Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
A threat actor has successfully compromised nearly 2,000 Citrix NetScaler servers in a large-scale campaign that exploits the critical CVE-2023-3519 remote code execution vulnerability. Alarmingly, over 1,200 of these servers were backdoored even after administrators had applied the patch for the vulnerability. This ongoing compromise persists because these servers have not been thoroughly inspected for indications of successful exploitation, according to the researchers.
RCE exploited to hack 6% of all vulnerable servers
Security researchers from Fox-IT, a cybersecurity company, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD), have uncovered a significant campaign targeting Citrix NetScaler servers vulnerable to CVE-2023-3519. Despite the patch for this vulnerability being available since July 18, hackers exploited it as a zero-day, allowing them to execute code without authentication.

On July 21, the Cybersecurity and Infrastructure Security Agency (CISA) warned of its use in breaching a critical infrastructure organization in the U.S. Earlier this month, The Shadowserver Foundation reported that hackers infected over 640 Citrix NetScaler servers, implanting web shells for remote access and persistence.

Fox-IT responded to numerous incidents related to CVE-2023-3519 exploitation over the past two months, discovering compromised servers with multiple web shells. They used this information to scan the internet for devices with these web shells installed, ultimately identifying 1,952 NetScaler servers compromised with the same web shells found in previous incidents. This suggests that the attacker used automated methods to exploit the vulnerability at a significant scale.
In a broader context, the 1,952 compromised servers account for over 6% of the 31,127 Citrix NetScaler instances that were vulnerable to CVE-2023-3519 globally during the active campaign. As of August 14, Fox-IT reported that 1,828 of these servers remained compromised, while 1,247 had been patched after the attackers planted web shells.
Starting on August 10, Fox-IT and DIVD initiated contact with organizations, either directly or through national Computer Emergency Response Teams (CERTs), to inform them about compromised NetScaler instances within their networks. On the most recent analysis date, the largest number of compromised Citrix NetScaler servers, including both patched and unpatched systems, was in Germany, followed by France and Switzerland. Europe bears the brunt of this campaign, with only two of the top ten affected countries located outside the region.
Interestingly, while Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers on July 21, there were very few instances of compromising web shells found in these countries.
Fox-IT indicates that the number of affected Citrix NetScaler servers is decreasing, but a considerable number of compromised instances still exist. They emphasize that even patched NetScaler servers can harbor a backdoor and recommend that administrators conduct basic system triage. They have provided a Python script that uses the Dissect forensics and incident response toolkit. Additionally, Mandiant has released a scanner designed to detect indicators of compromise related to CVE-2023-3519 exploitation. However, the researchers caution against running the bash script twice: a second run may produce false positives, because the indicator searches performed by the first run are themselves recorded in the NetScaler logs.
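The false-positive problem described above is a general one for log-based triage: the scanner's own search commands end up in the logs it searches. The following added example (not the Fox-IT or Mandiant tooling) shows one way to make such a scan safe to re-run, using a constructed log excerpt, a placeholder indicator and a hypothetical scanner name; real indicators come only from the published releases.

```python
import re

# Constructed sample log (not real NetScaler output). The first two lines
# are ordinary traffic, the third is the kind of entry a web shell would
# leave, and the last two are what a previous triage run itself logged.
SAMPLE_LOG = """\
Aug 14 10:01:02 ns httpd: GET /vpn/index.html 200
Aug 14 10:01:03 ns httpd: GET /logon/LogonPoint/index.html 200
Aug 14 10:01:05 ns httpd: POST /vpn/themes/EXAMPLE_INDICATOR.php 200
Aug 14 10:02:00 ns bash: grep -r EXAMPLE_INDICATOR /var/netscaler/logon
Aug 14 10:02:01 ns bash: ioc-scan.sh: searching for EXAMPLE_INDICATOR
"""

# Placeholder indicator string; substitute the published IoCs in practice.
INDICATORS = ["EXAMPLE_INDICATOR"]

# Entries that record a scan command rather than attacker activity.
# "ioc-scan.sh" is a hypothetical scanner name used only for this example.
SELF_GENERATED = re.compile(r"\b(grep|find|ioc-scan\.sh)\b")


def find_hits(log_text, indicators, exclude_self=True):
    """Return (line_number, line) for every log line containing an indicator.

    With exclude_self=True, lines that look like the scanner's own logged
    commands are skipped, so re-running the triage does not alert on itself.
    """
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not any(ioc in line for ioc in indicators):
            continue
        if exclude_self and SELF_GENERATED.search(line):
            continue
        hits.append((number, line))
    return hits


def compare_runs(log_text, indicators):
    """Show how many hits a naive re-scan reports versus the filtered scan."""
    naive = len(find_hits(log_text, indicators, exclude_self=False))
    filtered = len(find_hits(log_text, indicators, exclude_self=True))
    return naive, filtered
```

On the sample log the naive scan reports three hits, two of which are the earlier scan's own footprints; the filtered scan reports only the web shell line.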