Roughly 2,000 Citrix NetScaler servers were compromised in what appears to be a large-scale attack against the endpoints. This is according to a new report from cybersecurity researchers Fox-IT, part of NCC Group.
In its report, Fox-IT says the unnamed threat actor leveraged a high-severity vulnerability first discovered in mid-July to breach the servers. The vulnerability is being tracked as CVE-2023-3519, and holds a severity score of 9.8.
It allows threat actors to run code remotely on Citrix NetScaler ADC and NetScaler Gateway. Even though it was disclosed a month ago, hackers managed to use it as a zero-day.
Indicators of compromise
On the day the report was published (August 14), Fox-IT said 1,828 NetScaler servers were compromised, despite the fact that 1,248 were previously patched against the flaw.
“A patched NetScaler can still contain a backdoor,” the researchers explained. “It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.”
Citrix NetScaler is a web application delivery controller (ADC) that speeds up apps, reduces web app ownership costs, and ensures higher app availability. According to WhiteHat Virtual Technologies, as of 2021 there were over 200,000,000 sites using Citrix NetScalers, including tech giants such as Microsoft, eBay, Weather.com, CNET, and MasterCard.
Given the fact that even patched servers were still compromised, users are advised to secure forensic data, a SiliconANGLE report states. Fox-IT’s researchers recommend users make a forensic copy of both the disk and the memory of the appliance, before deciding on any course of action. In case of a Citrix appliance being installed on a hypervisor, users can make a snapshot, as well.
Those that find a web shell in their premises should analyze if it was used, and to what end.