Researchers are tracking three separate threat actors that are running active campaigns exploiting the critical CVE-2023-3519 remote code execution bug in the NetScaler ADC and Gateway products that Citrix disclosed last month.
The vulnerability is an unauthenticated RCE flaw in the two products, and Citrix released fixes for it on July 18. But attackers had been exploiting the bug for several weeks before the patch was available, and that activity has continued well after the update was published.
“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance,” an advisory from the Cybersecurity and Infrastructure Security Agency from July said. “The webshell enabled the actors to perform discovery on the victim’s Active Directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”
As of August 5, the Shadowserver Foundation identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online, and more than 2,500 of those are in the United States.
In the more recent campaigns that Shadowserver has been tracking, attackers are exploiting the vulnerability to install PHP webshells on target hosts. The webshells function as a persistence mechanism for the attackers, giving them ongoing access to the compromised hosts. So far the attackers have done little with the webshells since planting them, but that is likely to change soon. All three of the campaigns began within days of the Citrix advisory’s publication, showing once again that threat actors pay close attention to public vulnerability disclosures.
Any organization that has not updated its NetScaler ADC or Gateway device at this point should consider that device compromised, researchers said.
“We expect these webshells to be utilized when the timing suits the attacker. This may also happen after all the initial interest has died down and system administrators/security responders are no longer looking closely at their Citrix devices. Make sure you fix your Citrix device before the attacker does it for you,” the Shadowserver post says.
“With proof-of-concept code now being publicly available, we expect to see a lot more exploitation of these devices.”
In fact, researchers at GreyNoise on Monday began seeing an uptick in exploitation attempts against vulnerable NetScaler ADC and Gateway devices.