Patch-resistant autonomous exploits of Citrix NetScaler hardware hit thousands in Europe

A phone showing the Citrix logo in black against a white background. It is held in the hand of an unseen person, with blurred blue stock graphs in the background.
(Image credit: Getty Images)

Researchers have found an expansive and active threat campaign that exploited a severe Citrix NetScaler vulnerability to backdoor thousands of devices, including those that were subsequently patched.

Attackers automated the exploitation of the remote code execution vulnerability, tracked as CVE-2023-3519, to place web shells on vulnerable devices. These were found to persist through patches and reboots.

Approximately 69% of the backdoored NetScalers were no longer vulnerable to CVE-2023-3519 at the time of their discovery, prompting researchers to warn administrators who have already dealt with the Citrix patch not to be lulled into a false sense of security.

The campaign was brought to light by NCC Group and its subsidiary Fox-IT, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD).

Both organizations had been looking into Citrix’s NetScaler Gateway vulnerabilities to establish evidence of exploitation in the wild, which led them to uncover dormant web shells. 

In response, the two collaborated on a scan of internet-exposed NetScalers. 

Researchers had initially limited their focus to devices that had not been patched at the time of Citrix’s initial disclosure, but upon widening the scan to include patched devices were shocked to discover more than 2,000 IP addresses that had been backdoored with the web shell.

The campaign is believed to have been launched between 20 and 21 July, at which time approximately 31,127 NetScalers were still vulnerable to CVE-2023-3519.

NCC Group stated that as of 14 August, 1,828 NetScalers still contained backdoors out of a total 1,952 devices that the teams identified as compromised.

RELATED RESOURCE

Whitepaper: Anticipate, prevent, and minimize the impact of business disruptions, with image of two male colleagues in coats looking at a mobile phone

(Image credit: ServiceNow)

Help your organization ensure operational resilience by identifying nine best practices for building and maintaining it across the enterprise.

DOWNLOAD FOR FREE

The DIVD reached out to affected organizations starting on 10 August. Devices in Germany, France, and Switzerland ranked the highest for compromise out of the affected countries, with the vast majority of NetScalers that were backdoored being located in Europe.

Citrix issued a bulletin in July in which it disclosed three vulnerabilities affecting NetScaler Gateway and ADC products. The firm urged customers with affected devices to install the latest updates.

CVE-2023-3519 was the worst of the three, carrying a near-maximum CVSSv3 score of 9.8 and allowing hackers to perform remote code execution.

NCC Group advised admins to perform a vigorous scan of the known indicators of compromise (IOCs) on their NetScaler devices even if they had applied the July patch. 

Fox-IT has made a Python script for performing triage on NetScalers publicly available via its GitHub repository, and Mandiant has similarly published a bash script that checks for IOCs.

Researchers advised IT teams to treat any evidence of the web shell having been used with the utmost seriousness and recommended that in this circumstance a wider investigation should be undertaken to rule out lateral attacks throughout an organization’s IT environment. 

ITPro has approached Citrix for more information.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.

TOPICS