Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
A substantial cybersecurity incident has come to light involving the exploitation of nearly 2,000 Citrix NetScaler servers through the critical-severity remote code execution vulnerability known as CVE-2023-3519. More than 1,200 of these servers were already backdoored before administrators had the opportunity to install the patch that addresses the vulnerability. Even more concerning, exploitation of these compromised systems is ongoing because they have not been checked for signs of successful exploitation.
The vulnerability, which received a patch on July 18, had been exploited by hackers as a zero-day, allowing them to execute code without authentication. The United States Cybersecurity and Infrastructure Security Agency (CISA) also reported instances where this vulnerability was exploited to breach critical infrastructure organizations in the U.S.
Investigations revealed that this campaign involved planting webshells on Citrix NetScaler servers vulnerable to CVE-2023-3519. Despite the patch being available, the adversaries were able to compromise a substantial number of servers. Scans were conducted using details from the discovered webshells, enabling the researchers to identify affected devices. The scan scope began with only vulnerable systems but was later expanded to Citrix instances that had already received the update addressing CVE-2023-3519. This scan revealed 1,952 NetScaler servers compromised by the same webshells discovered earlier, indicating an automated and large-scale approach by the attackers.
The compromised servers constituted more than 6% of the total vulnerable Citrix NetScaler instances worldwide at the height of the campaign. Among these compromised servers, 1,828 remained backdoored on August 14, and 1,247 had been patched after the initial breach. The situation varied across different countries, with Germany having the highest number of compromised servers, followed by France and Switzerland.
While the number of compromised servers is reportedly declining, the threat still persists. Researchers emphasized that NetScaler servers patched after the initial breach could still carry backdoors, and urged administrators to conduct basic triage on their systems rather than relying on the patch alone. To assist in detection and response, researchers provided tools to identify indicators of compromise associated with attacks exploiting CVE-2023-3519. However, caution is advised when using these tools, as repeated runs of certain scripts can themselves generate entries in NetScaler logs that resemble indicators of compromise, producing false positives.