Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

Cyber Security Threat Summary:
As part of a joint effort with the Dutch Institute for Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix NetScaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2,491 webshells across 1,952 distinct NetScaler servers, which made up 6% of all NetScalers (31,127) vulnerable to CVE-2023-3519 globally as of July 21, 2023. Based on a further analysis conducted on August 14, 2023, Fox-IT revealed that 1,828 NetScalers remained backdoored and that 1,247 of those had been patched after the hackers planted the webshells.

“Yesterday, the largest number of compromised Citrix NetScaler servers, both patched and unpatched, was in Germany, followed by France and Switzerland. Fox-IT says that Europe is the most affected, highlighting that of the top 10 affected countries, only two are from a different region of the world. Another detail the researchers observed is that while Canada, Russia, and the U.S. had thousands of vulnerable NetScaler servers on July 21, they found compromising web shells on almost none of them.”

Security Officer Comments:
According to the researchers, the threat actors exploited the vulnerability in an automated fashion to gain persistent access: the same webshells were deployed on many of the compromised instances. What is notable is that these webshells can be used to execute arbitrary commands even after NetScaler has been patched and/or rebooted. Although Fox-IT stated that the number of affected Citrix servers is declining, plenty of compromised instances still have the backdoor intact.

Suggested Correction(s):
A patched NetScaler can still contain a backdoor. It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.

Fox-IT has provided a Python script that uses Dissect to triage forensic images of NetScalers. Mandiant has provided a bash script to check for Indicators of Compromise on live systems. Be aware that if that script is run twice it will yield false positives, because certain search strings are written into the NetScaler logs whenever the script is run, and a later run then matches its own earlier searches.
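The re-run caveat above is a general property of any IoC checker that greps logs on the same host that records its commands. The following Python sketch is an added example, not Fox-IT's Dissect script or Mandiant's bash script: it searches constructed NetScaler-style log lines for placeholder indicator strings (the real indicators are in the researcher and vendor advisories, not on this page) and shows how tagging the checker's own search commands lets a second run tell them apart from genuine hits. The `#ioc-check` tag, the indicator strings, the hostname and the log lines are all assumptions made for the illustration.

```python
# Added example (not Fox-IT's Dissect script or Mandiant's bash script): a
# minimal IoC log-triage routine that demonstrates the re-run problem and one
# way to filter it out. Indicators, hostnames and log lines are constructed
# placeholders.
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical marker the checker appends to every search command it runs, on
# the assumption that the command line is recorded somewhere (shell history,
# an audit trail) that the checker itself later searches.
SCANNER_TAG = "#ioc-check"

# Constructed placeholder indicators; real ones come from the advisories.
IOC_STRINGS = ["example_webshell.php", "EXAMPLE-INDICATOR-STRING"]
IOC_PATTERNS = [re.compile(re.escape(s)) for s in IOC_STRINGS]


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    text: str


def search_command(indicator: str, path: str) -> str:
    """Shell command the checker would issue, tagged so that a later run can
    tell the logged command apart from a genuine indicator."""
    return f"grep -rF '{indicator}' {path} {SCANNER_TAG}"


def is_scanner_noise(line: str) -> bool:
    """True for a log line that merely records one of our own earlier searches."""
    return SCANNER_TAG in line


def triage(lines: Iterable[str], skip_self: bool = True) -> List[Hit]:
    """Return the log lines matching any indicator.

    With skip_self=True, tagged lines are ignored: they are the checker's own
    previous grep commands echoed into the logs, which would otherwise match
    the very strings they searched for and inflate the result on a second run.
    """
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        if skip_self and is_scanner_noise(line):
            continue
        for indicator, pat in zip(IOC_STRINGS, IOC_PATTERNS):
            if pat.search(line):
                hits.append(Hit(n, indicator, line.rstrip()))
                break  # one hit per line is enough
    return hits


# Constructed sample logs after one earlier run of the checker: lines 4 and 5
# are its own grep commands, recorded here as shell-history style entries.
SAMPLE_LOGS = [
    "Aug 14 10:00:01 ns1 httpd: GET /vpn/example_webshell.php 200",
    "Aug 14 10:00:02 ns1 sshd: Accepted publickey for nsroot",
    "Aug 14 10:03:00 ns1 httpd: POST /cgi/EXAMPLE-INDICATOR-STRING 200",
    "Aug 14 10:05:00 ns1 bash: nsroot: " + search_command(IOC_STRINGS[0], "/var/log"),
    "Aug 14 10:05:01 ns1 bash: nsroot: " + search_command(IOC_STRINGS[1], "/var/log"),
]


def hit_lines(lines: Iterable[str], skip_self: bool = True) -> List[int]:
    """Line numbers of the hits, the value a report or test would look at."""
    return [h.line_no for h in triage(lines, skip_self=skip_self)]


if __name__ == "__main__":
    print("naive second run     :", hit_lines(SAMPLE_LOGS, skip_self=False))  # [1, 3, 4, 5]
    print("self-aware second run:", hit_lines(SAMPLE_LOGS, skip_self=True))   # [1, 3]
```

Run as a script, the naive pass reports four hits, two of which are just the previous run's own grep commands; the tagged pass reports only the two real matches. The same idea applies to any live-system checker: either mark your own footprint so it can be excluded, or, as the page recommends, run the check once and triage a forensic image offline where the checker leaves no trace.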