• As of August 14, 1,828 NetScalers are still compromised, per Fox-IT. Surprisingly, among these, 1,248 had been patched for CVE-2023-3519.
  • The report underscores that patching closes the vulnerability but does not remove a backdoor installed before the patch was applied, so fully updated devices can still be compromised.

In a recent report, Fox-IT, a subsidiary of NCC Group PLC, described how a threat actor exploited about 2,000 Citrix NetScalers to gain persistent access.

Citrix Systems Inc. provides Citrix NetScaler as an application delivery controller and load-balancing solution. The devices ensure that application performance is maintained and downtime is kept to a minimum by spreading traffic across multiple servers while delivering applications over public and private networks.

The threat actor is exploiting a set of vulnerabilities first reported on July 18 to target Citrix NetScaler installations. The vulnerabilities became public only after security firms had observed them being exploited in the wild.

In cooperation with the Dutch Institute for Vulnerability Disclosure, Fox-IT found that 31,127 NetScaler devices were susceptible to CVE-2023-3519, one of several vulnerabilities disclosed in July. According to the U.S. National Institute of Standards and Technology, CVE-2023-3519 is a code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway, rated 9.8 out of 10 in severity (critical).

Fox-IT also found that, as of August 14, 1,828 NetScalers were still “backdoored.” What is surprising is that 1,248 of those 1,828 compromised NetScalers already had the CVE-2023-3519 patch applied.

Researchers from Fox-IT wrote in their post, “A patched NetScaler can still contain a backdoor. It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.”

Although the absolute numbers are small, the report’s main takeaway is that a device can remain compromised even when its operators do everything right, including installing every update and fixing every known vulnerability, because a patch does not remove a backdoor that was planted before it.

Users of Citrix NetScalers that may have been compromised are advised to preserve forensic data first. Before performing any remediation or investigative actions, Fox-IT urges making a forensic copy of the appliance’s memory and disk. If the Citrix appliance runs on a hypervisor, a snapshot can be taken and kept for a subsequent investigation.

Users of Citrix NetScaler are also urged to review the NetScaler HTTP access logs for signs that a web shell has been used to carry out operations on the appliance. If there is evidence that the web shell was used, users should then determine whether the adversary moved laterally from the NetScaler to other systems in their infrastructure.
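As an added example, not code from the Fox-IT report or from Citrix: a small Python triage script that applies the access-log check described above to a few constructed log lines. It assumes the access log is in Apache combined format and that PHP paths the appliance legitimately serves are listed in KNOWN_PHP_PATHS; the log lines, IP addresses and the PHP path they contain are all constructed for the example.

```python
import re

# Assumption: the appliance's HTTP access log uses Apache combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: populate from a known-good appliance of the same build; empty here,
# so every served PHP script is treated as unexpected.
KNOWN_PHP_PATHS = set()

# Constructed sample log lines (documentation IP ranges, made-up PHP path).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2023:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Aug/2023:10:01:05 +0000] "POST /vpn/index.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2023:11:22:33 +0000] "POST /vpn/themes/constructed_example.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [15/Aug/2023:11:22:40 +0000] "POST /vpn/themes/constructed_example.php?x=1 HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.5 - - [15/Aug/2023:12:00:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string for matching
    return entry

def find_webshell_activity(lines, known_php_paths):
    """Return entries where a PHP script outside the expected set was served successfully.
    Run this over a forensic copy of the log, not on the live appliance."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["path"].lower().endswith(".php") and e["path"] not in known_php_paths and e["status"] < 400:
            hits.append(e)
    return hits

def summarize(hits):
    """Per-path request count, POST count and source IPs, to judge whether a shell was actually used."""
    summary = {}
    for e in hits:
        s = summary.setdefault(e["path"], {"count": 0, "posts": 0, "ips": set()})
        s["count"] += 1
        s["posts"] += e["method"] == "POST"
        s["ips"].add(e["ip"])
    return {p: {"count": s["count"], "posts": s["posts"], "ips": sorted(s["ips"])} for p, s in summary.items()}

if __name__ == "__main__":
    print(summarize(find_webshell_activity(SAMPLE_LOG.splitlines(), KNOWN_PHP_PATHS)))
```

Repeated successful POSTs to an unexpected PHP path from one source are the pattern to escalate to the lateral-movement check the report recommends.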