Around 2,000 Citrix NetScaler instances have fallen victim to a backdoor attack, leveraging a recently disclosed critical security vulnerability as part of a widespread assault.
According to an advisory from NCC Group, released on Tuesday, it appears that an attacker exploited CVE-2023-3519 in an automated manner, implanting web shells on vulnerable NetScalers to establish persistent access. The web shell grants the attacker the ability to execute arbitrary commands, and it survives on NetScaler systems that have since been patched and rebooted, because applying the patch closes the vulnerability but does not remove an implant that was already installed.
CVE-2023-3519 is a critical code injection vulnerability that affects NetScaler ADC and Gateway servers, potentially enabling unauthenticated remote code execution. Citrix had issued a patch for it last month.
This development follows a report by the Shadowserver Foundation, which identified nearly 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online, with attackers exploiting the flaw to deploy PHP web shells on vulnerable servers for remote access.
A subsequent analysis by NCC Group revealed that 1,828 NetScaler servers still harbor the backdoor, despite approximately 1,248 of them having been patched against the vulnerability. This suggests that while most administrators applied the patch to secure their NetScalers, they did not thoroughly check for signs of successful exploitation.
In total, 2,491 web shells have been discovered across 1,952 distinct NetScaler appliances, with a significant number of compromised instances located in Germany, France, Switzerland, Japan, Italy, Spain, the Netherlands, Ireland, Sweden, and Austria.
Interestingly, although Canada, Russia, and the United States each hosted thousands of vulnerable NetScaler servers last month, no web shells were found on any systems in those countries.
This large-scale exploitation campaign is estimated to have affected 6.3% of the 31,127 NetScaler instances susceptible to CVE-2023-3519 as of July 21, 2023.
Additionally, Mandiant has released an open-source tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519.