Nearly 2,000 Citrix NetScaler servers have been infected with a web shell through a recently patched vulnerability as part of a large-scale hacking campaign, according to researchers at the cybersecurity outfit Fox-IT, owned by the British information assurance firm NCC Group.
“An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted,” the researchers noted.
CVE-2023-3519 is a code injection flaw that can lead to remote code execution, while the two other flaws, a cross-site scripting issue and an improper access control issue, could be used by a remote attacker to carry out cross-site scripting (XSS) attacks or to escalate privileges on the system.
Last month, the non-profit organization Shadowserver Foundation warned that more than 15,000 Citrix servers remain vulnerable to attacks using CVE-2023-3519.
The latest analysis from NCC Group shows that 1,828 NetScaler servers “remain backdoored”, out of which around 1,248 are already patched against the vulnerability.
“At the time of writing, approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519. This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation,” the researchers said.
The majority of compromised servers are located in Germany, France, Switzerland, Japan, Italy, Spain, the Netherlands, Ireland, Sweden, and Austria.