Nearly 1,900 Citrix Networking Products Around the World Backdoored in Large-Scale Campaign
August 25, 2023
Introduction
A recent report by researchers from Fox-IT, part of NCC Group, has revealed that nearly 1,900 Citrix networking products have been backdoored as part of a large-scale automated campaign. The campaign exploited a known vulnerability, CVE-2023-3519, in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appliances. The web shells left on the compromised appliances allow the adversaries to execute arbitrary commands remotely, even after the appliance has been updated and rebooted. This attack highlights the persistent threat posed by cyber espionage actors, who particularly target edge devices such as security, networking, and virtualization technologies.
The Exploited Vulnerability
The vulnerability, CVE-2023-3519, was first disclosed and patched in July. Mandiant researchers identified multiple web shells that attackers have been using to manipulate the configuration of the NetScaler and to disable processes and services. Although most administrators were aware of the vulnerability and applied the patch, they failed to check their NetScalers for signs of successful exploitation. This oversight allowed the backdoors to remain undetected, highlighting the importance of thorough investigation even after applying security patches.
Extent and Impact of the Campaign
The automated campaign, estimated to have taken place between July 20 and July 21, targeted a total of 31,127 vulnerable NetScalers. As of August 14, 1,828 NetScalers were found to have been compromised with some form of backdoor. Interestingly, while the majority of the compromised systems were located in Europe, vulnerable NetScalers in Canada, Russia, and the United States did not have any web shells installed. This suggests that the campaign was specific to certain regions.
Mandiant researchers noted that this campaign aligns with previous activity observed from espionage threat actors connected to China. They confirmed that similar operations, including past attacks on Citrix appliances, point toward the involvement of China-nexus groups. These well-resourced adversaries have a history of exploiting zero-day vulnerabilities and deploying custom malware to gain long-term access to target environments.
Recommendations for Enterprise Defenders
The Fox-IT research team recommends several actions to mitigate the risk posed by this campaign. While updating and rebooting the systems is an important step, it is not sufficient on its own. Enterprise defenders should conduct thorough checks on their NetScalers for signs of compromise, regardless of when the patch was applied. The researchers suggest using Mandiant’s Indicator of Compromise (IoC) Scanner, a bash script designed to detect indicators of compromise on NetScaler appliances. If a web shell is found, defenders should also analyze the NetScaler access logs for any evidence of the shell being used.
If signs of compromise are detected, further investigation is necessary to determine whether the adversaries have managed to move laterally through the network. This requires a comprehensive assessment of the network and security infrastructure to ensure that all traces of compromise are identified and mitigated.
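The access-log review recommended above can be started with a simple triage pass: parse the log, ignore everything that hits a known-good content path, and report successful requests to script files that the appliance was never expected to serve, together with who called them and how often. The following Python script is an added example written for this article; it is not code from Fox-IT, Mandiant, or Citrix, and it is not a substitute for the IoC Scanner. It assumes an Apache-style common log format (adjust the regular expression to whatever format your appliance writes), and the log lines, source addresses, the known-good path list and the web shell file name are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache-style common log format.
# The layout of a real appliance log is an assumption here; the file name
# EXAMPLE_WEBSHELL.php is a placeholder, not a real indicator.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2023:03:12:41 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.10 - - [21/Jul/2023:03:12:42 +0000] "GET /static/app.js HTTP/1.1" 200 8810
198.51.100.7 - - [21/Jul/2023:03:40:01 +0000] "POST /app/EXAMPLE_WEBSHELL.php HTTP/1.1" 200 78
198.51.100.7 - - [21/Jul/2023:03:40:05 +0000] "POST /app/EXAMPLE_WEBSHELL.php HTTP/1.1" 200 1402
192.0.2.55 - - [21/Jul/2023:04:00:00 +0000] "GET /app/EXAMPLE_WEBSHELL.php?x=1 HTTP/1.1" 200 31
203.0.113.10 - - [21/Jul/2023:04:05:09 +0000] "GET /missing.html HTTP/1.1" 404 0
"""

# Known-good baseline of paths the appliance legitimately serves (constructed;
# in practice, build this from a clean appliance or the vendor's file manifest).
KNOWN_PATHS = {"/index.html", "/static/app.js"}

# Server-side script extensions worth flagging when they appear outside the baseline.
SCRIPT_SUFFIXES = (".php", ".cgi", ".pl", ".py", ".sh")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string for matching
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, known_paths):
    """Return {path: summary} for successful requests to unexpected script files.

    A request is reported when it (1) targets a path outside the baseline,
    (2) returned a 2xx status (so the file actually exists and was served),
    and (3) ends in a server-side script extension.
    """
    findings = defaultdict(
        lambda: {"hits": 0, "sources": set(), "methods": set(), "first_seen": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] in known_paths:
            continue
        if not 200 <= rec["status"] < 300:
            continue  # a 404 to an unknown path is scanner noise, not evidence of a shell
        if not rec["path"].lower().endswith(SCRIPT_SUFFIXES):
            continue
        f = findings[rec["path"]]
        f["hits"] += 1
        f["sources"].add(rec["src"])
        f["methods"].add(rec["method"])
        if f["first_seen"] is None:
            f["first_seen"] = rec["ts"]
    return dict(findings)


if __name__ == "__main__":
    for path, info in find_suspicious(SAMPLE_LOG, KNOWN_PATHS).items():
        print(f"{path}: {info['hits']} hits, first seen {info['first_seen']}, "
              f"methods {sorted(info['methods'])}, sources {sorted(info['sources'])}")
```

The first-seen timestamp and the calling addresses are what the later lateral-movement investigation needs: they bound the window in which the shell was usable and give the source addresses to pivot on in firewall, VPN and authentication logs. Every reported path must still be confirmed on disk, since a false positive from a legitimately added custom script is cheaper than a missed shell.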
Conclusion
The large-scale backdooring campaign targeting Citrix networking products highlights the ongoing threat posed by cyber espionage actors. It underscores the need for organizations to prioritize security measures and consistently check for signs of compromise even after applying patches. The involvement of China-nexus groups, as observed by Mandiant researchers, further underscores the sophistication and persistence of these actors.
As technology advances and the digital landscape continues to evolve, it is imperative for both organizations and individuals to remain vigilant about internet security. Regular updates, robust security practices, and proactive detection and response are key to mitigating the risks associated with cyber threats.