Unveiling the NetScaler Exploitation Campaign


Recently, a significant incident shed light on the vulnerabilities present in Citrix NetScalers, a popular edge device widely used for load balancing and application delivery. The Dutch Institute of Vulnerability Disclosure (DIVD), in partnership with a third party, uncovered a large-scale exploitation campaign targeting Citrix NetScalers.

This blog post delves into the insights provided by this discovery and offers recommendations for safeguarding your systems against similar threats.

Nature of the Exploit

The adversaries behind this campaign exploited the CVE-2023-3519 vulnerability, leveraging an automated approach to compromise vulnerable Citrix NetScalers. This vulnerability allowed them to implant webshells on the targeted devices, providing them with a means to execute arbitrary commands. Astonishingly, even after a NetScaler is patched or rebooted, the webshell persists, granting the adversary unwarranted access to the system.

Scale of the Issue & Observations

The scale of this exploitation campaign is concerning. Initially, over 31,000 NetScalers were found to be vulnerable to the CVE-2023-3519 vulnerability. As of August 14th, around 1,828 NetScalers still harbor backdoors, even though 69% (1,248) of these devices have been patched against the CVE-2023-3519 vulnerability. These statistics highlight an important point: while administrators might take proactive steps to patch their systems, they may overlook the potential for successful exploitation.

Moreover, it’s noteworthy that most of the compromised NetScalers are concentrated in Europe. The exploitation campaign managed to compromise a staggering 6.3% of all vulnerable NetScalers globally, emphasizing the magnitude of the issue.

Recommendations for Mitigation

In light of this discovery, it’s crucial for organizations to take proactive measures to protect their systems:

  • Indicator of Compromise (IoC) Check

    Even if you’ve patched your NetScaler, there’s a chance it might still harbor a backdoor. Administrators should conduct regular IoC checks to ensure the device’s integrity.

    A Python script for forensic triage has been provided, and Mandiant has contributed a bash script that detects IoCs on live systems.

  • Thorough Investigation

    If an IoC check indicates a compromise, it’s imperative to take swift action. Secure forensic data, initiate a comprehensive investigation into the compromised NetScaler, and assess whether there has been any lateral movement within your network.
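The IoC check above rests on one observation from the post: a patch updates known files but does not remove an implanted webshell. The following added Python example (not the DIVD or Mandiant scripts the post mentions) shows a baseline-comparison triage over a constructed web root; the directory layout, file names and the "unexpected script" are assumed sample data, not NetScaler-specific indicators.

```python
"""Post-patch integrity triage: flag files under a web root that are absent from a
known-good baseline. Added example with constructed paths and contents."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root (taken from a clean image)."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def triage(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline. Files a patch replaced appear as
    'modified'; a file the baseline never contained (e.g. an implanted webshell)
    appears as 'unexpected' and survives patching and reboots until removed."""
    findings = {"unexpected": [], "modified": []}
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            findings["unexpected"].append(rel)
        elif baseline[rel] != sha256_of(p):
            findings["modified"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, 'patch' one known asset,
    drop one unexpected script, then run the triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"          # assumed layout, not a real device path
        (root / "vpn").mkdir(parents=True)
        (root / "vpn" / "index.html").write_text("<html>login</html>")
        (root / "logon.js").write_text("// legitimate asset")
        baseline = build_baseline(root)       # taken while the tree is known-good
        (root / "logon.js").write_text("// legitimate asset, updated by patch")  # expected change
        (root / "vpn" / "cache.php").write_text("<?php /* constructed placeholder */ ?>")  # not in baseline
        return triage(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must come from a trusted image taken before exposure; a baseline captured after compromise would whitelist the implant.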

Learning from the Incident

This discovery sheds light on the challenges of safeguarding edge devices like NetScalers. The exploitation of CVE-2023-3519 demonstrates that attackers are quick to exploit vulnerabilities even before patches are available, and they can continue to exploit them on a massive scale.

Administrators and IT professionals need to be aware that adversaries can exploit edge devices to establish persistent backdoors. This is a stark reminder that updating to the latest version alone is not sufficient to protect against such threats. Regular checks and vigilance are essential to ensuring the security of critical systems.

