Recently, a significant incident shed light on the vulnerabilities present in Citrix NetScalers, a popular edge device widely used for load balancing and application delivery. The Dutch Institute of Vulnerability Disclosure (DIVD), in partnership with a third party, uncovered a large-scale exploitation campaign targeting Citrix NetScalers.
This blog post delves into the insights provided by this discovery and offers recommendations for safeguarding your systems against similar threats.
Nature of the Exploit
The adversaries behind this campaign exploited the CVE-2023-3519 vulnerability, leveraging an automated approach to compromise vulnerable Citrix NetScalers. This vulnerability allowed them to implant webshells on the targeted devices, providing them with a means to execute arbitrary commands. Astonishingly, even after a NetScaler is patched or rebooted, the webshell persists, granting the adversary unwarranted access to the system.
Scale of the Issue & Observations
The scale of this exploitation campaign is concerning. Initially, over 31,000 NetScalers were found to be vulnerable to the CVE-2023-3519 vulnerability. As of August 14th, around 1,828 NetScalers still harbor backdoors, even though 69% (1,248) of these devices have since been patched against CVE-2023-3519. These statistics highlight an important point: while administrators may take the proactive step of patching their systems, they may overlook that the device could already have been successfully exploited before the patch was applied.
Moreover, it’s noteworthy that most of the compromised NetScalers are concentrated in Europe. The exploitation campaign managed to compromise a staggering 6.3% of all vulnerable NetScalers globally, emphasizing the magnitude of the issue.
Recommendations for Mitigation
In light of this discovery, it’s crucial for organizations to take proactive measures to protect their systems:
- Indicator of Compromise (IoC) Check
Even if you’ve patched your NetScaler, there’s a chance it might still harbor a backdoor. Administrators should conduct regular IoC checks to ensure the device’s integrity.
A Python script has been provided for forensic triage, while Mandiant has contributed a bash script to detect IoCs on live systems.
- Thorough Investigation
If an IoC check indicates a compromise, it’s imperative to take swift action. Secure forensic data, initiate a comprehensive investigation into the compromised NetScaler, and assess whether there has been any lateral movement within your network.
Learning from the Incident
This discovery sheds light on the challenges of safeguarding edge devices like NetScalers. The exploitation of CVE-2023-3519 demonstrates that attackers are quick to exploit vulnerabilities even before patches are available, and they can continue to exploit them on a massive scale.
Administrators and IT professionals need to be aware that adversaries can exploit edge devices to establish persistent backdoors. This is a stark reminder that updating to the latest version alone is not sufficient to protect against such threats. Regular checks and vigilance are essential to ensuring the security of critical systems.