Over 640 Citrix Servers Compromised and Implanted with Web Shells
Numerous Citrix NetScaler ADC and NetScaler Gateway appliances have been compromised and backdoored in a wave of attacks exploiting CVE-2023-3519, a critical unauthenticated remote code execution (RCE) vulnerability. The same flaw had earlier been exploited as a zero-day to breach the network of a critical infrastructure organization in the United States.
The Shadowserver Foundation, a non-profit dedicated to improving internet security, recently revealed that attackers implanted web shells on at least 640 Citrix appliances in these attacks.
According to Shadowserver CEO Piotr Kijewski, speaking to BleepingComputer, the detected instances of the attack resemble the typical China Chopper pattern; given the circumstances, they chose not to disclose further details. Kijewski also said that the number of detected instances is, unfortunately, significantly lower than what they believe exists.
On its public mailing list, Shadowserver said it had identified 640 compromised appliances carrying web shells as of July 30, 2023, and that it was aware of widespread exploitation having taken place on July 20.
Its advice is blunt: if you have not patched by now, assume the appliance is compromised. Shadowserver believes the real number of CVE-2023-3519 web shells is considerably higher than the 640 it has detected.
About two weeks earlier, roughly 15,000 Citrix appliances were exposed and vulnerable to CVE-2023-3519; that figure has since dropped below 10,000. This shows patching progress, but installing the update does not remove a web shell that was planted beforehand, so an appliance that was exposed while unpatched still needs a compromise assessment whatever its current patch level.
On July 18, Citrix released security updates for the RCE flaw, stating that exploits against unmitigated appliances had already been observed, and urged customers to install the patches immediately.
The vulnerability is exploitable only on unpatched NetScaler appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA virtual server).
The same-day bulletin also fixed two other high-severity vulnerabilities: CVE-2023-3466, a reflected cross-site scripting (XSS) flaw, and CVE-2023-3467, a privilege escalation to root.
In response to the ongoing attacks, CISA directed U.S. federal agencies to secure the Citrix servers on their networks by August 9.
CISA's warning also stressed that the vulnerability had already been used to breach a critical infrastructure organization in the United States.
According to CISA, the threat actors exploited the flaw as a zero-day in June 2023 to drop a web shell on a NetScaler ADC appliance belonging to a critical infrastructure organization. From the web shell they performed discovery against the victim's Active Directory (AD), collected AD data and exfiltrated it. Their attempt to move laterally to a domain controller was blocked by network-segmentation controls in place for the appliance.
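A first triage step for the scenario above, given here as an added example (it is not code from the article, Citrix, CISA or Shadowserver): sweep the NetScaler web content directories for files that changed after a reference timestamp and that contain the request-parameter-into-eval shape characteristic of China Chopper style one-liners. The directory list follows CISA's detection guidance for this CVE and is assumed to be a reasonable starting set; the reference file, the mock directory tree and the sample shell content are constructed for the demonstration so the script runs offline. On a real appliance you would call hunt_webshells with / as the root and a file whose mtime is your last known-good point.

```shell
#!/bin/sh
# Added example: hunt for China Chopper style web shells in NetScaler web
# content directories. Not code from the article or from Citrix/CISA/Shadowserver.

# Directories to sweep, relative to the appliance root. These follow CISA's
# detection guidance for CVE-2023-3519 (assumed adequate for triage; extend as needed).
WEBDIRS="netscaler/ns_gui var/vpn var/netscaler/logon var/vpn/themes"

# China Chopper and similar one-liners feed a request parameter straight into
# eval/assert/system/etc. This ERE catches that shape; obfuscated shells evade it.
SHELL_PATTERN='(eval|assert|system|passthru|shell_exec|popen)[[:space:]]*\(.*\$_(POST|GET|REQUEST|COOKIE)'

# hunt_webshells ROOT SINCE_FILE
# Prints files under ROOT/WEBDIRS that are newer than SINCE_FILE and whose
# contents match SHELL_PATTERN. ROOT is "/" on a real appliance.
hunt_webshells() {
    root="$1"
    since="$2"
    for d in $WEBDIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -newer "$since" 2>/dev/null
    done | sort -u | while IFS= read -r f; do
        # -I skips binary files so images and fonts in theme directories are ignored
        if grep -E -I -q "$SHELL_PATTERN" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# build_mock ROOT
# Constructed stand-in for an appliance filesystem, used only to demonstrate the
# hunt offline. All file contents here are made up for this example.
build_mock() {
    root="$1"
    mkdir -p "$root/netscaler/ns_gui/vpn" "$root/var/vpn/themes" "$root/var/netscaler/logon"
    # Pre-existing legitimate page, created before the reference timestamp
    printf '<?php echo "login"; ?>\n' > "$root/netscaler/ns_gui/vpn/index.php"
    # Reference timestamp standing in for "when the appliance was patched"
    touch "$root/.reference"
    sleep 1   # guarantee a strictly newer mtime on the files below
    # Constructed China Chopper style one-liner dropped after the reference time
    printf '<?php @eval($_POST["pw"]); ?>\n' > "$root/var/vpn/themes/logon.php"
    # Newer but benign file that must not be reported
    printf 'body { color: #000; }\n' > "$root/var/vpn/themes/style.css"
}

# Stand-alone demo: build the mock tree, run the hunt, clean up.
DEMO_ROOT="${TMPDIR:-/tmp}/ns_hunt_demo.$$"
build_mock "$DEMO_ROOT"
echo "Suspicious files under $DEMO_ROOT:"
hunt_webshells "$DEMO_ROOT" "$DEMO_ROOT/.reference"
rm -rf "$DEMO_ROOT"
```

Two caveats when running this for real: the mtime filter misses shells whose timestamps were reset to blend in, so run the content match without the `-newer` filter as a second pass; and a shell that was dropped before patching survives the update, so the reference point should be the last time you are confident the appliance was clean, not the moment the patch went on.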
Ransomware gangs such as REvil and DoppelPaymer have previously exploited similar flaws in Citrix NetScaler ADC and Gateway to break into corporate networks.