Ongoing Attacks: Over 600+ Citrix Servers Compromised to Install Web Shells

A critical remote code execution (RCE) vulnerability identified as CVE-2023-3519 has been the subject of several attacks, which have already compromised and backdoored hundreds of Citrix Netscaler ADC and Gateway servers.

Attackers used web shells on at least 640 Citrix servers in these attacks, according to security experts from the Shadowserver Foundation, a nonprofit organization focused on advancing internet security.

Previously, the vulnerability was used as a zero-day attack on the network of a critical infrastructure organization in the United States.

“We can say it’s fairly standard China Chopper, but we do not want to disclose more under the circumstances.

I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately,” Shadowserver CEO Piotr Kijewski said.

​”We report on compromised appliances with webshells in your network (640 for 2023-07-30).

We are aware of widespread exploitation happening July 20th already,” Shadowserver said on their public mailing list.

“If you did not patch by then please assume compromise. We believe the actual amount of CVE-2023-3519 related web shells to be much higher than 640.”

Around 15,000 Citrix appliances were CVE-2023-3519 attack-vulnerable as of around two weeks ago.

That number has now decreased to below 10,000, showing some improvement in the vulnerability’s mitigation. Most of the servers are located in the United States and Germany.

Specifics of the Ongoing Attack

Customers were alerted by Citrix last week that the NetScaler Application Delivery Controller (ADC) and Gateway CVE-2023-3519 (CVSS score: 9.8) vulnerability is being actively exploited in the wild.

The flaw is a code injection vulnerability that might lead to unauthenticated remote code execution.

The issue mostly affects unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).

Threat actors used this vulnerability as a zero-day in June 2023 to install a  web shell on a critical infrastructure organization’s NetScaler ADC appliance.

The web shell allowed the actors to find the victim’s active directory (AD) as well as gather and exfiltrate AD data.

The attackers attempted to move laterally to a domain controller, but the appliance’s network-segmentation restrictions prevented them from doing so.

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization’s NetScaler ADC appliance,” CISA said.

“The web shell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data.

The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked movement.”

Citrix issued security updates to address the RCE vulnerability on July 18th, confirming that exploits have been seen on susceptible appliances.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the report published by Citrix.

Citrix fixed CVE-2023-3519 together with CVE-2023-3466 and CVE-2023-3467, two high-severity flaws that might be used to escalate privileges to root and conduct reflected cross-site scripting (XSS) attacks.

CISA gave U.S. federal agencies until August 9 to safeguard Citrix servers on their networks in response to continuous attacks.

Similar Citrix Netscaler ADC and Gateway vulnerabilities have previously been used by ransomware gangs, such as REvil and DoppelPaymer, to breach corporate networks.

In light of this, the company strongly advises concerned customers to install the necessary updates as soon as feasible.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.