Over 1,800 Citrix NetScaler devices have been found to carry backdoors, and 69% of them had already been patched against CVE-2023-3519 [4]. Patching alone does not settle the matter: further investigation is needed to determine whether these devices were successfully exploited.

Description

CVE-2023-3519 was first exploited as a zero-day in targeted attacks against a critical infrastructure organization in the US [4], and later in large-scale automated attacks. Internet scans by researchers found web shells on 1,828 instances, 1,248 of which had already been patched [2] [4]. In total, the attackers compromised 1,952 vulnerable NetScaler devices, most of them in Europe [1]. Why these counts differ, and why particular devices were targeted, is still unknown [4]. Because patching closes the vulnerability but does not remove a web shell planted before the patch was applied, even patched and rebooted systems can remain compromised, which is what makes securing edge devices like NetScalers so difficult [1]. Users should preserve forensic data and thoroughly investigate any unauthorized activity carried out through the web shells. Most compromised instances were located in European countries [3], with Germany the most affected [2]. Notably, no web shells were found on vulnerable servers in Canada [3], Russia [3], or the U.S. [3] [4]. The Dutch Institute for Vulnerability Disclosure has notified affected organizations and provided recommendations for assessing system security, and Mandiant has released an open-source tool to help organizations detect post-exploitation activity related to CVE-2023-3519.

Conclusion

The presence of backdoors on over 1,800 Citrix NetScaler devices poses a significant security risk. Although most of these devices have been patched, each one still needs to be examined to establish whether it was successfully exploited, since the patch does not remove an existing web shell. The concentration of compromised instances in Europe underlines the need for better security measures for edge devices like NetScalers. Mandiant's open-source tool is intended to help organizations detect compromised systems and prevent further exploitation. The incident is a reminder of the ongoing challenge of securing network devices and of the value of proactive security measures.

References

[1] https://www.infosecurity-magazine.com/news/mass-exploitation-campaign-citrix/
[2] https://www.malwarebytes.com/blog/news/2023/08/citrix-netscalers-backdoored-in-widespread-exploitation-campaign
[3] https://thehackernews.com/2023/08/nearly-2000-citrix-netscaler-instances.html
[4] https://www.helpnetsecurity.com/2023/08/16/netscaler-cve-2023-3519-webshells/