The researchers report that at the time of the exploitation campaign, 31,127 NetScalers were found to be vulnerable to the CVE-2023-3519 vulnerability and as of August 14, 2023, 1,900 NetScalers were discovered to have been compromised and backdoored. 1,248 of those NetScalers had been patched to fix the vulnerability, and even though patched, access was still possible through the web shell.

The researchers have warned NetScaler administrators to perform a check of Indicators of Compromise (IoCs), regardless of whether the vulnerability has been patched. The Fox-IT researchers have released a Python script that uses Dissect to perform triage on forensic images of NetScalers, and Mandiant has released a bash script that will check for IoCs on live systems.


If a web shell is detected, the researchers recommend making a forensic copy of the disk and the memory of the appliance before any remediation or investigative actions are done, and to investigate whether the web shell has been used to perform any activities. Usage of the web shell should be visible in NetScaler access logs. If there are indications that the web shell has been used, a wider investigation is required to determine if the attackers have moved laterally from the appliance and have compromised other systems.
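The log-review step the researchers describe, checking the appliance access log for signs that a dropped web shell was reached, as an added example that is neither Fox-IT's Dissect triage script nor Mandiant's bash IoC checker: a small Python parser for Apache combined-format access log lines (assumed here to match the NetScaler HTTP access log layout; adjust the regex if yours differs) that flags requests for server-side script paths the appliance is not known to ship and records whether the request was served. The sample log lines, the source addresses, the `/vpn/EXAMPLE_unknown.php`, `/vpn/probe.php` and `/EXAMPLE/shipped.php` paths and the allowlist are constructed placeholders; a real allowlist has to be built from a known-good appliance of the same firmware build.

```python
import re
from dataclasses import dataclass

# Apache "combined" access log format. Assumption: the appliance's HTTP access
# log uses this layout; change the pattern if your log differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allowlist: script paths a clean appliance legitimately serves.
# Populate the real list from a known-good appliance of the same build.
KNOWN_SCRIPT_PATHS = {"/EXAMPLE/shipped.php"}

# Extensions that indicate a server-side script rather than static content.
SCRIPT_SUFFIXES = (".php", ".pl", ".cgi")

# Constructed sample lines; every address and path here is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2023:10:01:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2023:10:03:44 +0000] "GET /vpn/EXAMPLE_unknown.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [14/Aug/2023:10:03:51 +0000] "POST /vpn/EXAMPLE_unknown.php?c=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
10.0.0.6 - - [14/Aug/2023:10:05:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Aug/2023:10:06:40 +0000] "GET /EXAMPLE/shipped.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2023:10:07:19 +0000] "GET /vpn/probe.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    served: bool  # True when the script answered 200, i.e. the file exists and ran


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_requests(log_text, known_paths=KNOWN_SCRIPT_PATHS):
    """Flag every request for a server-side script the appliance is not known to ship.

    A request for an unexpected script that is answered with 200 is the trace a
    dropped web shell leaves in the access log; a 404 for such a path is still
    worth noting because it shows someone probing for one.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.lower().endswith(SCRIPT_SUFFIXES):
            continue
        if path in known_paths:
            continue
        hits.append(Hit(rec["ip"], rec["ts"], rec["method"], path,
                        rec["status"], rec["status"] == 200))
    return hits


def sources(hits):
    """Count flagged requests per source address to see which clients reached the script."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        flag = "SERVED" if h.served else "not served"
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} ({flag})")
    print("per-source counts:", sources(find_suspicious_requests(SAMPLE_LOG)))
```

Run it against a copy of the access log taken from the forensic image rather than from the live appliance, so the review does not alter evidence. Any served hit means the flagged path needs to be pulled from the disk image and the client addresses that reached it carried into the wider investigation for lateral movement.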

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
