Thousands of companies are facing potential threats as hackers actively exploit a Citrix zero-day vulnerability, which has already targeted a critical infrastructure organization in the United States.

Citrix recently raised an alarm regarding the severity of the flaw, known as CVE-2023-3519, with a staggering severity rating of 9.8 out of 10. The vulnerability affects NetScaler ADC and NetScaler Gateway devices, widely used for secure application delivery and VPN connectivity by organizations worldwide, including critical infrastructure sectors.

The zero-day allows unauthorized remote attackers to execute arbitrary code on affected devices, and Citrix has confirmed evidence of real-world exploitation. In response, Citrix promptly released security updates on July 18, urging customers to apply the patches immediately to safeguard their systems.

The situation escalated further when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that the vulnerability had already been exploited against a U.S. critical infrastructure organization in June. The attackers used the flaw to deploy a webshell on the organization’s NetScaler ADC appliance, then used that foothold to query Active Directory and exfiltrate sensitive information about users, groups, applications, and network devices. Fortunately, the organization’s isolated network configuration prevented the attackers from fully compromising the domain controller.

While this specific organization successfully thwarted the intrusion, numerous other organizations remain at risk. The Shadowserver Foundation, a nonprofit organization dedicated to enhancing internet security, identified over 15,000 unpatched Citrix servers worldwide that remain susceptible to compromise.

Geographically, according to Shadowserver’s analysis, the largest numbers of unpatched servers are located in the United States (5,700), followed by Germany (1,500), the UK (1,000), and Australia (582).

The identity of the hackers behind this exploitation remains unknown. However, Citrix vulnerabilities have historically been exploited by both financially motivated cybercriminals and state-sponsored threat actors, with some groups having links to China.

Researchers at Mandiant conducted an analysis and revealed that the intrusion activity appears consistent with past operations by China-linked threat actors in 2022. While they cannot definitively attribute these intrusions to any known group, they speculate that it might be part of an intelligence-gathering campaign. Espionage-driven threat actors tend to target technologies lacking endpoint detection and response solutions, such as firewalls, IoT devices, hypervisors, and VPNs.

Mandiant’s investigations into numerous intrusions at defense, government, technology, and telecommunications organizations show that suspected China-linked groups have historically exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain persistent access to victim environments.