Automated, large-scale attack campaigns compromised about 2,000 Citrix NetScalers by exploiting an appliance vulnerability. Through the attack, the threat actors obtained persistent access to the compromised systems. Fox-IT responded to several incidents related to the vulnerability in July and August 2023 and discovered several web shells during the investigations.
Fox-IT scanned internet-accessible NetScalers for known web shell paths and found that approximately 2,000 unique IP addresses were most likely backdoored with a web shell as of August 9, 2023. The United States is the country with the most unique IPs of unpatched systems, with more than 2,600 IPs still vulnerable to CVE-2023-3519. Approximately 69% of the NetScalers that contain a web shell are no longer vulnerable to CVE-2023-3519 because fixes have been deployed, but those systems were never checked for prior successful exploitation, so the web shells installed before patching remain in place.
Attackers exploiting the vulnerability used the web shell to extend their compromise and exfiltrate the Active Directory of a critical infrastructure organization. While this organization used network segmentation and the attackers were unable to progress further, other organizations may be compromised by threat actors using the same methods. Vulnerable Citrix NetScaler appliances should be updated and patched, and already-patched appliances should be checked for signs of earlier compromise.
Read More: About 2000 Citrix NetScalers Were Compromised in Massive Attack Campaigns