2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability

A threat actor has automated the exploitation of a recent Citrix vulnerability and has infected roughly 2,000 NetScaler instances with a backdoor, British information assurance firm NCC Group reports.

Tracked as CVE-2023-3519, the critical vulnerability was disclosed last month as a zero-day, being exploited since June 2023, including in attacks against critical infrastructure organizations.

The issue allows unauthenticated, remote attackers to execute arbitrary code on vulnerable Citrix Application Delivery Controller (ADC) and Gateway appliances that are configured as a gateway or AAA virtual server.

Roughly a week after Citrix released patches for the bug, cybersecurity firm Bishop Fox warned that it had identified more than 20,000 Citrix appliances vulnerable to a new exploit.

Now, NCC Group says it has observed an automated exploitation campaign in which more than 1,950 NetScaler instances were compromised, representing roughly 6.3% of the 31,000 vulnerable appliances identified at the beginning of the exploitation campaign.

The company identified close to 2,500 webshells on the compromised instances, and says that more than 1,800 of them remain infected. Starting August 10, the Dutch Institute of Vulnerability Disclosure has been notifying the impacted organizations of NCC Group’s findings.

More worrying, the cybersecurity firm says, is that roughly 69% of the infections occurred before the impacted organizations applied the provided patch. However, the backdoor has not been removed.

“This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation,” NCC Group says.

The large number of NetScaler instances infected before being patched also shows that the mass exploitation campaign took place around the same time that Citrix released the fixes.

“The high percentage of patched NetScalers that have been backdoored is likely a result of the time at which mass exploitation took place. From incident response cases, we can confirm Shadowserver’s prior estimate that this specific exploitation campaign took place between late July 20th and early July 21^st,” NCC Group notes.

Mandiant on Monday released a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. Google-owned Mandiant says the tool, available on GitHub, contains indicators of compromise (IOCs) collected during Mandiant’s investigations and sourced elsewhere.

Most of the identified infections are in Europe, with Germany, France, and Switzerland impacted the most. Japan and Italy round up the top five. Canada, Russia, and the US have virtually no infected NetScaler instances.

*Updated with details of tool released by Mandiant

Related: Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins

Related: Citrix Patches Critical Vulnerability in Secure Access Client for Ubuntu

Related: Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps