Nearly 2,000 servers running Citrix NetScaler have been compromised by a backdoor that could allow the perpetrator to launch remote code execution attacks inside infected systems. The vulnerability being exploited was discovered last month, and security researchers say many of the infected systems have already been patched, meaning the attack likely took place days after the fix was released.
Security company Mandiant has released an open source tool to scan for indicators of compromise that can help system administrators to discern if their servers have been infected.
Citrix NetScaler is a tool which helps manage traffic on a network by balancing different workloads.
Up to 2,000 NetScalers infected with a malicious backdoor
Researchers from security company NCC Group say 6% of all vulnerable Citrix NetScaler systems have been infected with a web shell, or backdoor, which could allow attackers to gain access to the affected organisation’s systems. The web shell was installed by exploiting a vulnerability tracked as CVE-2023-3519.
Although a patch has been released for the vulnerability, the attackers appear to have struck in the days immediately following its release, meaning many servers had yet to be patched.
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory at the time the patch came out, calling on organisations to apply it as a matter of urgency. It said the vulnerability had been used to launch an attack on US critical national infrastructure.
According to NCC Group’s research, approximately 69% of the infected servers are now patched, but their administrators may not be scanning their networks for signs of intrusion.
“Administrators may have a false sense of security even though an up-to-date NetScaler can still have been backdoored,” a report from NCC Group warns.
Non-profit security organisation the Shadowserver Foundation believes the mass attack took place between July 20 and July 21. The patch was released on July 18.
Shadowserver posted research weeks after the patch release showing that more than 640 Citrix NetScaler servers had been infected by web shells, placed to enable remote access.
In total, the NCC Group uncovered 2,491 web shells across 1,952 distinct NetScalers. Globally there were 31,127 NetScalers vulnerable to CVE-2023-3519 when the campaign was launched, meaning the exploitation campaign compromised 6.3% of vulnerable systems. Most of the targeted systems are in Europe.
Mandiant has released an open source tool that scans Citrix NetScaler servers for indicators of compromise. Researchers have cautioned against running the tool twice, as “certain searches get written into the NetScaler logs whenever the script is run,” which can result in false positives on a subsequent run.
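The false-positive problem described above is easy to reproduce with a toy log scanner. The following added example is not Mandiant's tool and does not use any real indicator from the NetScaler advisory: the indicator strings, the `[ioc-scan]` marker the scanner writes into its own log entries, and the sample log lines are all constructed. It runs a naive scanner twice over the same log and shows how the first run's own entries become "hits" on the second run, then shows one mitigation (skipping the scanner's own tagged entries), which only works if the scanner tags what it writes.

```python
# Added example (not Mandiant's scanner): how an IoC log scan can poison its own
# later runs, and one way to filter the scanner's own entries. Indicator strings,
# the scanner tag and the sample log lines are constructed placeholders.

SCANNER_TAG = "[ioc-scan]"  # hypothetical marker the scanner prefixes to entries it writes

# Placeholder indicator strings (hypothetical; not real IoCs from any advisory)
INDICATORS = {
    "webshell_path": "/PLACEHOLDER_WEBSHELL_NAME.php",
    "shell_command": "cmd=PLACEHOLDER_COMMAND",
}

# Constructed sample log: two benign requests and one that contains an indicator.
SAMPLE_LOG = [
    "2023-07-20T10:00:01 GET /logon/LogonPoint/index.html 200",
    "2023-07-20T10:00:02 POST /PLACEHOLDER_WEBSHELL_NAME.php 200",
    "2023-07-20T10:00:03 GET /vpn/index.html 200",
]


def find_hits(lines, ignore_scanner_entries=True):
    """Return (line_number, indicator_name) for every line containing an indicator.

    Lines the scanner itself wrote (carrying SCANNER_TAG) are skipped when
    ignore_scanner_entries is True; otherwise they are searched like any other line.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if ignore_scanner_entries and SCANNER_TAG in line:
            continue
        for name, needle in INDICATORS.items():
            if needle in line:
                hits.append((number, name))
    return hits


def run_scanner(log, ignore_scanner_entries=True):
    """Simulate one scanner run: scan the log, then record the search terms in the
    same log. That write-back is the side effect the article warns about."""
    hits = find_hits(log, ignore_scanner_entries)
    for needle in INDICATORS.values():
        log.append(f"{SCANNER_TAG} searched log for {needle}")
    return hits


def demonstrate(ignore_scanner_entries):
    """Run the scanner twice on a copy of the sample log; return both hit lists."""
    log = list(SAMPLE_LOG)
    first = run_scanner(log, ignore_scanner_entries)
    second = run_scanner(log, ignore_scanner_entries)
    return first, second


if __name__ == "__main__":
    naive_first, naive_second = demonstrate(ignore_scanner_entries=False)
    print("naive scanner, run 1:", naive_first)
    print("naive scanner, run 2:", naive_second)  # extra hits come from run 1's own entries
    safe_first, safe_second = demonstrate(ignore_scanner_entries=True)
    print("filtering scanner, run 1:", safe_first)
    print("filtering scanner, run 2:", safe_second)
```

On the naive run the second pass reports three hits instead of one: the genuine line plus the two entries the first run wrote. Filtering by a tag is only possible when the scanner labels its own writes, which is an assumption of this example; where it does not, the practical advice is the one given above, namely to run the tool once and preserve its first result.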