InfoGuard Cyber Security Blog: Netscaler vulnerability exploited by attacker group

InfoGuard CSIRT Warning: Attacker Group Using Netscaler Vulnerability to Steal Credentials

Citrix already issued warnings in July about partly critical security vulnerabilities in Netscaler ADC and Netscaler Gateway. The manufacturer had already witnessed attacks on one of the vulnerabilities at the time. The InfoGuard CSIRT has dealt with numerous security incidents that can be traced back to this vulnerability. In one case, the attackers also deliberately stole access data. Find out what this means for you in this blog post. 

Back on 18 July 2023, a Netscaler vulnerability was disclosed that allowed attackers to execute code remotely without authentication. The critical vulnerability affected both Citrix ADC and Citrix Gateway and was actively abused. The InfoGuard CSIRT has dealt with numerous incidents that can be traced back to this vulnerability – and new cases still continue to arrive months later. The perfidious aspect of this loophole is that it allows malicious code to be executed without prior registration.

The attackers mostly used this loophole to install what are known as webshells, which were then mostly found in the directory /var/netscaler/ and subfolders or /netscaler/ and further subfolders, and had names like server_info.php or levels.php. These webshells were easy to remove and their use was tracked in the logs.

InfoGuard CSIRT warns of cyber attack on legitimate Netscaler portals

An InfoGuard CSIRT investigation determined that the vulnerability has been misused for other purposes by at least one attacker group. This attacker group adds a javascript to the legitimate login page of the Netscaler portal which reads the user names and passwords entered on the login page and sends them to a server. A quick Shodan search in the German-speaking region showed that this script is still implanted on a double-digit number of servers.

nfoGuard Cyber-Sicherheit: Incident Respones Retainer Netscaler

What do I have to do?

Check whether additional javascripts have been included in the index.html page of the Netscaler. These can be found under /netscaler/ns_gui/vpn/index.html. In the cases we checked, the Javascript was loaded from the free code-sharing platform However, it is also conceivable that other sources such as paste platforms or even locally uploaded javascripts are used.

If you identify such a script, take the following steps immediately:

  1. Remove the script line from the source text.
  2. Ensure that all passwords are changed for users who have logged into the affected Netscaler portal in the last few months.
  3. Make sure that all external access points have multifactor authentication enabled.
  4. In case of portals (webmail, Citrix, VPN, etc.) that do not require multifactor authentication, we recommend performing a compromise assessment to ensure that stolen credentials have not already been used to penetrate the network.

InfoGuard is here to help – 24/7

The InfoGuard CSIRT will support you in searching your infrastructure for traces of a cyber attack. Our compromise assessment uncovers breaches across your entire environment – and not just those of the Netscaler loophole described here.

Get in touch!

A cyber attack demands a quick and professional response. Our Incident Response Retainer is the optimal and most effective solution for the worst case. If this occurs, we work with you on the right way to react: quickly, capably and with a whole host of experience – 24/7. You can find out more about our Incident Response Retainer here:

Incident Response Retainer


<< >>

Cyber Security , IT Security , CSIRT

Mathias Fuchs
About the author / Mathias Fuchs

InfoGuard AG - Mathias Fuchs, Vice President Investigation & Intelligence

More articles from Mathias Fuchs

Related articles
Zero Trust: “Zero” Attack Surface and Maximum Security in OT Infrastructures
Zero Trust: “Zero” Attack Surface and Maximum Security in OT Infrastructures

OT security is rapidly gaining in importance as networked industrial facilities offer hackers a lucrative [...]
Malware Cloaking: the Growing Threat of Manipulated Command Lines
Malware Cloaking: the Growing Threat of Manipulated Command Lines

Many detection mechanisms and investigation techniques focus heavily on analysing the command lines of [...]
Cyber Threat Intelligence Insights: Timing of Ransomware Incidents
Cyber Threat Intelligence Insights: Timing of Ransomware Incidents

In the last blog post, we looked at the 53 largest CSIRT cases in 2022. In this post, we will focus [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media