Cybersecurity Threat Advisory: Citrix NetScaler servers actively being exploited
This Cybersecurity Threat Advisory highlights that nearly 2,000 Citrix NetScaler servers have been compromised through a sophisticated hacking campaign. The attackers exploited a critical vulnerability, CVE-2023-3519, to implant web shells on the targeted servers. This poses a severe threat, as the compromised servers could allow unauthorized access, data theft, and further network infiltration. Barracuda MSP recommends that Citrix NetScaler users take immediate action to mitigate the risk.
What is the threat?
The CVE-2023-3519 vulnerability affects Citrix NetScaler servers, allowing attackers to deploy malicious web shells, gain unauthorized access, and take control of the compromised servers. Citrix NetScaler is used for application delivery and load balancing, making it an attractive target for attackers aiming to compromise critical infrastructure. Exploiting this vulnerability requires the attacker to identify vulnerable instances and deploy a web shell payload, which could lead to complete control over the compromised systems.
Why is it noteworthy?
Although a security update was issued on July 18, attackers have been exploiting the vulnerability in the wild as a zero-day to execute code without authentication. This vulnerability underscores the evolving tactics of threat actors, using web shell deployment as a new attack vector. A successful compromise of these servers could lead to data breaches, unauthorized access, and potential disruption of critical services.
Using the details about the backdoors, Fox-IT and DIVD were able to scan the internet for devices that had the web shells installed. This revealed 1,952 NetScaler servers backdoored with the same web shells Fox-IT found during the incident response engagements, indicating that the adversary used an automated method to exploit the vulnerability at a large scale. Despite the vulnerability being patched, systems are still getting compromised. On August 15th, the largest number of compromised Citrix NetScaler servers, both patched and unpatched, was in Germany, followed by France and Switzerland. Fox-IT says that the number of affected Citrix NetScaler servers is declining but there are still plenty of compromised instances.
What is the exposure or risk?
If this vulnerability is exploited, attackers could gain unauthorized access to compromised servers, potentially exposing sensitive data and confidential information. Additionally, the presence of web shells gives attackers persistent access, allowing them to execute arbitrary commands and pivot within the network. This can lead to lateral movement, exfiltration of sensitive data, and potential disruption of critical services. Organizations using Citrix NetScaler servers, especially those with internet-facing applications, are particularly at risk of being compromised.
What are the recommendations?
Barracuda MSP recommends the following actions to protect your environment against this vulnerability:
- Immediately apply the latest security patches provided by Citrix to address the CVE-2023-3519 vulnerability and prevent exploitation.
- Conduct thorough security audits to identify any signs of compromise, including the presence of suspicious files or web shells.
- Researchers warn that a patched NetScaler server can still have a backdoor and recommend administrators perform basic triage on their systems.
- Mandiant has released a scanner that looks for indicators of compromise related to attacks exploiting CVE-2023-3519.
- Implement network segmentation to contain the impact of potential breaches and limit lateral movement within the network.
- Deploy WAF solutions to detect and block malicious web traffic, reducing the risk of web shell deployment.
- Continuously monitor server logs and network traffic for signs of unauthorized access or malicious activity.
- Educate employees about phishing and social engineering techniques that attackers might use to exploit vulnerabilities.
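The audit and triage steps above boil down to one question: which files on the appliance exist or changed that were not there in a known-good state? The following is an added example of that basic triage, written for this advisory; it is not Citrix's, Mandiant's or Barracuda's code and it uses no real NetScaler paths or indicators. It assumes you can take a hash manifest of a served directory from a known-good state (a fresh install or a snapshot taken before exposure), and that the `SCRIPT_LIKE` extension set is a reasonable first filter for unexpected new files. The scenario in `demo()` is constructed inside a temporary directory so the script runs offline.

```python
"""Baseline-diff triage for a web-facing host (constructed example, not the advisory's code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Extensions worth reviewing first when they appear unexpectedly under a served
# directory. This set is an assumption for the example, not an official IoC list.
SCRIPT_LIKE = {".php", ".pl", ".py", ".sh", ".cgi"}


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


@dataclass
class Findings:
    added: list = field(default_factory=list)     # files absent from the baseline
    modified: list = field(default_factory=list)  # files whose content changed
    removed: list = field(default_factory=list)   # files present only in the baseline

    def priority(self):
        """Added files with script-like extensions: the shape a dropped web shell takes."""
        return [p for p in self.added if os.path.splitext(p)[1].lower() in SCRIPT_LIKE]


def diff_manifests(baseline, current):
    """Compare a known-good manifest against the current one; lists are sorted for stable output."""
    findings = Findings()
    for path, digest in current.items():
        if path not in baseline:
            findings.added.append(path)
        elif baseline[path] != digest:
            findings.modified.append(path)
    findings.removed = sorted(set(baseline) - set(current))
    findings.added.sort()
    findings.modified.sort()
    return findings


def demo():
    """Constructed scenario: snapshot a clean tree, then simulate post-exposure changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "static"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>ok</html>")
        with open(os.path.join(root, "static", "app.js"), "w") as f:
            f.write("console.log('ok');")
        baseline = build_manifest(root)  # taken while the tree is known-good

        # Simulated changes: an unexpected script appears and a known file is altered.
        with open(os.path.join(root, "static", "dropped.php"), "w") as f:
            f.write("<?php /* constructed placeholder, not a real payload */ ?>")
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<!-- changed -->")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    print("added:", result.added)
    print("modified:", result.modified)
    print("removed:", result.removed)
    print("review first:", result.priority())
```

In practice the baseline manifest is produced once from a trusted state and stored off the appliance, so an attacker who has already written to the filesystem cannot also rewrite the reference. A modified file is as important as an added one: the researchers cited above note that a patched server can still carry a backdoor, and a diff against a pre-exposure baseline is what surfaces it regardless of patch level.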
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.