Recent reports indicate that almost 2,000 Citrix NetScaler instances have been compromised through the exploitation of a newly disclosed critical security vulnerability. This backdoor attack forms part of an extensive exploitation campaign targeting these widely used servers.

The NCC Group has identified that adversaries leveraged CVE-2023-3519 to automate the deployment of web shells on vulnerable NetScalers, affording them continuous access. They noted that even if a NetScaler is patched or restarted, the adversaries retain the ability to execute arbitrary commands via these web shells. This vulnerability pertains to a critical code injection issue affecting NetScaler ADC and Gateway servers, potentially enabling unauthenticated remote code execution. Citrix issued a patch addressing this vulnerability last month.

This alarming development follows a report from the Shadowserver Foundation, which disclosed the existence of nearly 7,000 vulnerable NetScaler ADC and Gateway instances still online. The identified flaw has been exploited to deploy PHP web shells, granting attackers remote access to vulnerable servers. A subsequent analysis by NCC Group confirmed that out of the remaining 1,828 backdoored NetScaler servers, roughly 1,248 had already been patched.

While many administrators promptly acted to patch their systems, the NCC Group reported that several of them failed to check for signs of successful exploitation. It appears that across 1,952 unique NetScaler appliances, approximately 2,491 web shells have been detected. The majority of these compromised systems are located in countries including Germany, France, Switzerland, Japan, Italy, Spain, the Netherlands, Ireland, Sweden, and Austria.

Interestingly, despite the prevalence of vulnerable servers in the U.S., Canada, and Russia, no web shells were discovered in their respective NetScaler installations. The extensive exploitation campaign has reportedly affected about 6.3% of the 31,127 NetScaler instances identified as susceptible to CVE-2023-3519 as of July 21, 2023.

In light of these events, Mandiant has released an open-source tool designed to assist organizations in scanning their Citrix appliances for signs of post-exploitation activity related to this critical vulnerability.

In analyzing the tactics employed in this attack, it is evident that adversaries gained initial access by exploiting the vulnerability and then established persistence by deploying web shells. Mapping these two stages to the relevant MITRE ATT&CK techniques gives a clearer picture of how the attackers operated during this campaign.

As organizations navigate the evolving threats in the cybersecurity landscape, vigilance in both patch management and verification of potential exploitation is essential in safeguarding systems against similar attacks: a patch closes the vulnerability but does not remove a web shell that was planted before the patch was applied. Furthermore, the importance of proactive monitoring and timely incident response cannot be overstated, as the fallout from such vulnerabilities can be substantial. Businesses in the affected countries in particular must ensure they are equipped to confront these persistent threats with the appropriate defenses and strategies in place.