Rewterz Threat Update – A Malicious Campaign Compromised Around 2,000 Citrix NetScaler Servers

Severity

High

Analysis Summary

A substantial cybersecurity incident has come to light involving the exploitation of nearly 2,000 Citrix NetScaler servers through the critical-severity remote code execution vulnerability known as CVE-2023-3519. The fact that more than 1,200 servers were already backdoored before administrators had the opportunity to install the patch to address the vulnerability. Even more concerning is the ongoing exploitation of these compromised systems because they have not been checked for signs of successful exploitation.

The vulnerability, which received a patch on July 18, had been exploited by hackers as a zero-day, allowing them to execute code without authentication. The United States Cybersecurity and Infrastructure Security Agency (CISA) also reported instances where this vulnerability was exploited to breach critical infrastructure organizations in the U.S.

Investigations revealed that this campaign involved planting webshells on Citrix NetScaler servers vulnerable to CVE-2023-3519. Despite the patch being available, the adversaries were able to compromise a substantial number of servers. Scans were conducted using details from the discovered webshells, enabling the researchers to identify affected devices. The scan scope began with just vulnerable systems but was later expanded to Citrix instances that had received the update to address CVE-2023-3519. This scan revealed a staggering 1,952 NetScaler servers compromised by the same web shells discovered earlier, indicating an automated and large-scale approach by the attackers.

The compromised servers constituted more than 6% of the total vulnerable Citrix NetScaler instances worldwide at the height of the campaign. Among these compromised servers, 1,828 remained backdoored on August 14, and 1,247 had been patched after the initial breach. The situation varied across different countries, with Germany having the highest number of compromised servers, followed by France and Switzerland.

While the number of compromised servers is reportedly declining, the threat still persists. Researchers emphasized that patched NetScaler servers could still have backdoors, urging administrators to conduct basic triage on their systems. To assist in detection and response, tools were provided by researchers to identify indicators of compromise associated with attacks exploiting CVE-2023-3519. However, caution is advised when utilizing these tools, as certain repeated script runs could generate false positives in NetScaler logs.

Impact

• Code Execution
• Exposure of Sensitive Data

Affected Vendor

• Citrix

Affected Product

• Citrix NetScaler Gateway 12.1
• Citrix ADC 12.1
• Citrix ADC 12.1-FIPS
• Citrix ADC 12.1-NDcPP

Indicators of Compromise

CVE

• CVE-2023-3519

Remediation

• Refer to Citrix Security Advisory for patch, upgrade or suggested workaround information.
• Activate an incident response plan for effective containment, eradication, and recovery procedures.
• Conduct a thorough assessment to identify and remove any planted web shells or backdoors.
• Continuously monitor network traffic and logs for signs of ongoing compromise.
• Educate users on phishing and safe practices to prevent initial infection vectors.
• Regularly back up critical data and configurations to enable swift recovery.
• Implement network segmentation to isolate critical systems from potential threats.
• Collaborate with vendors and experts for the latest threat intelligence and patches.
• Ensure compliance with data protection regulations, especially if sensitive data was compromised.