Over 640 Citrix servers backdoored with web shells in ongoing attacks (Updated)

[correlate]

Level 18
Thread author
Top Poster
Well-known
May 4, 2019
806
Hundreds of Citrix Netscaler ADC and Gateway servers have already been breached and backdoored in a series of attacks targeting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.
The vulnerability was previously exploited as a zero-day breach of the network of a U.S.A. critical infrastructure organization.
Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, have now disclosed that attackers had deployed web shells on at least 640 Citrix servers in these attacks.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,393

RCE exploited to hack 6% of all vulnerable servers​

Security researchers at cybersecurity company Fox-IT (part of the NCC Group) and the Dutch Institute of Vulnerability Disclosure (DIVD) have discovered a large-scale campaign that planted webshells on Citrix Netscaler servers vulnerable to CVE-2023-3519.

Although the vulnerability received a patch on July 18, hackers started exploiting it in the wild as a zero-day to execute code without authentication.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,393

Citrix ADC Vulnerability IOC Scanner tool available​

Today, Mandiant released a scanner that enables organizations to examine their Citrix ADC and Citrix Gateway devices for signs of compromise and post-exploitation activity.

"The tool is designed to do a best effort job at identifying existing compromises," reads Mandiant's post.

"It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation."

Mandian't Ctrix IOC Scanner must be run directly on a device or a mounted forensic image, as it will scan the local filesystem and configuration files for the presence of various IOCs.

When finished, the scanner will display a summary detailing if it encountered any signs of compromise […]
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top