View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 16, 2023

Backdoor into Citrix NetScaler systems leaves 2,000 servers vulnerable

Though a patch has been released, security researchers believe many systems were infected before it could be applied.

By Claudia Glover

Nearly 2,000 servers running Citrix NetScaler have been compromised by a backdoor that could allow the perpetrator to launch remote code execution attacks inside infected systems. The vulnerability being exploited was discovered last month, and security researchers say many of the infected systems have already been patched, meaning the attack likely took place days after the fix was released.

Nearly 2,000 Citrix NetScaler servers infected with backdoor during mass campaign (Photo by Tada Images/Shutterstock)

Security company Mandiant has released an open source tool to scan for indicators of compromise that can help system administrators to discern if their servers have been infected.

Citrix NetScaler is a tool which helps manage traffic on a network by balancing different workloads.

Up to 2,000 NetScalers infected with a malicious backdoor

Researchers from security company NCC say 6% of all vulnerable Citrix NetScaler systems have been infected with a web shell, or backdoor, which could allow hackers to gain access to the company’s systems. The web shell is installed via a vulnerability, tracked as CVE-2023-3519.

Although a patch has been released for the vulnerability, the attackers appear to have struck in the days immediately following its release, meaning many servers had yet to be patched.

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory at the time of the patch came out, calling on organisations to apply it as a matter of urgency. It said the vulnerability had been used to launch an attack on US critical national infrastructure.

Now approximately 69% of the infected servers are patched according to NCC Group’s research, but may be failing to scan their networks for signs of intrusion.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

“Administrators may have a false sense of security even though an up-to-date NetScaler can still have been backdoored,” a report from NCC Group warns.

Non-profit security organisation the Shadowserver Foundation believes the mass attack took place between July 20-July 21. The patch was released on July 18. 

Shadowserver posted research weeks after the patch release showing that more than 640 Citrix NetScaler servers had been infected by web shells, placed to enable remote access.

In total, the NCC Group uncovered 2491 web shells across 1952 distinct NetScalers. Globally there were 31,127 NetScalers vulnerable to CVE-2023-3519 when the campaign was launched, meaning the exploitation campaign compromised 6.3% of vulnerable systems. Most of the targeted systems are in Europe.

Mandiant has released an open source scanning tool to scan Citrix NetScaler servers for indicators of compromise. Researchers have cautioned against running the tool twice, as “certain searches get written into the NetScaler logs whenever the script is run,” which can result in false positives.  

Read More: New unpatched zero-day Microsoft Exchange vulnerability under ‘active exploitation’

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU