Mass Exploitation Campaign Backdoors Almost 2000 Citrix NetScalers 

A hacking group has exploited a critical vulnerability in Citrix NetScaler servers to compromise close to 2,000 servers in a massive campaign, before patches could be applied.

As of 8/14 Fox-IT researchers report that of some 31,127 vulnerable servers, more than 1,900 remain “backdoored” and of those found, 1,248 had already been patched, but were never checked for signs of successful exploitation.

The vulnerability, tracked as CVE-2023-3519, allows hackers to execute arbitrary code on the servers without authentication allowing them to do anything they want on the servers, including steal data, install malware, or disrupt operations.

Main Takeaways:

  • A set of vulnerabilities in NetScaler, one of which allows for remote code execution, were disclosed on July 18th. This disclosure was published after several security organizations saw limited exploitation of these vulnerabilities in the wild.
  • Fox-IT (in collaboration with the Dutch Institute of Vulnerability Disclosure) have scanned for these webshells to identify compromised systems. Responsible disclosure notifications have been sent by the DIVD.
  • At the time of this exploitation campaign, 31127 NetScalers were vulnerable to CVE-2023-3519.
  • As of August 14th, 1828 NetScalers remain backdoored.
  • Of the backdoored NetScalers, 1248 are patched for CVE-2023-3519.

David Mitchell, Chief Technical Officer, HYAS had this to say:  

“Unfortunately, this is far from the first time this has happened in recent memory. In previous campaigns, attackers gained footholds within F5, Fortinet and VMware appliances through exposed management interfaces in order to avoid detection by EDR software.  

“Regardless if the exploit is already in the wild, customers are expected to monitor their devices for the IOCs before and after the patch is applied — which is obviously not at an acceptable level. The reason for this gap may be education, outsourced managed devices or division of security labor within an organization, but I do not expect attacks on network devices to stop anytime soon.”

Clearly simply patching everything isn’t enough. You also have to make sure that the bad guys aren’t already in. Which means that you need to take more rigorous steps to make sure that you’re not on the wrong end of a headline.

Leave a Reply

%d bloggers like this: