(Re)check your patched NetScaler ADC and Gateway appliances for signs of compromise
Administrators of Citrix NetScaler ADC and Gateway appliances should check for evidence of installed webshells even if they implemented fixes for CVE-2023-3519 quickly: A recent internet scan by Fox-IT researchers has revealed over 1,800 backdoored NetScaler devices, 69% of which have been patched for the flaw.
CVE-2023-3519 exploited to drop webshells on NetScaler devices.
"We initially only scanned systems that were not patched on July 21st, as the exploitation was believed to be between July 20th and July 21st. Later, we decided to also scan the systems that were already patched on July 21st. The results exceeded our expectations. Based on the internet wide scan, approximately 2000 unique IP addresses seem to have been backdoored with a webshell as of August 9th," they explained.
The interesting thing about this mass automated attack is that the attackers did not compromise all vulnerable NetScaler devices on July 21, but just 1,952 of them - and most of those devices are located in Europe.
Top 20 countries with backdoored Citrix NetScaler devices as of August 14th 2023.
"If a webshell is found, investigate whether it has been used to perform activities. Usage of the webshell should be visible in the NetScaler access logs. If there are indications that the webshell has been used to perform unauthorised activities, it is essential to perform a larger investigation, to identify whether the adversary has successfully taken steps to move laterally from the NetScaler, towards another system in your infrastructure."
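The log review the researchers describe can be scripted. The following is an added example, not code from the article or from Fox-IT: it groups requests for a known webshell path by client IP so that responding (2xx) requests stand out. The webshell path is a placeholder, and the Apache-style log format and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Placeholder, not from the article: set this to the URL path(s) of the
# webshell file(s) actually found on the appliance.
WEBSHELL_PATHS = {"/PLACEHOLDER_DIR/PLACEHOLDER_WEBSHELL.php"}

# Assumption: access log lines use the Apache common/combined format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')


def normalize(target):
    """Strip the query string, percent-decode, and collapse '//' and '..'."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))


def webshell_usage(lines, paths=WEBSHELL_PATHS):
    """Group requests for known webshell paths by client IP."""
    usage = defaultdict(
        lambda: {"requests": 0, "answered": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) not in paths:
            continue
        entry = usage[m["ip"]]
        entry["requests"] += 1
        entry["answered"] += m["status"].startswith("2")  # webshell responded
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(usage)


# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2023:03:14:07 +0000] "POST /PLACEHOLDER_DIR/PLACEHOLDER_WEBSHELL.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [21/Jul/2023:03:15:42 +0000] "GET /%50LACEHOLDER_DIR/PLACEHOLDER_WEBSHELL.php?x=1 HTTP/1.1" 200 98 "-" "-"',
    '198.51.100.20 - - [09/Aug/2023:11:02:10 +0000] "GET /PLACEHOLDER_DIR//../PLACEHOLDER_DIR/PLACEHOLDER_WEBSHELL.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [09/Aug/2023:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, e in webshell_usage(SAMPLE_LOG).items():
        print(ip, e["requests"], e["answered"], e["first"], e["last"])
```

Client IPs with a non-zero `answered` count, and the time window between `first` and `last`, are the starting points for the larger lateral-movement investigation the researchers recommend.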
News URL
https://www.helpnetsecurity.com/2023/08/16/netscaler-cve-2023-3519-webshells/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-19 | CVE-2023-3519 | Code Injection vulnerability in Citrix products Unauthenticated remote code execution | 9.8 |