In a series of ongoing attacks, over 640 Citrix NetScaler ADC and Gateway servers have been compromised. The attacks have exploited a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519. This vulnerability was used as a zero-day to infiltrate the network of a critical infrastructure organization in the United States. The Shadowserver Foundation, a non-profit organization committed to improving internet security, has disclosed that web shells have been deployed on at least 640 Citrix servers during these attacks.
The Shadowserver Foundation's CEO, Piotr Kijewski, has stated that the deployed web shells are similar to the standard China Chopper, although further details have not been disclosed. Kijewski also noted that the number of detected web shells is lower than the actual number believed to be out there.
The Shadowserver Foundation has warned of widespread exploitation since July 20th. If patches were not applied by then, the Foundation advises assuming compromise. It also believes that the actual number of web shells related to CVE-2023-3519 is much higher than the 640 reported.
Two weeks prior, approximately 15,000 Citrix appliances were vulnerable to CVE-2023-3519 attacks. However, this figure has since decreased to under 10,000, indicating some progress in mitigating the vulnerability.
On July 18th, Citrix released security updates to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances. The company urged its customers to install the patches without delay. The vulnerability mainly affects unpatched NetScaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as authentication (AAA) virtual servers.
In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities on the same day, CVE-2023-3466 and CVE-2023-3467. These vulnerabilities could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root, respectively.
In response to the ongoing attacks, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies to secure Citrix servers on their networks by August 9th. CISA also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.
CISA reported, 'In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.'