Massive Hacking Campaign Targets Nearly 2,000 Citrix NetScaler Servers
August 15, 2023
An extensive hacking campaign has compromised nearly 2,000 Citrix NetScaler servers. The threat actor exploited a severe remote code execution vulnerability, CVE-2023-3519, to gain control. Over 1,200 servers were backdoored before the patch was applied, and they remain compromised due to a lack of post-exploitation checks.
The campaign was discovered by security researchers from Fox-IT, part of the NCC Group, and the Dutch Institute for Vulnerability Disclosure (DIVD). They found that web shells had been planted on Citrix NetScaler servers vulnerable to CVE-2023-3519. Citrix released a patch on July 18, but attackers had already been exploiting the flaw as a zero-day to execute code without authentication.
On July 21, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the vulnerability being used to breach a critical infrastructure organization in the U.S. The Shadowserver Foundation, a non-profit organization, found that over 640 Citrix NetScaler servers had been infected with web shells for remote access and persistence.
Fox-IT responded to multiple incidents related to CVE-2023-3519 exploitation and discovered servers compromised with various web shells. Using the details about the backdoors, Fox-IT and DIVD scanned the internet for devices with the web shells installed. Administrators can identify the researchers' scans by checking the Citrix HTTP access logs for the user-agent DIVD-2023-00033.
The scans initially only considered vulnerable systems but later expanded to Citrix instances that received the update to address CVE-2023-3519. This revealed 1,952 NetScaler servers backdoored with the same web shells found by Fox-IT, suggesting that the adversary used an automated method to exploit the vulnerability on a large scale.
In a broader context, the 1,952 backdoored servers represent more than 6% of the 31,127 Citrix NetScaler instances vulnerable to CVE-2023-3519 globally when the campaign was active. Of the compromised servers, Fox-IT reports that 1,828 remained backdoored on August 14 and that 1,247 had been patched after the hackers planted the web shells.
On August 10, Fox-IT and DIVD began reaching out to organizations, either directly or through national CERTs, about compromised NetScaler instances on their network. The largest number of compromised Citrix NetScaler servers, both patched and unpatched, was in Germany, followed by France and Switzerland. Fox-IT notes that Europe is the most affected, with only two of the top 10 affected countries from a different region of the world.
While Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers on July 21, compromising web shells were found on almost none of them. Fox-IT states that the number of affected Citrix NetScaler servers is declining, but there are still many compromised instances.
The researchers caution that a patched NetScaler server can still carry a backdoor and recommend that administrators perform basic triage on their systems. They provide a Python script that uses the Dissect forensics and incident response toolkit. Mandiant has also released a scanner that looks for indicators of compromise related to attacks exploiting CVE-2023-3519. However, Mandiant warns that running this Bash script twice produces false positives because 'certain searches get written into the NetScaler logs whenever the script is run.'
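As an added illustration of the log check described above (identifying the DIVD scans by their user-agent) and of the basic triage the researchers recommend, the following script is not part of the article or of the Fox-IT/DIVD tooling. It assumes the access log is in Apache combined log format and uses constructed sample lines; the only value taken from the article is the user-agent string DIVD-2023-00033.

```python
import re
from collections import Counter

# User-agent the researchers' internet-wide scans identify themselves with (from the article).
DIVD_SCAN_UA = "DIVD-2023-00033"

# Combined-log-format parser. Assumption: the access log uses this layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses), not real NetScaler output.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2023:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "DIVD-2023-00033"
198.51.100.7 - - [10/Aug/2023:09:12:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "DIVD-2023-00033"
203.0.113.45 - - [10/Aug/2023:09:15:33 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is malformed and must be skipped rather than crash the triage
198.51.100.7 - - [11/Aug/2023:14:03:10 +0000] "GET / HTTP/1.1" 200 512 "-" "DIVD-2023-00033"
"""


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def split_researcher_scans(entries):
    """Separate the DIVD scan hits (expected, benign) from all other requests."""
    scans, others = [], []
    for e in entries:
        (scans if e["ua"] == DIVD_SCAN_UA else others).append(e)
    return scans, others


def summarize(entries):
    """Count requests per client address for a quick triage overview."""
    return Counter(e["client"] for e in entries)


if __name__ == "__main__":
    scans, others = split_researcher_scans(parse_access_log(SAMPLE_LOG))
    print("DIVD scan hits per client:", dict(summarize(scans)))
    print("remaining requests per client:", dict(summarize(others)))
```

Pointing the script at the real access log (instead of SAMPLE_LOG) separates the researchers' scan traffic from everything else, so that the remaining requests can be reviewed on their own.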