Several cyber criminals recently targeted Citrix NetScaler ADC and Gateway servers through a vulnerability tracked as CVE-2023-3519, which carries a high CVSS score of 9.8. The flaw allows remote code injection, potentially leading to unauthorized access.
The breach was discovered by the Shadowserver Foundation, a non-profit organization known for gathering and analyzing data on malicious online activity. The foundation provides daily network reports to its subscribers, including government and law enforcement agencies.
Citrix is actively investigating the incident, and at this stage the extent of the impact on affected servers remains unclear. The company has committed to revealing more details about the breach over the coming weekend.
Security analysts from the Shadowserver Foundation have observed that a significant number of the targeted IP addresses are located in countries such as France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. They estimate that around 15,000 accounts could be at risk.
It is worth noting that the vulnerability was previously disclosed by US-CERT in the early weeks of July, and Citrix took measures to address the issue. However, not all users were prompt in applying the fix, leaving them exposed to exploitation, particularly in the West.
As of now, Citrix has not attributed the attack to any specific threat actor. However, there is speculation that the breach could be the work of a state-sponsored actor, given the scale and sophistication of the attack. According to unofficial estimates, approximately 640 Citrix servers have been compromised with web shells.
The situation is being closely monitored, and it is essential that Citrix users update their systems promptly with the provided patches to safeguard against potential threats. Further information will likely be released once Citrix's investigation is complete.