Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
Executive Summary
Following the previous advisory on the Citrix Netscaler ADC vulnerability (CVE-2023-3519), the NCC Group has identified that as of 14 August, 1828 Citrix NetScaler servers remain compromised or ‘backdoored’ by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor prior to the updates being applied, allowing the malicious actor to establish persistent access to the systems even after the vulnerability has been remediated.
What’s the risk to me or my business?
Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late 20 July to early 21 July. If updates were not applied to affected and vulnerable systems prior to this date, exploitation may have already taken place.
Further information on the vulnerability can be found on our previous advisory linked below.
What can I do?
If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying these updates urgently. All affected systems, updated and vulnerable, should be scanned for indicators of compromise (IoC), Mandiant have released a tool that can help organisations to scan their Citrix devices for evidence of post-exploitation indicators. If IoC’s are identified, then forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are completed. If evidence of persistence such as a webshell is found, then this should be investigated through threat hunting techniques to establish the extent of the incident whilst conducting containment and remediation activities.
More information on the NetScaler vulnerability:
Information on the Mandiant Tool:
https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
Further information on the study of the exploited devices:
Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited