DIVD-2023-00033 - Citrix systems exploited with CVE-2023-3519
| Our reference | DIVD-2023-00033 |
| Case lead | Lennaert Oudshoorn |
| Author | Max van der Horst |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Update your system to the latest patched version |
| Patch status | Fully patched |
| Status | Closed |
| Last modified | 26 Sep 2023 10:10 CEST |
Summary
The DIVD CSIRT and Fox-IT (part of NCC Group) have scanned the Internet for Citrix servers that are highly likely to have been backdoored with a webshell. This scan was performed to find webshells that were discovered in a recent campaign believed to be related to the remote code execution vulnerability CVE-2023-3519. DIVD is now sending out notifications to the owners of networks it believes with high confidence to contain compromised Citrix appliances.
Recommendations
The appliance may have already been updated to a version that is no longer susceptible to the recent remote code execution vulnerability. However, exploitation (leading to the placement of a webshell) may have occurred while the appliance was still vulnerable. The webshell is located in a directory that persists between reboots, and also after most updates. Therefore, updating the appliance will not mitigate this compromise.
DIVD and Fox-IT advice to perform the following actions to identify and mitigate a additional threat:
- Secure forensic data; It is strongly recommended to make a forensic copy of both the disk and the memory of the appliance before any remediation or investigative actions are done. If the Citrix appliance is installed on a hypervisor, a snapshot can be made for follow-up investigation at a later time
- Investigate the Netscaler; Investigate whether the webshell has been used to perform activities. Usage of the webshell should be visible in the Netscaler access logs.
- Investigate for lateral movement; If there are indications that the webshell has been used to perform unauthorized activities, it is essential to perform a larger investigation, to identify whether the adversary has successfully taken steps to move laterally from the Netscaler, towards another system in your infrastructure.
From the internet scan, it cannot be determined if the webshell has actually been used for further malicious activity on the identified appliance(s). As of yet, it appears that exploitation has been done at a large scale, likely in an automated fashion.
There are several resources available that document the in-the-wild exploitation of Citrix appliances where forensic artifacts can be found:
- https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/
- https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
If you are unsure on how to proceed, it is recommended to consult a cyber security incident response team.
What we are doing
Fox-IT (part of NCC Group) has shared data of vulnerable systems. DIVD will notify owners of vulnerable systems.
Timeline
| Date | Description |
|---|---|
| 18 Jul 2023 | Citrix releases a security bulletin for CVE-2023-3519, CVE-2023-3467 and CVE-2023-3466 |
| 19 Jul 2023 | DIVD Case 2023-00030 started |
| 10 Aug 2023 | DIVD starts notifying owners of exploited systems |
| 11 Aug 2023 | DIVD starts cooperation with various Government CERTs. |
| 15 Aug 2023 | Fox-IT publishes blog post on found webshells. |
| 16 Aug 2023 | DIVD starts collaboration with Shadowserver on data sharing. |
| 26 Sep 2023 | DIVD decides to close case after monitoring. |
More information
- Fox-IT blog on Citrix webshells
- ShadowServer blog on Citrix incidents
- Mandiant blog on Citrix exploitation
- Cisa advisory on Citrix exploitation
- Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467