New analysis indicates that Chinese-linked hackers were installing backdoors in Citrix Netscaler systems long before the vulnerability was publicly disclosed. Criticism is growing against the vendor, which is accused of a lack of transparency and of minimising the scale of the threat.
Citrix Netscaler systems, a key component of many companies’ network infrastructure, have been targeted by an advanced hacking group since May this year.
According to analysis by security specialist Kevin Beaumont, attackers exploited a previously unknown zero-day vulnerability in the authentication component to gain access to corporate networks and install custom spyware on them.
The modus operandi, focused on long-term, discreet access with no sign of financial activity such as ransomware, strongly suggests a cyber espionage campaign.
These techniques show similarities to those used by the Volt Typhoon group, linked to the Chinese government.
A wave of criticism is falling on Citrix over its response to the incident. Beaumont accuses the manufacturer of deliberately hushing up the issue. Key information, including scripts to detect the intrusion, was to be made available to customers only under confidentiality agreements.
This policy made it difficult for administrators and security professionals to assess the true extent of the risk and take appropriate action. Significantly, backdoors were installed at a time when an official patch was not yet available.
Although Citrix has finally released the relevant updates, for many organisations the damage has already been done. Cyber security experts, recalling a major incident in 2023, are calling the current situation ‘Citrix Bleed 2’.
They stress that simply installing a patch does not solve the problem on systems that have already been compromised. Backdoors left by hackers are not removed by a simple update and require in-depth investigation and system clean-up.
Thousands of servers in Europe remain vulnerable to attack.
Companies that have not updated their devices are advised not only to implement patches immediately, but also to proactively scan their infrastructure for signs of intrusion.