Around 600 Citrix NetScaler servers worldwide have been compromised through a zero-day exploit that allowed web shells to be installed, according to a non-profit tracking the ongoing campaign.
The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.
The largest number of impacted IPs is in Germany, followed by France and Switzerland.
The unauthenticated remote code execution vulnerability, CVE-2023-3519, was patched by Citrix on July 18 and has a CVSS score of 9.8.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”
The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.
The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”
That attack happened back in June 2023.
About 2,000 Citrix NetScalers were compromised in massive automated attack campaigns. Find out more about the threat actors and how to protect against them.
Threat actors have been exploiting a NetScaler appliance vulnerability to get persistent access to the compromised systems. Find out which NetScaler systems are affected, how attackers are hitting vulnerable systems worldwide and how to protect your business from this cybersecurity attack.
Citrix published a security bulletin on July 18, 2023 about three vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467. The bulletin noted that exploits of CVE-2023-3519 had been observed in the wild on unmitigated appliances. Affected systems are:
Zscaler, a cloud security company, provided more details on how the NetScaler vulnerability can be triggered to let an unauthenticated attacker execute arbitrary code as root. A specially crafted HTTP GET request triggers a stack buffer overflow in the NetScaler Packet Processing Engine, which runs as root (Figure A). A proof of concept is available on GitHub.
Fox-IT, part of the U.K.-based information assurance firm NCC Group, responded to several incidents related to the vulnerability in July and August 2023 and found web shells during several of the investigations. This is consistent with other reports, such as those from the Shadowserver Foundation, a nonprofit that works with trusted partners to make the internet more secure.
Following those discoveries, Fox-IT scanned internet-accessible NetScalers for known web shell paths and found that approximately 2,000 unique IP addresses were probably backdoored with a web shell as of Aug. 9, 2023. Fox-IT shared its findings with the Dutch Institute for Vulnerability Disclosure, which notified the administrators of the affected systems.
Shadowserver reported the U.S. is the country with the most unique IPs of unpatched systems, with more than 2,600 unique IPs being vulnerable to CVE-2023-3519 (Figure B).
Fox-IT reported that approximately 69% of the NetScalers that currently contain a web shell backdoor are no longer vulnerable to CVE-2023-3519. Installing the fixed build closes the entry point but does not remove a web shell planted before the fix, so these administrators have deployed the patch without checking their systems for signs of successful exploitation and remain compromised. The company provides a map of compromised NetScaler appliances by country (Figure C).
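The checks that separate a merely patched appliance from a patched-but-backdoored one can be scripted. The block below is an added example written for this page; it is not Fox-IT's scanner, CISA's hunting commands or Citrix code. It lists PHP files modified after the patch date under the directories that public incident-response guidance for CVE-2023-3519 names as drop locations, flags files containing China Chopper-style `eval($_POST[...])` constructs, and pulls POST requests to .php paths out of Apache-style access log lines so they can be correlated with the file hits. The directory list, the log format, the sample file tree and the sample log lines are all assumptions constructed for the demo; on a real appliance, point it at the live filesystem and at the HTTP access log.

```python
"""Webshell hunt for a NetScaler ADC/Gateway filesystem after CVE-2023-3519.

Added example, stdlib only. Assumptions (not from the article): the watched
directories follow public incident-response guidance for this CVE, the log
format is Apache-style combined log, and the sample tree/log are constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Drop locations named in public post-exploitation guidance, relative to the
# appliance root (assumption; extend with whatever your responders have seen).
WEBSHELL_DIRS = ["netscaler/ns_gui", "var/vpn", "var/netscaler/logon"]

# Citrix published the fix on 18 July 2023; files newer than this are unexplained.
PATCH_RELEASE = datetime(2023, 7, 18, tzinfo=timezone.utc).timestamp()

# China Chopper-style one-liner: a code-execution sink fed straight from request data.
_SHELL_RE = re.compile(
    rb"(eval|assert|system|passthru|shell_exec)\s*\(.{0,200}\$_(POST|GET|REQUEST|COOKIE)",
    re.I | re.S,
)
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def recent_php_files(root: str, cutoff: float = PATCH_RELEASE, dirs=WEBSHELL_DIRS) -> List[str]:
    """PHP files under the watched directories modified after `cutoff` (Unix time).
    Equivalent to `find <dir> -name '*.php' -newermt <date>`; every hit must be
    matched to a legitimate firmware package before it is dismissed."""
    hits = []
    for sub in dirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                if name.lower().endswith(".php") and os.path.getmtime(full) > cutoff:
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def looks_like_webshell(path: str) -> bool:
    """Content heuristic for the tiny PHP droppers seen in this campaign."""
    with open(path, "rb") as fh:
        return _SHELL_RE.search(fh.read(65536)) is not None


def php_posts(log_lines: List[str]) -> List[Dict[str, str]]:
    """Access-log entries where a client POSTed to a .php path; a web shell is
    driven this way, so these are the requests to correlate with file hits."""
    out = []
    for line in log_lines:
        m = _ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0].lower()
        if m.group("method") == "POST" and path.endswith(".php"):
            out.append(m.groupdict())
    return out


def hunt(root: str, log_lines: List[str], cutoff: float = PATCH_RELEASE) -> Dict[str, list]:
    """Combine the three checks into one report for an appliance."""
    files = recent_php_files(root, cutoff)
    return {
        "recent_php": files,
        "shell_like": [f for f in files if looks_like_webshell(os.path.join(root, f))],
        "php_posts": php_posts(log_lines),
    }


def build_sample_tree() -> str:
    """Constructed sample appliance root: one old legitimate PHP file and one
    fresh dropper under the Gateway web root."""
    root = tempfile.mkdtemp(prefix="ns_demo_")
    old = os.path.join(root, "netscaler/ns_gui/vpn/js/old_page.php")
    new = os.path.join(root, "netscaler/ns_gui/vpn/themes/prod.php")
    for path, body in ((old, b"<?php echo 'legit'; ?>"), (new, b"<?php @eval($_POST['cmd']); ?>")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    os.utime(old, (1_000_000_000, 1_000_000_000))  # 2001: predates the patch by decades
    return root


SAMPLE_LOG = [  # constructed lines in Apache combined-log shape
    '203.0.113.5 - - [20/Jul/2023:08:15:02 +0000] "POST /vpn/themes/prod.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jul/2023:08:15:09 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [20/Jul/2023:08:16:40 +0000] "POST /vpn/themes/prod.php?x=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    report = hunt(build_sample_tree(), SAMPLE_LOG)
    for key, items in report.items():
        print(key, items)
```

The mtime filter is the cheap first pass and the content heuristic the second; neither is proof on its own, which is why the report also carries the POSTs to .php paths, since a dropped file that is also being driven over HTTP is the combination an operator acts on first.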
Most compromised NetScalers are located in Europe. Fox-IT researchers stated that “there are stark differences between countries in terms of what percentage of their NetScalers were compromised. For example, while Canada, Russia and the United States of America all had thousands of vulnerable NetScalers on July 21, virtually none of these NetScalers were found to have a webshell on them. As of now, we have no clear explanation for these differences, nor do we have a confident hypothesis to explain which NetScalers were targeted by the adversary and which ones were not.”
In addition, the Cybersecurity and Infrastructure Security Agency reported web shell implants exploiting CVE-2023-3519. The report noted that attackers exploited the vulnerability as early as June 2023 and used the web shell to extend their compromise and exfiltrate the Active Directory data of a critical infrastructure organization. The threat actor accessed NetScaler configuration files and decryption keys, then used the decrypted AD credential to query the AD and exfiltrate the collected data.
While this organization's network segmentation stopped the attackers from going further, other organizations without such controls could be fully compromised by threat actors using the same methods.
Dave Mitchell, chief technical officer at cybersecurity company HYAS, stated that “unfortunately, this is far from the first time this has happened in recent memory. In previous campaigns, attackers gained footholds within F5, Fortinet and VMware appliances through exposed management interfaces in order to avoid detection by EDR software. Regardless of whether the exploit is already in the wild, customers are expected to monitor their devices for the IOCs before and after the patch is applied — which is obviously not at an acceptable level. The reason for this gap may be education, outsourced managed devices or division of security labor within an organization, but I do not expect attacks on network devices to stop anytime soon.”
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Thousands of companies could be at risk from an actively exploited Citrix zero-day that hackers have already abused to target at least one critical infrastructure organization in the United States.
Citrix last week sounded the alarm about the critical-rated flaw, tracked as CVE-2023-3519 with a severity rating of 9.8 out of 10, which impacts NetScaler ADC and NetScaler Gateway devices. These enterprise-facing products are designed for secure application delivery and providing VPN connectivity, and are used extensively worldwide, particularly within critical infrastructure organizations.
Citrix warned that the zero-day could allow an unauthenticated, remote attacker to run arbitrary code on a device and said it has evidence that the vulnerability was exploited in the wild. Citrix released security updates for the vulnerability on July 18 and is urging customers to install the patches as soon as possible.
Days after Citrix’s warning, U.S. cybersecurity agency CISA revealed that the vulnerability had been exploited against a U.S. critical infrastructure organization in June, and was reported to the agency earlier in July.
CISA said that hackers exploited the flaw to drop a webshell on the organization’s NetScaler ADC appliance, enabling them to collect and exfiltrate data from the organization’s Active Directory, including information about users, groups, applications and devices on the network. But because the targeted appliance was isolated within the organization’s network, the hackers were unable to move laterally and compromise the domain controller.
While this organization successfully managed to ward off the hackers targeting its systems, thousands of other organizations could be at risk. The Shadowserver Foundation, a nonprofit organization that works to make the internet more secure, said it has found more than 15,000 Citrix servers worldwide at risk of compromise unless patches are applied.
The largest number of unpatched servers are based in the U.S. (5,700), followed by Germany (1,500), the U.K. (1,000) and Australia (582), according to their analysis.
It’s not yet known who is behind the exploitation of this vulnerability, but Citrix vulnerabilities have been known to be exploited by both financially motivated cybercriminals and state-sponsored threat actors, including groups linked to China.
In a blog post published over the weekend, researchers at Mandiant said that while they cannot yet attribute the intrusions to any known threat group, the activity is “consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.” Mandiant added that the intrusions are likely part of an intelligence-gathering campaign, noting that espionage-motivated threat actors continue to target technologies that do not support endpoint detection and response solutions, such as firewalls, IoT devices, hypervisors and VPNs.
“Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments,” the researchers said.
A zero-day vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appears to be under exploitation by an as-yet-unattributed advanced persistent threat (APT) actor, suspected to be China-nexus, and should be patched immediately.
Per Citrix’s initial advisory released on Tuesday 18 July, the three vulnerabilities patched by Citrix affect multiple versions of the NetScaler ADC (previously Citrix ADC) and NetScaler Gateway (previously Citrix Gateway) lines.
They are tracked as CVE-2023-3466, a reflected cross-site scripting flaw; CVE-2023-3467, a privilege escalation vulnerability; and CVE-2023-3519, an unauthenticated remote code execution (RCE) bug.
Of these, the issue of concern is the RCE vulnerability, CVE-2023-3519, which carries a CVSS score of 9.8, and it is this bug that was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list on 20 July.
The addition of a vulnerability to the KEV list mandates that US government bodies must address it by a set date. It carries no weight beyond this, but inclusion on this list is a sure sign that attention should be paid by all organisations.
According to the CISA, the threat actor exploited CVE-2023-3519 to drop a webshell on a non-production environment NetScaler ADC appliance owned by an operator of critical national infrastructure (CNI).
Using this webshell, the actor then attempted to perform discovery actions on the victim’s active directory (AD) and exfiltrate data from it. They then tried to move laterally to a domain controller, but were thwarted in this instance when the appliance’s network-segmentation controls kicked in.
In this instance, the victim organisation was able to swiftly identify the compromise and duly reported the incident to both CISA and Citrix.
Assessing the impact of CVE-2023-3519, researchers at Mandiant, which played a key role in the initial investigation, said that ADC devices present a tempting target: they are used predominantly in the IT sector and are a vital component of enterprise cloud datacentres, where they ensure optimal delivery of enterprise applications.
However, wrote the analyst team, comprising James Nugent, Foti Castelan, Doug Bienstock, Justin Moore and Josh Murchie, Chinese threat actors often target devices that sit at the edge of the network because they can be harder to monitor, and very often don’t support intrusion detection solutions.
“Mandiant cannot attribute this activity based on the evidence collected thus far,” the team wrote. “However, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.
“The evolution of the China-nexus cyber threat landscape has evolved to such an extent that its ecosystem mirrors more closely that of financial crime clusters, with connections and code overlap not necessarily offering the comprehensive picture.”
Beyond applying the patch, Mandiant recommends that any affected appliance found to have been exploited be rebuilt immediately, because the upgrade process overwrites some, but not all, of the directories where threat actors may drop web shells; a patched appliance can therefore still carry a working backdoor.
Security teams may also wish to re-evaluate whether or not their ADC or Gateway appliances’ management ports need unrestricted internet access, and limit access to only necessary IP addresses, which would make post-exploitation activities harder going forward.
Based on some of the other tactics, techniques and procedures (TTPs) outlined in Mandiant’s write-up, the research team is also recommending that affected organisations rotate all secrets stored in the configuration file, and any private keys or certificates useable for transport layer security (TLS) connections.
They may also wish to harden susceptible accounts in the domain to protect against credential exposure and limit a threat actor’s ability to obtain credentials for lateral movement.
Formerly known as Xenmobile, Citrix Endpoint Manager is a unified device management system that provides a simplified platform for IT departments to monitor and administer hardware of all types.
With features beyond the scope of standard Mobile Device Management (MDM) products, Citrix Endpoint Manager supports all commercially available mobile operating systems and desktop OSs. Offered stand-alone or as part of a more comprehensive selection of Citrix business software, Citrix Endpoint Manager aims to be seamless for the end user and effortless for the IT department to manage.
Citrix Endpoint Manager is an upgraded version of Xenmobile, offering additional features.
In addition to the usual MDM functionalities like compliance management and application control, Citrix Endpoint Manager provides all the necessary tools for end-users to carry out their tasks. It offers a comprehensive BYOD management system with hassle-free enrollment and supports handheld scanners and similar endpoints.
The system enables easy tracking and identification of both devices and users, allowing for managing content viewed on devices (whether online or on corporate servers), deployment of software and apps, and assignment and withdrawal of permissions. The comprehensive inventory can be managed and grouped by device and other parameters, and policies can be applied and adjusted across hardware and users, all from the admin screen of Citrix Endpoint Manager.
The Citrix Endpoint Manager is a powerful tool that operates seamlessly within a standard Citrix Workspace environment. It offers a comprehensive suite of tools and features for managing devices and applications within an organization.
With the ability to integrate with existing workspaces, the Endpoint Manager makes it easy to enroll devices and manage app distribution or restrictions across the network. To enroll devices, a console with all the necessary tools is provided, and end users can use the AutoDiscovery feature for enrollment, making the process simpler and reducing the workload on the MDM administrator.
An Apple Push Notifications developer account is required for Apple hardware, while Android devices require an organizational Google account and a Google Play account.
With Citrix Endpoint Manager, organizations can streamline device management processes and boost productivity and security.
Citrix Endpoint Manager offers integrated administration of Android and Android Enterprise, Chrome OS, macOS, iOS, tvOS, iPadOS, and Windows 10 devices; of these, only macOS and tvOS are not found on mobile hardware. Linux is supported only through a Citrix Ready workspace hub compatible with the Raspberry Pi 3.
Citrix Endpoint Manager can access and control these devices' management systems. So, for example, the Unified Endpoint Management capability in Windows 10 can be used to enroll and manage Windows 10 tablets and hybrids. Similarly, Citrix Endpoint Manager can access mobile device data, app information, and control security and other aspects in iOS for iPhone and iPadOS for the Apple iPad.
Additionally, Citrix Endpoint Manager supports Alexa for Business, making it the ideal choice for managing and administering mobile IoT devices and integrating those with the usual MDM hardware. Need to start a projector or dim the lights in the conference room? Those integrations can be handled from a permitted mobile device across the Citrix Endpoint Manager environment.
Citrix Endpoint Manager prioritizes both hardware and user compatibility. Rather than restricting users to specific devices, it takes a flexible approach, allowing organizations to determine the best machines, apps, and software vendors for their IT, colleagues, and overall business needs.
Citrix Workspace is a unified platform that can be accessed across devices and profiles, ensuring that users have the necessary tools on the hardware they use. Enrollment is simple and usually doesn't require repetition.
From an administrative perspective, each user and device can be easily managed through a user-friendly interface that provides analysis data. This interface allows you to monitor compliance information device statistics by platform and carrier and manage device security, apps, and permissions.
Are you looking for pricing options for Citrix? They offer different packages that can be scaled according to the needs of your business.
The Stand-alone package integrates with other Citrix products and supports major platforms and hardware. This package costs $4 per user per month or $3 per device per month.
Workspace Premium is a more comprehensive solution that costs $18 per user per month. This package offers a secure interface to access apps and files, including Citrix Endpoint Manager and other notable Citrix products.
Workspace Premium Plus costs $25 per user per month and includes hybrid deployment options for Citrix Virtual Apps and Desktops, with cloud management.
To know how much Citrix Endpoint Manager may cost, visit their website, which provides a helpful calculator. Simply choose a plan, usage type, and quantity to get an estimation (actual prices may vary).
For instance, if you have 500 users and choose the Stand-alone package on a one-year contract, it would cost $4.83 per user per month. If you choose a three-year contract, you could save 20% and pay only $3.87 per user monthly.
When selecting a mobile device management (MDM) solution, many factors must be considered. One important consideration is the offerings provided by established players in organizational collaboration networks. Citrix Endpoint Manager is a strong contender in this space due to its wide assortment of features and tools and its straightforward device enrollment process.
If your network is already utilizing Citrix Workspace or requires an upgrade, then choosing Citrix Endpoint Manager would be a sensible decision. The necessary operating systems and server software have already been installed, and the server hardware is operational. If your budget permits, transitioning to Citrix Endpoint Manager within an existing Citrix environment may be your most appropriate option.
With its powerful management capabilities and user-friendly interface, Citrix Endpoint Manager can help streamline your organization's mobile device management processes, allowing you to focus on what matters - your business.
Whether managing a small team of mobile workers or a large enterprise with thousands of devices, Citrix Endpoint Manager has the tools and features you need to succeed. So why not try it today and see how it can help take your mobile device management to the next level?
Hundreds of Citrix NetScaler ADC and Gateway servers have already been breached and backdoored in a series of attacks exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.
The vulnerability was previously exploited as a zero-day to breach the network of a U.S. critical infrastructure organization.
Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, have now disclosed that attackers deployed web shells on at least 640 Citrix servers in these attacks.
"We can say it's fairly standard China Chopper but we do not want to disclose more under the circumstances. I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately," Shadowserver CEO Piotr Kijewski told BleepingComputer.
"We report on compromised appliances with webshells in your network (640 for 2023-07-30). We are aware of widespread exploitation happening July 20th already," Shadowserver said on their public mailing list.
"If you did not patch by then please assume compromise. We believe the genuine amount of CVE-2023-3519 related webshells to be much higher than 640."
About two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. However, that number has since dropped to under 10,000, indicating some progress in mitigating the vulnerability.
Citrix released security updates on July 18th to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances and urging customers to install the patches without delay.
The vulnerability is exploitable only on unpatched NetScaler appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA server).
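The two facts that decide exposure, the running build and whether a Gateway or AAA virtual server is configured, can both be read straight off the appliance. The block below is an added example, not Citrix's code: it parses a `show ns version` banner and the ns.conf text and classifies the appliance as vulnerable, patched (so hunt for web shells), or not reachable in its current configuration. The fixed-build table reproduces the builds listed in Citrix's July 18 bulletin (an assumption to confirm against the current bulletin before relying on it); the sample banners and configuration lines are constructed for the demo.

```python
"""Exposure triage for CVE-2023-3519 from `show ns version` and ns.conf.

Added example, stdlib only. The fixed-build table reproduces Citrix's 18 July
2023 bulletin (assumption: confirm against the current bulletin); the sample
banners and configuration are constructed.
"""
import re
from typing import List, Optional, Tuple

# First fixed build per release track. NetScaler 12.1 (non-FIPS, non-NDcPP) is
# end-of-life and received no fix, so it is deliberately absent.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}

_VERSION_RE = re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<maj>\d+)\.(?P<min>\d+)")
# Gateway (vpn) and AAA (authentication) virtual servers; ICA Proxy, CVPN and
# RDP Proxy are all `vpn vserver` objects, so one pattern covers the bulletin's list.
_EXPOSED_RE = re.compile(r"^\s*add\s+(vpn|authentication)\s+vserver\s+(\S+)", re.I)


def parse_version(banner: str) -> Tuple[str, int, int]:
    """'NetScaler NS13.1: Build 48.47.nc, ...' -> ('13.1', 48, 47)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group("rel"), int(m.group("maj")), int(m.group("min"))


def build_is_fixed(banner: str, track: Optional[str] = None) -> bool:
    """True when the running build is at or above the first fixed build.
    FIPS/NDcPP appliances cannot be told from the banner alone, so pass
    `track` ('13.1-FIPS', '12.1-FIPS', '12.1-NDcPP') for those; unknown or
    end-of-life tracks are treated as unfixed."""
    rel, maj, minor = parse_version(banner)
    fixed = FIXED_BUILDS.get(track or rel)
    return fixed is not None and (maj, minor) >= fixed


def exposed_vservers(ns_conf: str) -> List[str]:
    """Names of the virtual servers through which CVE-2023-3519 is reachable."""
    names = []
    for line in ns_conf.splitlines():
        m = _EXPOSED_RE.match(line)
        if m:
            names.append(m.group(2))
    return names


def triage(banner: str, ns_conf: str, track: Optional[str] = None) -> str:
    """'vulnerable'   : exposed vserver on an unfixed build; patch now and assume compromise
       'patched-hunt' : exposed vserver on a fixed build; still hunt for web shells
       'not-reachable': no Gateway/AAA vserver; install the fix anyway for CVE-2023-3466/3467"""
    if not exposed_vservers(ns_conf):
        return "not-reachable"
    return "patched-hunt" if build_is_fixed(banner, track) else "vulnerable"


# Constructed samples for the demo.
SAMPLE_CONF = """\
add lb vserver vs_intranet HTTP 10.0.0.5 80
add vpn vserver vs_gateway SSL 203.0.113.10 443 -icaOnly ON
add authentication vserver vs_aaa SSL 203.0.113.11 443
"""
OLD_BANNER = "NetScaler NS13.1: Build 48.47.nc, Date: Jun 5 2023, 12:09:41   (64-bit)"
NEW_BANNER = "NetScaler NS13.1: Build 49.13.nc, Date: Jul 17 2023, 10:01:12   (64-bit)"

if __name__ == "__main__":
    print(exposed_vservers(SAMPLE_CONF))    # ['vs_gateway', 'vs_aaa']
    print(triage(OLD_BANNER, SAMPLE_CONF))  # vulnerable
    print(triage(NEW_BANNER, SAMPLE_CONF))  # patched-hunt
```

The "patched-hunt" outcome is the one Fox-IT's numbers warn about: a fixed build on an appliance that was exposed during the exploitation window is evidence that the hole is closed, not that nobody came through it, so the triage deliberately never returns a plain "safe".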
In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root.
In response to ongoing attacks, CISA ordered U.S. federal agencies to secure Citrix servers on their networks by August 9th.
The warning also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance," CISA said.
"The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement."
Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix NetScaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.
This highlights the pressing need for security teams to make patching Citrix servers a top priority on their to-do lists.
Hackers are exploiting a newly discovered vulnerability in yet another enterprise file transfer software, the U.S. government’s cybersecurity agency has warned.
CISA on Wednesday added a vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalog. The agency warned that the flaw poses “significant risks to the federal enterprise,” and mandated that federal civilian executive branch agencies — CISA included — apply vendor patches by September 6.
Citrix first released a warning about the vulnerability back in June. The flaw, which was given a vulnerability severity rating of 9.8 out of 10, is described as an improper access control bug that could allow an unauthenticated attacker to remotely compromise customer-managed Citrix ShareFile storage zones controllers, no passwords needed.
While Citrix ShareFile is predominantly a cloud-based file-transfer tool, it also provides a “storage zones controller” tool that enables organizations to store files on-premise or with supported cloud platforms, such as Amazon S3 and Windows Azure.
According to Dylan Pindur of Assetnote, who first discovered the vulnerability and warned that it stems from small errors in ShareFile’s implementation of AES encryption, as many as 6,000 organizations had publicly exposed instances as of July.
“A search online shows roughly 1,000-6,000 instances are internet accessible,” said Pindur. “This popularity, combined with the software being used to store sensitive data, meant if we found anything it could have quite an impact.”
Threat intelligence startup GreyNoise said it observed a “significant spike” in attacker activity after CISA published its warning about the ShareFile vulnerability.
The identity of the hackers behind the observed in-the-wild attacks is not yet known.
Corporate file-transfer software has become a popular target for hackers as these systems often store huge batches of highly sensitive data.
The Russia-linked Clop ransomware gang alone has claimed responsibility for targeting at least three corporate tools, including Accellion’s FTA, Fortra’s GoAnywhere MFT and — most recently — Progress’ MOVEit Transfer.
According to the latest data from cybersecurity company Emsisoft, the ongoing MOVEit mass-attacks have so far claimed 668 victim organizations, affecting more than 46 million individuals. Just this week, it was revealed that more than four million Americans had their sensitive medical and health information stolen after IBM fell victim to the MOVEit hackers.