Citrix servers hacked using zero-day exploit

Even patched servers got compromised

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Roughly 2,000 Citrix NetScaler servers were compromised in what appears to be a large-scale attack against the endpoints. This is according to a new report from cybersecurity researchers Fox-IT, part of NCC Group.

In its report, Fox-IT says the unnamed threat actor leveraged a high-severity vulnerability first discovered in mid-July to breach the servers. The vulnerability is being tracked as CVE-2023-3519, and holds a severity score of 9.8.

It allows threat actors to run code remotely on Citrix NetScaler ADC and NetScaler Gateway. Even though it was disclosed a month ago, hackers managed to use it as a zero-day.

Indicators of compromise

On the day the report was published (August 14), Fox-IT said 1,828 NetScaler servers were compromised, despite the fact that 1,248 were previously patched against the flaw.

“A patched NetScaler can still contain a backdoor,” the researchers explained. “It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.”

Citrix urges admins to patch these dangerous flaws immediately>Hackers are targeting US critical infrastructure using this Citrix zero-day>These are the best malware removal tools around

Citrix NetScaler is a web application delivery controller (ADC) that speeds up apps, reduces web app ownership costs, and ensures higher app availability. According toWhiteHat Virtual Technologies, as of 2021 there were over 200,000,000 sites using Citrix NetScalers, including tech giants such asMicrosoft, eBay, Weather.com, CNET, and MasterCard.

Given the fact that even patched servers were still compromised, users are advised to secure forensic data, aSiliconANGLE reportstates. Fox-IT’s researchers recommend users make a forensic copy of both the disk and the memory of the appliance, before deciding on any course of action. In case of a Citrix appliance being installed on a hypervisor, users can make a snapshot, as well.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Those that find a web shell in their premises should analyze if it was used, and to what end.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

LG Electronics sets ambitious B2B revenue goal to offset declining consumer demand

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics