Thursday, May 30, 2024

Over 640 Citrix servers backdoored with web shells in ongoing attacks


Hundreds of Citrix NetScaler ADC and Gateway servers have already been breached and backdoored in a series of attacks targeting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.

The vulnerability was previously exploited as a zero-day to breach the network of a U.S. critical infrastructure organization.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to improving internet security, have now disclosed that attackers deployed web shells on at least 640 Citrix servers in these attacks.

“We can say it is fairly standard China Chopper but we don’t want to disclose more under the circumstances. I can say the number we detect is much lower than the number we believe to be out there, unfortunately,” Shadowserver CEO Piotr Kijewski told BleepingComputer.

China Chopper web shell example (BleepingComputer)

“We report on compromised appliances with webshells in your network (640 for 2023-07-30). We are aware of widespread exploitation happening July 20th already,” Shadowserver said on its public mailing list.

“If you did not patch by then please assume compromise. We believe the actual number of CVE-2023-3519 related webshells to be much higher than 640.”

About two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. However, that number has since dropped to below 10,000, indicating some progress in mitigating the vulnerability.

Map of compromised Citrix servers (Shadowserver)

Citrix released security updates on July 18th to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances and urging customers to install the patches immediately.

The vulnerability primarily affects unpatched NetScaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).

In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root.

In response to ongoing attacks, CISA ordered U.S. federal agencies to secure Citrix servers on their networks by August 9th.

The warning also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance,” CISA said.

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”
