Satellite Providers


Large-Scale Attack Compromises 2,000 Citrix NetScaler Instances

Nearly 2,000 Citrix NetScaler instances have been backdoored in an attack that leveraged a recently disclosed critical security vulnerability. The attackers exploited CVE-2023-3519, a code injection vulnerability that affects NetScaler ADC and Gateway servers and allows unauthenticated remote code execution. Although Citrix had previously patched the flaw, threat actors managed to place web shells on vulnerable NetScalers, granting them persistent access to execute arbitrary commands even after the servers were patched or rebooted.

The Shadowserver Foundation had previously identified approximately 7,000 vulnerable NetScaler ADC and Gateway instances that had not been patched. These instances were then targeted for the installation of PHP web shells to enable remote access. Subsequent analysis by NCC Group revealed that out of the 1,828 backdoored NetScaler servers, around 1,248 had already been patched against the vulnerability. This suggests that while most administrators had patched their servers, they failed to check for signs of successful exploitation.

In total, 2,491 web shells were found across 1,952 distinct NetScaler appliances. The majority of these compromised instances are located in Europe, particularly in Germany, France, Switzerland, Japan, Italy, Spain, the Netherlands, Ireland, Sweden, and Austria. Interestingly, although Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers, no web shells were discovered on any of them.

This large-scale attack has affected approximately 6.3% of the 31,127 NetScaler instances that remained vulnerable to CVE-2023-3519 as of July 21, 2023. To aid organizations in detecting post-exploitation activity related to the vulnerability, Mandiant has released an open-source tool specifically designed to scan Citrix appliances.
