Over 640 Citrix servers backdoored with web shells in ongoing attacks

Hundreds of Citrix Netscaler ADC and Gateway servers have already been breached and backdoored in a series of attacks targeting a critical remote code execution (RCE) vulnerability tracked as CVE-2023-3519.

The vulnerability was previously exploited as a zero-day to breach the network of a U.S. critical infrastructure organization.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, now disclosed that attackers had deployed web shells on at least 640 Citrix servers in these attacks.

"We can say it's fairly standard China Chopper but they do not want to disclose more under the circumstances. I can say the amount they detect is much lower than the amount they believe to be out there, unfortunately," Shadowserver CEO Piotr Kijewski told BleepingComputer.

​"We report on compromised appliances with webshells in your network (640 for 2023-07-30). They are aware of widespread exploitation happening July 20th already," Shadowserver said on their public mailing list.

"If you did not patch by then please assume compromise. They believe the real amount of CVE-2023-3519 related webshells to be much higher than 640."

About two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. However, that number has since dropped to under 10,000, indicating some progress in mitigating the vulnerability.

​Citrix released security updates on July 18th to address the RCE vulnerability, acknowledging that exploits had been observed on vulnerable appliances and urging customers to install the patches without delay.

The vulnerability primarily impacts unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).

In addition to addressing CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root.

In response to ongoing attacks, CISA ordered U.S. federal agencies to secure Citrix servers on their networks by August 9th.

The warning also highlighted that the vulnerability had already been exploited to breach the systems of a U.S. critical infrastructure organization.

"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance," CISA said.

"The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement."

Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix Netscaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.

This highlights the pressing need for security teams to make patching Citrix servers a top priority on their to-do lists.

Hundreds of Citrix Endpoints Compromised With Webshells

Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.

The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.

The biggest number of impacted IPs are based in Germany, followed by France and Switzerland.

As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.

Subscribe to the Infosecurity Magazine newsletter here. 

The unauthenticated remote code execution vulnerability was patched by Citrix on July 15 and has a CVSS score of 9.8.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.

The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.

Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface

The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”

That attack happened back in June 2023.

Editorial image credit: Ken Wolter / Shutterstock.com

What to Know About the Calprotectin Stool Test

A calprotectin stool test may help determine whether you have an inflammatory or noninflammatory bowel condition. The information it provides may also eliminate the need for more invasive tests.

If your doctor has asked you to do a calprotectin stool test, you may be wondering how to provide a demo — and what it will show.

Fecal matter, also known as stool or poop, can provide information about conditions that affect your gastrointestinal tract. These include:

Read on to learn all about the calprotectin stool test, including how it’s done and what it can (and can’t) tell you about your intestinal tract.

The calprotectin stool test is noninvasive.

This test is helpful for detecting and measuring inflammation levels in the intestines. The information it provides may eliminate the need for more invasive tests, like a colonoscopy or sigmoidoscopy.

Calprotectin is a protein manufactured by white blood cells in response to inflammation. When there’s inflammation in the intestines, white blood cells called neutrophils travel to that area of the body and release calprotectin in an effort to fight off disease or infection.

Inflammation in the gastrointestinal tract can be an indication of IBD. IBD is an umbrella term for chronic conditions that cause prolonged inflammation in the digestive tract. Examples of IBD include:

The calprotectin stool test can help your doctor diagnose IBD. It can also be used to monitor the severity of IBD flare-ups after diagnosis.

This test helps distinguish between IBD and IBS. IBS is a noninflammatory bowel condition often with similar symptoms.

High levels of calprotectin in stool may also indicate other conditions like:

IBD symptoms vary based on the location and severity of inflammation in the GI tract. Since ulcerative colitis and Crohn’s disease can flare up and recede over time, your symptoms may be chronic (long lasting) or acute (short term).

Many symptoms of IBD, including those of ulcerative colitis and Crohn’s disease, can also be caused by IBS, certain cancers, or infections.

Some or all of these symptoms may signal the need for a calprotectin stool test:

To take this test, you’ll need to provide a stool sample. The consistency of stool won’t affect the diagnostic ability of the test.

Your doctor may instruct you to eliminate certain substances for days or weeks before the test. These include:

Your doctor will give you a sterile container to collect your sample. It’s very important that the demo you provide not touch any surface other than the container. It’s also important that water and urine aren’t included in your sample. These substances can skew your test results.

The amount of calprotectin in your stool will be measured in a laboratory. Based on the laboratory used, your results may take several days to 1 week.

High levels of calprotectin in stool may signal ulcerative colitis, Crohn’s disease, colorectal cancer, or infection.

Moderate or low levels mean there’s little to no inflammation present in the intestines. This may indicate that your symptoms are caused by a viral infection or IBS.

Calprotectin levels are measured within a reference range of numerical values indicated as μg/g (micrograms per gram). According to the University of Iowa Dept. of Pathology Laboratory Services Handbook, the reference range for the calprotectin stool test is:

The calprotectin stool test is a noninvasive test that helps distinguish between IBD, including ulcerative colitis and Crohn’s disease, and IBS. It may also signal the presence or absence of an infection or colorectal cancer.

The test involves providing a fecal (stool) demo to a laboratory. The laboratory analyzes the stool demo and sends the results to your doctor. Your doctor uses these results to determine whether additional testing is needed.