Back on 18 July 2023, a Netscaler vulnerability was disclosed that allowed attackers to execute code remotely without authentication. The critical vulnerability affected both Citrix ADC and Citrix Gateway and was actively exploited. The InfoGuard CSIRT has dealt with numerous incidents that can be traced back to this vulnerability – and new cases still continue to arrive months later. The insidious aspect of this vulnerability is that it allows malicious code to be executed without any prior authentication.
The attackers mostly used this vulnerability to install what are known as webshells. These were typically found in the directory /var/netscaler/ and its subfolders, or in /netscaler/ and its subfolders, under names such as server_info.php or levels.php. The webshells were easy to remove, and their use could be traced in the logs.
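As an added triage helper (not part of this advisory or of InfoGuard's tooling), the following POSIX shell function lists every PHP file under the Netscaler directories named above, flags the file names quoted in the advisory, and prints each file's modification time so it can be correlated with the access logs. It assumes only `find`, `ls` and `awk`; the default scan roots and the known names are taken from the text.

```shell
#!/bin/sh
# Added webshell triage helper, not InfoGuard's own tooling.
# Reports PHP files (webshell candidates) under the Netscaler paths named in
# the advisory, with their modification time for correlation with the logs.

# File names quoted in the advisory; any other *.php is still reported.
KNOWN_WEBSHELL_NAMES="server_info.php levels.php"

# Print "<flag> <mtime> <path>" for every .php file under the given roots.
# flag is KNOWN for a name quoted in the advisory, PHP for any other .php.
# With no arguments the advisory's directories are scanned.
find_netscaler_webshells() {
  roots="$*"
  [ -z "$roots" ] && roots="/var/netscaler /netscaler"
  for root in $roots; do
    [ -d "$root" ] || continue
    find "$root" -type f -name '*.php' 2>/dev/null
  done | while IFS= read -r path; do
    name=$(basename "$path")
    flag=PHP
    for known in $KNOWN_WEBSHELL_NAMES; do
      [ "$name" = "$known" ] && flag=KNOWN
    done
    # Portable mtime: month, day and time/year columns of ls -l
    mtime=$(ls -ld "$path" | awk '{print $6, $7, $8}')
    printf '%s %s %s\n' "$flag" "$mtime" "$path"
  done
}

# Number of candidates found; 0 means nothing to triage under the roots.
count_netscaler_webshells() {
  find_netscaler_webshells "$@" | wc -l | tr -d ' '
}
```

Every hit should be checked against the HTTP access logs for the request that created or used it, and the passwords of users who logged in during that window handled as described below.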
InfoGuard CSIRT warns of cyber attack on legitimate Netscaler portals
What do I have to do?
If you identify such a script, take the following steps immediately:
- Remove the script line from the source text.
- Ensure that all passwords are changed for users who have logged into the affected Netscaler portal in the last few months.
- Make sure that all external access points have multifactor authentication enabled.
- For portals (webmail, Citrix, VPN, etc.) that do not require multifactor authentication, we recommend performing a compromise assessment to ensure that stolen credentials have not already been used to penetrate the network.
InfoGuard is here to help – 24/7
The InfoGuard CSIRT will support you in searching your infrastructure for traces of a cyber attack. Our compromise assessment uncovers breaches across your entire environment – and not just those of the Netscaler loophole described here.
A cyber attack demands a quick and professional response. Our Incident Response Retainer is the optimal and most effective solution for the worst case. If it occurs, we work with you on the right way to react: quickly, competently and with extensive experience – 24/7. You can find out more about our Incident Response Retainer here: