Citrix Backdoor Has Been Open Since May


Chinese hackers reportedly installed a backdoor in Citrix NetScaler systems as early as May. Citrix is accused of sweeping this under the rug.

According to Kevin Beaumont, it’s no coincidence that Citrix systems have been actively targeted by hackers for several months. The security specialist has been monitoring the vulnerabilities closely over that period. In a new report, he describes how Chinese hackers had already opened a backdoor into Citrix NetScaler in May.

The vulnerability in question was in an authentication component. Attackers exploited this entry point to install custom backdoors in the system. The attack shows similarities to campaigns previously attributed to Volt Typhoon, a group associated with cyber espionage. The technical attack chain is complex and aims for long-term access, without signs of ransomware or financial motives.

Guilty as Charged

Beaumont accuses Citrix of deliberately keeping the impact of the vulnerability under the radar. For instance, detection scripts were only shared with customers under non-disclosure agreements. To date, authorities have not published any public guidelines about this. Citrix is also said to have provided limited tools. The backdoor was installed at a time when no patch was available yet.

Beaumont calls for more transparency from Citrix and points out the need for better security of network equipment at the edge of corporate networks. He advocates for better investigation of NetScaler systems for signs of compromise.

Organizations using Citrix NetScaler would do well to proactively scan their systems for indicators of compromise and contact their security partner. Suspicious systems should be thoroughly investigated, even if a patch has already been applied: the attack leaves traces that a simple update does not remove.

Citrix Bleed 2

Meanwhile, multiple patches are available for the affected Citrix NetScaler products, but for many organizations the damage has already been done. The vulnerabilities are being actively exploited, and experts are already talking about ‘Citrix Bleed 2’. In 2023, Citrix NetScaler was already attacked on a massive scale through a zero-day vulnerability.

In Europe, thousands of systems are still vulnerable today. Companies that haven’t installed the available patches yet should do so as soon as possible, because the door to your Citrix NetScaler server is wide open.