Researchers have found an expansive and active threat campaign that exploited a severe Citrix NetScaler vulnerability to backdoor thousands of devices, including those that were subsequently patched.
Attackers automated the exploitation of the remote code execution vulnerability, tracked as CVE-2023-3519, to place web shells on vulnerable devices. These were found to persist through patches and reboots.
Approximately 69% of the backdoored NetScalers were no longer vulnerable to CVE-2023-3519 at the time of their discovery, prompting researchers to warn administrators who have already dealt with the Citrix patch not to be lulled into a false sense of security.
The campaign was brought to light by NCC Group and its subsidiary Fox-IT, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD).
Both organizations had been looking into Citrix’s NetScaler Gateway vulnerabilities to establish evidence of exploitation in the wild, which led them to uncover dormant web shells.
In response, the two collaborated on a scan of internet-exposed NetScalers.
Researchers had initially limited their focus to devices that had not been patched at the time of Citrix’s initial disclosure, but upon widening the scan to include patched devices were shocked to discover more than 2,000 IP addresses that had been backdoored with the web shell.
The campaign is believed to have been launched between 20 and 21 July, at which time approximately 31,127 NetScalers were still vulnerable to CVE-2023-3519.
NCC Group stated that as of 14 August, 1,828 NetScalers still contained backdoors out of a total 1,952 devices that the teams identified as compromised.
Help your organization ensure operational resilience by identifying nine best practices for building and maintaining it across the enterprise.
The DIVD reached out to affected organizations starting on 10 August. Devices in Germany, France, and Switzerland ranked the highest for compromise out of the affected countries, with the vast majority of NetScalers that were backdoored being located in Europe.
Citrix issued a bulletin in July in which it disclosed three vulnerabilities affecting NetScaler Gateway and ADC products. The firm urged customers with affected devices to install the latest updates.
CVE-2023-3519 was the worst of the three, carrying a near-maximum CVSSv3 score of 9.8 and allowing hackers to perform remote code execution.
NCC Group advised admins to perform a vigorous scan of the known indicators of compromise (IOCs) on their NetScaler devices even if they had applied the July patch.
Fox-IT has made a Python script for performing triage on NetScalers publicly available via its GitHub repository, and Mandiant has similarly published a bash script that checks for IOCs.
Researchers advised IT teams to treat any evidence of the web shell having been used with the utmost seriousness and recommended that in this circumstance a wider investigation should be undertaken to rule out lateral attacks throughout an organization’s IT environment.
ITPro has approached Citrix for more information.
