Hackers target Citrix NetScaler vulnerabilities to gain persistent access

A new report released today by Fox-IT, part of NCC Group PLC, has detailed how about 2,000 Citrix NetScalers have been exploited by a threat actor to gain persistent access.

Citrix NetScaler is an application delivery controller and load-balancing solution offered by Citrix Systems Inc. The devices optimize the delivery of applications over the internet and private networks by distributing traffic across multiple servers, ensuring that application performance is maintained and downtime is minimized.

The threat actor who is targeting Citrix NetScaler installations is doing so by exploiting a known set of vulnerabilities that were first disclosed on July 18. The publication of the vulnerabilities only came about after security companies had already started seeing exploitation in the wild.

In collaboration with the Dutch Institute of Vulnerability Disclosure, Fox-IT found that 31,127 NetScaler devices were vulnerable to one of the key vulnerabilities found in July, designated CVE-2023-3519. According to the U.S. National Institute of Standards and Technology, CVE-2023-3519 is a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability with a score of 9.8 out of 10 in terms of how serious it is.

As of Aug. 14, Fox-IT also found that 1,828 NetScalers remain “backdoored.” What is surprising, however, is that of the 1,828 NetScalers that had been compromised, 1,248 had actually been patched for CVE-2023-3519.

“A patched NetScaler can still contain a backdoor,” Fox-IT researchers wrote in their post. “It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.”

Although the numbers are relatively small, the key takeaway from the report is that even with the best intentions, including installing all updates and patching all vulnerabilities, devices can still be compromised.

Users of Citrix NetScalers that may have been compromised are advised to secure forensic data. Fox-IT strongly recommends making a forensic copy of both the disk and the memory of the appliance before any remediation or investigative actions are done. If the Citrix appliance is installed on a hypervisor, a snapshot can be made for a follow-up investigation.

If a web shell is found, Citrix NetScaler users are advised to investigate whether it has been used to perform activities via the NetScaler access logs. If there are indications that the web shell has been used to perform unauthorized activities, users should identify whether the adversary has successfully taken steps to move laterally from the NetScaler toward another system in their infrastructure.

Image: Citrix