Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Citrix servers hacked using zero-day exploit

A blue color image of a person trying to log into a protected laptop.

Roughly 2,000 Citrix NetScaler servers were compromised in what appears to be a large-scale attack against the endpoints. This is according to a new report from cybersecurity researchers Fox-IT, part of NCC Group. 

In its report, Fox-IT says the unnamed threat actor leveraged a high-severity vulnerability first discovered in mid-July to breach the servers. The vulnerability is being tracked as CVE-2023-3519, and holds a severity score of 9.8. 

It allows threat actors to run code remotely on Citrix NetScaler ADC and NetScaler Gateway. Even though it was disclosed a month ago, hackers managed to use it as a zero-day.

Indicators of compromise

On the day the report was published (August 14), Fox-IT said 1,828 NetScaler servers were compromised, despite the fact that 1,248 were previously patched against the flaw. 

“A patched NetScaler can still contain a backdoor,” the researchers explained. “It is recommended to perform an Indicator of Compromise check on your NetScalers, regardless of when the patch was applied.” 

Citrix NetScaler is a web application delivery controller (ADC) that speeds up apps, reduces web app ownership costs, and ensures higher app availability. According to WhiteHat Virtual Technologies, as of 2021 there were over 200,000,000 sites using Citrix NetScalers, including tech giants such as Microsoft, eBay, Weather.com, CNET, and MasterCard. 

Given the fact that even patched servers were still compromised, users are advised to secure forensic data, a SiliconANGLE report states. Fox-IT’s researchers recommend users make a forensic copy of both the disk and the memory of the appliance, before deciding on any course of action. In case of a Citrix appliance being installed on a hypervisor, users can make a snapshot, as well. 

Those that find a web shell in their premises should analyze if it was used, and to what end.

Via: BleepingComputer

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.