Researchers from Fox-IT, part of the NCC Group, have found that adversaries have planted web shells on vulnerable Citrix NetScaler Application Delivery Controllers (ADCs) and Citrix NetScaler Gateways to maintain remote access and execute commands even after the devices have been updated or rebooted. The presence of these web shells allows attackers to modify NetScaler configurations, stop processes, and disable services. Cyberespionage threat actors have been targeting edge devices like security, networking, and virtualization technologies since at least 2021 to gain persistent access to victims’ networks undetected.
During an automated campaign between July 20 and 21, Fox-IT researchers estimated that 31,127 NetScalers were vulnerable to remote code execution, with 1,828 of them having some kind of backdoor as of August 14. Of the compromised systems, 1,248 have already been patched, but signs of successful exploitation may still be present. It is crucial for administrators to check for signs of compromise, even if they have updated and rebooted their NetScalers. The Mandiant IOC Scanner script can help detect indicators of compromise on these devices and investigate further if web shells are found.
Most of the compromised NetScalers seem to be located in Europe, with Canada, Russia, and the United States having thousands of vulnerable devices in July, but without web shells installed. Mandiant researchers suspect that the recent campaign is consistent with activities by China-linked espionage threat actors, who have previously exploited similar vulnerabilities in Citrix ADC and gateway devices. These actors have been known to target defense industrial bases, governments, technology, and telecommunications organizations to steal user credentials and maintain long-term access to victims’ environments.
In conclusion, businesses and organizations should remain vigilant and conduct thorough checks on their NetScalers for any signs of compromise, even if they have already applied patches. The use of web shells by adversaries highlights the importance of cybersecurity measures and ongoing monitoring to prevent unauthorized access and potential data breaches.
Article Source
https://www.darkreading.com/vulnerabilities-threats/citrix-adc-gateways-still-backdoored-even-after-being-patched