Germany has the highest number of hacked Netscaler servers


While many Citrix Netscaler servers have been patched for a vulnerability known since July, attackers still maintain access.

Security researchers from Fox-IT and the Dutch Institute of Vulnerability Disclosure (DIVD) jointly investigated a hacking campaign where malicious actors established webshells on Citrix Netscaler servers vulnerable to the CVE-2023-3519 security flaw. In total, nearly 2,000 systems were infiltrated, with the majority located in Germany, followed by France and Switzerland.

According to the researchers’ report, more than two-thirds of the hacked servers are now protected from further exploitation of the vulnerability due to a patch provided by Citrix on July 18th. However, since the respective administrators failed to inspect their Citrix Netscaler systems for potential prior infiltration after applying the security update, attackers can still execute malicious code there.

Europe is particularly affected. Worldwide, the malicious actors infiltrated a total of 1,952 Netscaler servers across various regions, which suggests they employed automated attack methods to exploit the vulnerability on a large scale. The researchers identified a total of 31,127 systems vulnerable to CVE-2023-3519 on July 21st. Consequently, the attackers managed to establish a backdoor on over 6 percent of these Citrix Netscaler servers.

European servers seem to be particularly impacted by the campaign. “Of the 10 most affected countries, only 2 are outside of Europe,” stated the researchers. While Canada, Russia, and the United States also had thousands of vulnerable Netscaler systems on July 21st, the research team found a webshell on virtually none of them. However, they identified neither an explanation for these regional differences nor any specific targeting of industries by the attackers.

Administrators of Citrix Netscaler servers are strongly advised to promptly apply patches to their systems and subsequently investigate them for potential infiltration. For the latter, the researchers have provided a corresponding tool on GitHub.
