Recent reports indicate that numerous Citrix NetScaler ADC and Gateway servers have suffered breaches orchestrated by cybercriminals deploying web shells. This information comes from the Shadowserver Foundation, which highlights a worrying trend in cybersecurity threats.

The attacks exploit CVE-2023-3519, a critical code injection vulnerability (CVSS 9.8) that allows unauthenticated remote code execution on appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Citrix patched it on July 18, 2023. Any appliance that was internet-exposed and unpatched after exploitation began should be treated as potentially compromised, not merely as in need of an update.

Most of the affected IP addresses are in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil, so enterprises in those countries are the most likely to be running a compromised appliance.

CISA had already warned, in an advisory published in July 2023, that CVE-2023-3519 was exploited as a zero-day against a critical infrastructure organization in June 2023, before a patch existed, which further underlines the urgency of addressing this vulnerability.

GreyNoise, meanwhile, reported observing three IP addresses attempting to exploit CVE-2023-24489, a separate critical vulnerability (CVSS 9.1) in the Citrix ShareFile storage zones controller that permits unauthenticated arbitrary file upload and remote code execution. Citrix fixed it in storage zones controller version 5.11.24 and later.

Both incidents map onto familiar MITRE ATT&CK tactics: initial access through exploitation of a public-facing application (T1190) and persistence through a server software component, the web shell (T1505.003). The practical lesson is the same in each case: patch promptly, and monitor exposed appliances for signs of exploitation, because a web shell planted before the patch survives it.

Assetnote, the firm that found the ShareFile bug, described it as a simpler version of a padding oracle attack: the application processed invalid and valid padding differently, and that difference in behaviour was what the attacker exploited. The general point for defenders is that any observable difference between "padding invalid" and "padding valid" when decrypting attacker-supplied ciphertext is a cryptographic oracle, and should be treated as a vulnerability in its own right.
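The following is an added, constructed example (not ShareFile's or Assetnote's code, and not the specific ShareFile flaw) showing why "invalid versus valid padding" behaviour matters: a server that lets the padding result reach the client, the classic attack that turns those two answers into full plaintext recovery, and a hardened server that authenticates the ciphertext before touching it and gives one response for every failure. The block cipher is a deliberately weak toy stand-in for AES (XOR with key plus a byte rotation) so the script runs on the standard library alone; the names, keys and the "secret token" plaintext are all assumptions made for the demo.

```python
"""Constructed CBC padding-oracle illustration: an added example, not ShareFile's or
Assetnote's code. The toy block cipher is NOT AES; the oracle, attack and fix do not depend on it."""
import hashlib
import hmac

BLOCK = 16

def _toy_block_encrypt(key, block):
    # Toy 16-byte permutation (XOR with key, rotate left 3). NOT a real cipher.
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[3:] + x[:3]

def _toy_block_decrypt(key, block):
    x = block[-3:] + block[:-3]
    return bytes(b ^ k for b, k in zip(x, key))

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _toy_block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt_raw(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_toy_block_decrypt(key, blk), prev))
        prev = blk
    return out

def vulnerable_server(key, iv, ct):
    """Decrypts unauthenticated input and lets the padding result reach the client."""
    try:
        pkcs7_unpad(cbc_decrypt_raw(key, iv, ct))
    except ValueError:
        return "400 bad padding"   # distinguishable from success: this is the oracle
    return "200 ok"

def padding_oracle_attack(oracle, iv, ct):
    """Recover the plaintext of (iv, ct) using only the oracle's two answers."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for b in range(1, len(blocks)):
        prev, target = blocks[b - 1], blocks[b]
        inter = bytearray(BLOCK)   # D(target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad   # make every byte after pos decrypt to pad
            for guess in range(256):
                forged[pos] = guess
                if oracle(bytes(forged), target) != "200 ok":
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte may be a longer padding (02 02, ...);
                    # disturbing the byte before it leaves only a true 01 valid.
                    forged[pos - 1] ^= 1
                    still_ok = oracle(bytes(forged), target) == "200 ok"
                    forged[pos - 1] ^= 1
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
        recovered += bytes(i ^ p for i, p in zip(inter, prev))
    return pkcs7_unpad(recovered)

def tag_for(mac_key, iv, ct):
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def hardened_server(enc_key, mac_key, iv, ct, tag):
    """Encrypt-then-MAC: authenticate before decrypting, one response for any failure."""
    if not hmac.compare_digest(tag_for(mac_key, iv, ct), tag):
        return "400 rejected"
    try:
        pkcs7_unpad(cbc_decrypt_raw(enc_key, iv, ct))
    except ValueError:
        return "400 rejected"
    return "200 ok"

def demo():
    # Constructed demo values; the attacker knows iv and ct but not key.
    key, iv = bytes(range(1, 17)), bytes(range(100, 116))
    ct = cbc_encrypt(key, iv, pkcs7_pad(b"secret token: 0123456789abcdef"))
    return padding_oracle_attack(lambda fiv, fct: vulnerable_server(key, fiv, fct), iv, ct)
```

Running `demo()` recovers the full plaintext with at most 256 oracle queries per byte and no knowledge of the key, which is why the distinction between "bad padding" and "ok" must never be observable. The hardened variant does not fix the padding check itself; it makes the question moot by rejecting any ciphertext whose HMAC does not verify before decryption runs, with a constant-time comparison and a single error response for every failure path.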

Update

In an update on August 7, 2023, the Shadowserver Foundation reported that nearly 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances were still exposed, and that exploitation of CVE-2023-3519 to deploy PHP web shells was continuing. Applying the patch closes the vulnerability but does not remove a web shell that is already in place, so appliances that were exposed while unpatched should be checked for compromise before being treated as clean.