Thousands of Citrix NetScaler devices, including some that were later patched, were backdoored by an extensive and active attack campaign that exploited a serious NetScaler vulnerability, according to researchers. The attackers automated the deployment of web shells on affected devices by exploiting the remote code execution flaw tracked as CVE-2023-3519; the web shells were found to survive both reboots and patching.
At the time of their discovery, about 69% of the backdoored NetScalers were no longer vulnerable to CVE-2023-3519, which led the researchers to caution administrators who have already applied the Citrix patch not to assume they are safe: a patched appliance can still carry a web shell planted before the patch. NCC Group and Fox-IT, a division of NCC Group, in conjunction with the Dutch Institute for Vulnerability Disclosure (DIVD), disclosed the campaign.
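The practical consequence of the finding above is that patch state must not be used as a proxy for "clean": a web shell dropped before the fix stays on the appliance afterwards. The following added example (not code from the article, NCC Group, Fox-IT or DIVD) sketches a defender's triage that deliberately ignores the patch flag when hunting and only uses it afterwards to report how many compromised hosts are already patched. The file paths, timestamps, host names and file contents are constructed sample data, the exposure window dates are placeholders, and the PHP-style web-shell heuristic is a generic one, not the campaign's actual indicators.

```python
"""Hunt for web shells that survive a patch (added example; sample data is constructed)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# A minimal web shell is a code-execution sink whose argument comes from the HTTP
# request. Requiring both halves keeps ordinary pages (which only echo input) out.
SINK_RE = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")


def looks_like_webshell(content: str) -> bool:
    """Generic heuristic: a sink call and a request superglobal in the same file."""
    return bool(SINK_RE.search(content) and SOURCE_RE.search(content))


@dataclass
class FileRecord:
    path: str
    mtime: datetime
    content: str


@dataclass
class Host:
    name: str
    patched: bool        # whether the CVE-2023-3519 fix has been applied
    files: list          # FileRecord entries collected from the web root


@dataclass
class Finding:
    host: str
    path: str
    reasons: list


def hunt(host: Host, exposure_start: datetime, exposure_end: datetime) -> list:
    """Flag suspicious files on one host. The patch state is ignored on purpose:
    a shell planted while the host was exposed remains after patching."""
    findings = []
    for f in host.files:
        reasons = []
        if looks_like_webshell(f.content):
            reasons.append("code-execution sink fed from request input")
        if f.path.endswith(".php") and exposure_start <= f.mtime <= exposure_end:
            reasons.append("PHP file written during the exposure window")
        if reasons:
            findings.append(Finding(host.name, f.path, reasons))
    return findings


def summarize(hosts: list, exposure_start: datetime, exposure_end: datetime) -> dict:
    """Report compromised hosts and what share of them are already patched."""
    backdoored = [h for h in hosts if hunt(h, exposure_start, exposure_end)]
    patched_but_backdoored = [h.name for h in backdoored if h.patched]
    share = len(patched_but_backdoored) / len(backdoored) if backdoored else 0.0
    return {
        "backdoored": [h.name for h in backdoored],
        "patched_but_backdoored": patched_but_backdoored,
        "share_patched": share,
    }


# Constructed sample data; the window dates are placeholders, not the real timeline.
UTC = timezone.utc
EXPOSURE_START = datetime(2023, 7, 1, tzinfo=UTC)
EXPOSURE_END = datetime(2023, 7, 31, tzinfo=UTC)
CLEAN_PAGE = "<?php echo 'ok'; ?>"

SAMPLE_HOSTS = [
    Host("ns-a", patched=True, files=[
        FileRecord("/webroot/shell.php", datetime(2023, 7, 20, tzinfo=UTC),
                   "<?php @eval($_POST['c']); ?>"),
        FileRecord("/webroot/index.php", datetime(2022, 1, 5, tzinfo=UTC), CLEAN_PAGE),
    ]),
    Host("ns-b", patched=True, files=[
        FileRecord("/webroot/index.php", datetime(2022, 1, 5, tzinfo=UTC), CLEAN_PAGE),
    ]),
    Host("ns-c", patched=False, files=[
        FileRecord("/webroot/x.php", datetime(2023, 7, 22, tzinfo=UTC),
                   "<?php system(base64_decode($_REQUEST['x'])); ?>"),
    ]),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        for finding in hunt(h, EXPOSURE_START, EXPOSURE_END):
            print(finding)
    print(summarize(SAMPLE_HOSTS, EXPOSURE_START, EXPOSURE_END))
```

On the constructed data, host `ns-a` is patched yet still carries a shell, `ns-b` is patched and clean, and `ns-c` is unpatched and compromised, so the summary reports two backdoored hosts of which half are already patched. The content heuristic is intentionally crude; on a real appliance it should be paired with a known-good file manifest and with review of any file created during the exposure window, whatever its extension.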