- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Hundreds of Citrix Endpoints Compromised With Webshells
Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.
The Shadowserver Foundation tweeted yesterday that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.
The biggest number of impacted IPs are based in Germany, followed by France and Switzerland.
Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface
As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.
The unauthenticated remote code execution vulnerability was patched by Citrix on July 15 and has a CVSS score of 9.8.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”
At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.
The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.
The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”
That attack happened back in June.
Editorial image credit: Ken Wolter / Shutterstock.com