Hackers are targeting US critical infrastructure using this Citrix zero-day

A blue color image of a person trying to log into a protected laptop.
(Image credit: Shutterstock/JARIRIYAWAT)

Hackers have been observed exploiting a zero-day vulnerability in a Citrix product to target at least one critical infrastructure organization in the United States. 

The news, reported by TechCrunch, has since been confirmed by the US Cybersecurity and Infrastructure Security Agency (CISA), as well as several cybersecurity firms.

As per the report, unnamed hackers used a flaw in NetScaler ADC and NetScaler Gateway tracked as CVE-2023-3519. It has a severity rating of 9.8, making it a critical flaw. They used it to run arbitrary code on the devices as unauthenticated users. NetScaler ADC and NetScaler Gateway are enterprise-grade products built for secure application delivery and VPN services.

Citrix zero-day threat

A few days after Citrix released a fix and urged users to apply it immediately as the flaw was being used in the wild, CISA came forward saying it had observed the flaw abused in June, against an unnamed US critical infrastructure organization. 

According to CISA, the attackers used the flaw to deliver a webshell on NetScaler ADC, which allowed them to steal sensitive data from the firm’s Active Directory. The good news is that the appliance was isolated inside the network, preventing the attackers from moving laterally and wreaking even more damage. 

This firm might have walked away with a scratch, but others might get seriously hurt, the publication states, there are reprotedly more than 15,000 Citrix servers worldwide yet to be patched, and as such are vulnerable to this flaw. Most of them are in the United States (5,700), with significant numbers also in Germany (1,500), and the UK (1,000). 

Citrix says it doesn’t know who’s exploited the flaw so far, but suspects both financially-motivated actors and state-sponsored ones. China is being mentioned again. Researchers from Mandiant were on the same vein, saying the activity was “consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADC’s in 2022.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.