Citrix Zero-Day: 7K Instances Remain Exposed, 460 Compromised

Several threat groups are actively exploiting a critical vulnerability in Citrix networking products. Three weeks after Citrix released a patch for its NetScaler ADC and NetScaler Gateway, researchers say nearly 7,000 instances remain exposed on the Web. Of those, around 460 have Web shells installed, likely due to compromise.

On July 18, cloud computing company Citrix published a patch for CVE-2023-3519, a "Critical" 9.8 CVSS-scored zero-day vulnerability, which allows for unauthenticated remote code execution (RCE) in Citrix's NetScaler application delivery controller (ADC) and gateway products.

Since the patch was released, a number of researchers have demonstrated how the vulnerability can be exploited. And attackers — rarely known to pass up an opportunity — have jumped to take advantage of the flaw, installing hundreds of web shells inside of corporate networks and carrying out dozens of exploits already.

And yet, according to data from the Shadowserver Foundation, thousands of exposed NetScaler instances remain unpatched today, and many organizations remain at the mercy of attackers who are installing web shells, and executing commands on internal networks at will.

"It's a complex case, given that Citrix is used in a lot of prominent organizations," says Piotr Kijewski, the CEO at Shadowserver. "We saw quite a few big names that were still vulnerable even a few days ago, including hospitals — these kinds of important institutions. So the potential consequences could be big, if somebody attacks these organizations with ransomware a month from now."

Attackers Move Faster than Defenders

At peak, Shadowserver tracked nearly 18,000 exposed, unpatched instances of NetScaler ADC and Gateway IPs. That number has been falling steadily, but not quickly, as nearly 7,000 remain today, primarily located in North America (2,794) and Europe (2,670).

Source: Shadowserver

For weeks, researchers have documented cases of hackers who are actively compromising these exposed network devices. Just 10 days after the initial disclosure, Shadowserver discovered nearly 700 Web shells installed on NetScaler IPs and are presumed to be associated with instances of CVE-2023-3159 compromises. In the time since that number has fallen, but only by 33%.

Source: Shadowserver

Where initial compromises centered primarily in the EU region (Germany, Switzerland, Italy, and France were the foremost targets) the overwhelming majority of IPs still exposed as of Monday reside in the United States — 2,600 total, compared with 630 in Germany and 425 in the United Kingdom.

Meanwhile, Shadowserver honeypots recorded an increase in the number of active exploitation attempts, with a dozen cases on Sunday alone.

What to Do

Kijewski predicts there will be more compromises to come — both for this CVE and others like it in the future. He points to this spring's MOVEit file transfer vulnerability as a model.

"Threat actors — whether state-sponsored or criminal groups — are dedicating time, money, resources, and skills to this," he explains. "It's been a shift in the last year. Exploits used to be more in the hands of the either well-funded state actors, or researchers who'd release an exploit and then everybody jumps in on the bandwagon. Now even the criminal groups seem to be interested in really targeted vulnerabilities, and reversing them themselves, specifically against code that is usually run in large organizations."

In addition to patching (which may be too late, in many cases), Shadowserver advises that Citrix customers engage their incident response teams, and, if compromised, set up either a new system from scratch, or reboot from a safe backup or snapshot. Today's Web shells, they emphasize, will be tomorrow's cyberattacks.

"We expect these webshells to be utilized when the timing suits the attacker," Shadowserver wrote in its latest update. "This may also happen after all the initial interest has died down and system administrators/security responders are no longer looking closely at their Citrix devices. Make sure you fix your Citrix device before the attacker does it for you."