Thousands of companies could be at risk from an actively exploited Citrix zero-day that hackers have already abused to target at least one critical infrastructure organization in the United States.
Citrix last week sounded the alarm about the critical-rated flaw, tracked as CVE-2023-3519 with a severity rating of 9.8 out of 10, which impacts NetScaler ADC and NetScaler Gateway devices. These enterprise-facing products are designed for secure application delivery and VPN connectivity, and are used extensively worldwide, particularly within critical infrastructure organizations.
Citrix warned that the zero-day could allow an unauthenticated, remote attacker to run arbitrary code on a device and said it has evidence that the vulnerability was exploited in the wild. Citrix released security updates addressing the vulnerability on July 18 and is urging customers to install the patches as soon as possible.
Days after Citrix’s warning, U.S. cybersecurity agency CISA revealed that the vulnerability had been exploited against a U.S. critical infrastructure organization in June, and was reported to the agency earlier in July.
CISA said that hackers exploited the flaw to drop a webshell on the organization’s NetScaler ADC appliance, enabling them to collect and exfiltrate data from the organization’s Active Directory, including information about users, groups, applications, and devices on the network. But because the targeted appliance was isolated within the organization’s network, the hackers were unable to move laterally and compromise the domain controller.
While this organization managed to ward off the hackers targeting its systems, thousands of other organizations could be at risk. The Shadowserver Foundation, a non-profit organization that works to make the internet more secure, said it has found over 15,000 Citrix servers worldwide at risk of compromise unless patches are applied.
The largest number of unpatched servers are based in the U.S. (5,700), followed by Germany (1,500), the UK (1,000) and Australia (582), according to its analysis.
It’s not yet known who is behind the exploitation of this vulnerability, but Citrix vulnerabilities have been known to be exploited by both financially motivated cybercriminals and state-sponsored threat actors, including groups linked to China.
In a blog post published over the weekend, researchers at Mandiant said that while they cannot yet attribute the intrusions to any known threat group, the activity is “consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.” Mandiant added that the intrusions are likely part of an intelligence-gathering campaign, noting that espionage-motivated threat actors continue to target technologies that do not support endpoint detection and response solutions, such as firewalls, IoT devices, hypervisors and VPNs.
“Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments,” the researchers said.