Hackers exploit Citrix zero-day to target US critical infrastructure


Thousands of companies could be at risk from an actively exploited Citrix zero-day that hackers have already abused to target at least one critical infrastructure organization in the United States.

Citrix last week sounded the alarm about the critical-rated flaw, tracked as CVE-2023-3519 with a severity rating of 9.8 out of 10, which impacts NetScaler ADC and NetScaler Gateway devices. These enterprise products provide secure application delivery and VPN connectivity, and are used extensively worldwide, particularly within critical infrastructure organizations.

Citrix warned that the zero-day could allow an unauthenticated, remote attacker to run arbitrary code on a device and said it has evidence that the vulnerability was exploited in the wild. Citrix released security updates for the vulnerability on July 18 and is urging customers to install the patches as soon as possible.

Days after Citrix’s warning, U.S. cybersecurity agency CISA revealed that the vulnerability had been exploited against a U.S. critical infrastructure organization in June, and was reported to the agency earlier in July.

CISA said that hackers exploited the flaw to drop a webshell on the organization’s NetScaler ADC appliance, enabling them to collect and exfiltrate data from the organization’s Active Directory, including information about users, groups, applications and devices on the network. But because the targeted appliance was isolated within the organization’s network, the hackers were unable to move laterally and compromise the domain controller.

While this organization successfully managed to ward off the hackers targeting its systems, thousands of other organizations could be at risk. The Shadowserver Foundation, a nonprofit organization that works to make the internet more secure, said it has found more than 15,000 Citrix servers worldwide at risk of compromise unless patches are applied.

The largest number of unpatched servers are based in the U.S. (5,700), followed by Germany (1,500), the U.K. (1,000) and Australia (582), according to Shadowserver's analysis.

It’s not yet known who is behind the exploitation of this vulnerability, but Citrix…

Source…