Several threat actors are capitalizing on a critical vulnerability in Citrix networking products, even after Citrix rolled out a patch for its NetScaler ADC and NetScaler Gateway three weeks ago. Researchers have found that nearly 7,000 instances are still exposed online, with about 460 of these having web shells installed, indicating a likely compromise. The vulnerability in question is CVE-2023-3519, a critical zero-day with a CVSS score of 9.8, which allows unauthenticated remote code execution (RCE) in Citrix's NetScaler ADC and NetScaler Gateway products.
Since the patch was issued, various researchers have shown how this vulnerability can be exploited. Attackers have been quick to exploit this flaw, installing hundreds of web shells within corporate networks and executing numerous exploits. Shadowserver Foundation data reveals that thousands of exposed NetScaler instances remain unpatched, leaving many organizations vulnerable to attackers who are installing web shells and executing commands on internal networks.
Piotr Kijewski, the CEO at Shadowserver, commented, "It's a complex case, given that Citrix is used in a lot of prominent organizations... We saw quite a few big names that were still vulnerable even a few days ago, including hospitals — these kinds of important institutions. So the potential consequences could be big, if somebody attacks these organizations with ransomware a month from now."
At its peak, Shadowserver tracked nearly 18,000 exposed, unpatched NetScaler ADC and Gateway IPs. This number has been decreasing steadily, but not rapidly, with nearly 7,000 still remaining today, mainly located in North America (2,794) and Europe (2,670). Over the past few weeks, researchers have documented cases of hackers actively compromising these exposed network devices.
Shortly after the initial disclosure, Shadowserver discovered nearly 700 web shells installed on NetScaler IPs, presumed to be associated with CVE-2023-3519 compromises. This number has since decreased, but only by 33%. While initial compromises were mostly in the EU region, the majority of IPs still exposed as of Monday are in the United States.
Shadowserver honeypots recorded an increase in the number of active exploitation attempts, with a dozen cases on Sunday alone. Kijewski anticipates more compromises in the future, both for this CVE and others like it. He refers to this spring's MOVEit file transfer vulnerability as a model. He stated, "Threat actors — whether state-sponsored or criminal groups — are dedicating time, money, resources, and skills to this... Now even the criminal groups seem to be interested in really targeted vulnerabilities, and reversing them themselves, specifically against code that is usually run in large organizations."
Shadowserver advises that Citrix customers engage their incident response teams and, if compromised, either set up a new system from scratch or reboot from a safe backup or snapshot. They warn that today's web shells could be the source of future cyberattacks. "We expect these webshells to be utilized when the timing suits the attacker... Make sure you fix your Citrix device before the attacker does it for you," Shadowserver wrote in its latest update.
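The remediation advice above rests on the defender being able to tell a known-good appliance image from one that has had files dropped onto it. The following is an added example of that check, written for this article and not tooling from Shadowserver or Citrix: it builds a SHA-256 manifest of a known-good tree, builds one from a live copy, and reports files that appeared, changed, or vanished. All directory names and file contents are constructed for the demo; they are not real NetScaler paths, and the "baseline" is assumed to have been captured from a clean image before exposure.

```python
"""Baseline-vs-live file integrity check for spotting unexpected files (such as
web shells) on an appliance after a suspected compromise.

Added example for this article; it is not Shadowserver's or Citrix's tooling.
Assumptions: the operator captured a baseline manifest (relative path -> SHA-256)
from a known-good image, and can run this against a copy of the live filesystem.
The directory paths below are constructed for the demo, not real NetScaler paths.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large appliance files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, live):
    """Return sorted lists of files that appeared, changed, or vanished since baseline.

    'added' is the list an incident responder looks at first: a file that was never
    part of the shipped image is the usual shape of a dropped web shell.
    """
    added = sorted(p for p in live if p not in baseline)
    missing = sorted(p for p in baseline if p not in live)
    modified = sorted(p for p in live if p in baseline and live[p] != baseline[p])
    return {"added": added, "modified": modified, "missing": missing}


def _write(root, rel, data):
    """Create rel under root (creating parent directories) with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Simulate a known-good tree and a 'live' tree with one dropped file and one
    tampered file; returns the comparison so a caller can assert on it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "golden")
        live = os.path.join(tmp, "live")
        # Constructed web content shared by both trees; names are placeholders.
        for root in (good, live):
            _write(root, "www/index.html", b"<html>portal</html>")
            _write(root, "www/scripts/login.js", b"console.log('login');")
        # Constructed post-compromise changes applied only to the live copy:
        # one new hidden file, one existing page with content appended.
        _write(live, "www/scripts/.cache.php", b"placeholder: unexpected file contents")
        _write(live, "www/index.html", b"<html>portal</html><!-- appended -->")
        return compare_manifests(build_manifest(good), build_manifest(live))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is generated once from a freshly installed, patched image and stored off the appliance, so that an attacker who already has a shell on the device cannot also rewrite the reference hashes; the live manifest is then taken from a disk image or a read-only copy rather than from the running, possibly tampered, system. Any file in the `added` list that is not explained by a legitimate change is grounds to follow the article's advice and rebuild rather than clean in place.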