Citrix zero-day hack impacts thousands of NetScaler servers

Nearly 2,000 Citrix NetScaler servers have been compromised in a global campaign, with attackers installing backdoors using a recently discovered critical bug, researchers find.

Malicious actors have exploited a bug tracked as CVE-2023-3519, placing webshells on vulnerable NetScalers to gain persistent access. Researchers at cybersecurity firm Fox-IT (part of the NCC Group) and the Dutch Institute of Vulnerability Disclosure (DIVD) say that because the webshells remain in place after the update, attackers can still execute commands on a NetScaler even after it has been patched.

NetScaler is a software-based application delivery controller (ADC) solution normally installed in data centers to manage incoming traffic flow. The ADC works as a sort of traffic cop between users and servers that run websites.

Installing backdoors on NetScaler instances opens many opportunities for malicious actors, as they could access the traffic flow, steal sensitive data, launch further attacks, and even manipulate traffic going through the ADC.

Researchers discovered that 1,900 NetScalers were backdoored and informed the victims about the issue. The majority of those, nearly 1,300, were patched for CVE-2023-3519. Worryingly, over 31,000 NetScaler instances were still vulnerable to the bug.

“At the time of writing, approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519. This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation,” Fox-IT’s blog said.

This means that some system administrators are currently operating on a false sense of security, having patched the issue while still having backdoored NetScaler instances.

Europe appears to be most affected by the issue, with Germany topping the list of impacted countries, followed by France and Switzerland. Out of the top 10 affected countries, only two are outside Europe.
