Online Scans Show More Than 1,200 Patched NetScaler Devices Are Backdoored
Hackers exploited a zero-day vulnerability in Citrix NetScaler appliances faster than system administrators could patch it, dropping web shells that remain active even after the patch is applied, Dutch security researchers warn.
Online scans conducted by Delft-based Fox-IT and the nonprofit Dutch Institute for Vulnerability Disclosure show more than 1,200 patched NetScaler devices containing a backdoor inserted by hackers. Attackers appear to have automated exploitation of a flaw allowing them to execute arbitrary commands through a web shell, “even when a NetScaler is patched and/or rebooted.”
Tracked as CVE-2023-3519 and patched in July, the flaw affects Citrix Application Delivery Controller and Gateway appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Security firms and the U.S. federal government were quick to urge system administrators to patch immediately. The Citrix NetScaler “product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” said Rapid7. Fox-IT counted more than 31,000 NetScaler devices globally that were still vulnerable to the zero-day flaw as of July 21.
As of Aug. 14, Fox-IT said, 1,828 NetScaler instances were compromised with a backdoor, and 1,248 of them had been patched: the patch closes the entry point but does not remove a web shell already written to disk. The firm released a script to detect indicators of compromise, as has Mandiant.
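Because a patched appliance can still carry a shell, the practical check is a file-level triage of the directories the appliance serves PHP from, not a version check. The script below is an added illustration of that kind of triage; it is not the Fox-IT or Mandiant script, and the directory names in `DEFAULT_ROOTS`, the keyword patterns and the scoring are this example's own assumptions rather than indicators published by either firm. It walks each web root, scores every `.php` file on three independent signals (code execution primitives, obfuscation helpers, and use of request input), adds a fourth signal for files modified after a cutoff such as the patch date, and reports anything that trips the threshold. The sample web root it scans is constructed in a temporary directory so the example runs offline.

```python
"""Heuristic triage of NetScaler web roots for PHP web shells.

Added illustration for this article; it is NOT the Fox-IT or Mandiant IOC
script. DEFAULT_ROOTS, the regexes and the scoring are this example's own
assumptions, not indicators published by either firm.
"""
import os
import re
import tempfile

# Assumed locations a NetScaler serves PHP from; adjust to the appliance.
DEFAULT_ROOTS = ("/netscaler/ns_gui", "/var/vpn", "/var/netscaler/logon")

# Three independent signals. A legitimate UI page rarely combines all three.
CODE_EXEC = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|popen|proc_open|assert)\s*\(", re.I)
OBFUSCATION = re.compile(
    rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(|\\x[0-9a-fA-F]{2}")
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")


def score_php(data):
    """Return (score, reasons) for one PHP file body."""
    reasons = []
    if CODE_EXEC.search(data):
        reasons.append("code-exec")
    if OBFUSCATION.search(data):
        reasons.append("obfuscation")
    if REQUEST_INPUT.search(data):
        reasons.append("request-input")
    return len(reasons), reasons


def scan_roots(roots=DEFAULT_ROOTS, since=None, threshold=2):
    """Walk each root and flag .php files whose score reaches threshold.

    `since` (epoch seconds) adds one point for files written after that
    cutoff; a shell dropped before patching survives the upgrade, so the
    patch date is a natural cutoff.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".php"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable: no verdict either way
                score, reasons = score_php(data)
                if since is not None and mtime >= since:
                    score += 1
                    reasons.append("modified-after-cutoff")
                if score >= threshold:
                    findings.append((path, score, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root (not real NetScaler content)."""
    base = tempfile.mkdtemp(prefix="ns_gui_")
    benign = os.path.join(base, "index.php")
    shell = os.path.join(base, "vpn", "themes", "login.php")
    os.makedirs(os.path.dirname(shell))
    with open(benign, "wb") as fh:
        fh.write(b"<?php echo 'NetScaler login'; ?>\n")  # no exec, no input
    with open(shell, "wb") as fh:
        # Minimal web shell shape: request input straight into eval()
        fh.write(b"<?php eval(base64_decode($_POST['c'])); ?>\n")
    old = 1_600_000_000  # benign file pre-dates any 2023 cutoff
    os.utime(benign, (old, old))
    return base, shell


if __name__ == "__main__":
    root, _ = build_sample_tree()
    # Cutoff is an assumed epoch timestamp standing in for the patch date.
    for path, score, reasons in scan_roots((root,), since=1_690_000_000):
        print(f"{score} {path} {','.join(reasons)}")
```

A hit is a reason to pull the file and the surrounding logs, not a verdict on its own: legitimate code can use `eval` or `base64_decode`, which is why the threshold requires more than one signal, and a shell that is only obfuscated will score lower than this toy pattern does. Treat a positive on a patched appliance as a sign the host was compromised before the patch and needs rebuilding, not re-patching.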
Online scanning shows most of the compromised NetScaler devices are located in Europe, although Fox-IT said the researchers “could not discern a pattern in the targeting.” Attackers, apparently working from automated tooling, compromised some instances multiple times while leaving large numbers of vulnerable appliances untouched.