Incident response in Citrix environments involves identifying, containing, and recovering from intrusions where Citrix ADC (Application Delivery Controller)/Netscaler was the initial access vector. Ransomware groups including LockBit, Akira, and BlackBasta actively exploit critical Citrix CVEs. Effective response requires forensic triage of the Citrix host, threat actor profiling, and rapid isolation of the compromised device from Active Directory.
What Is Incident Response in Citrix Environments?
At the time of writing, over 60,000 Citrix instances are indexed on Shodan - more than 10,000 of them in the UK (Shodan query, August 2024) - and our team is actively responding to ransomware incidents where Citrix ADC (Application Delivery Controller)/Netscaler was the initial access vector. In this post, we examine the threat actors that target Citrix and the vulnerabilities that allow these threats to escalate from initial access into full-scale ransomware events that we see destroying organisations on a weekly basis.
Our CREST-Accredited SOC (Security Operations Centre) Lead and team have over 10,000 hours of experience responding to security incidents, with a large chunk of that time spent responding to ransomware incidents where exploitation of Citrix - namely ADC/Netscaler - was the initial access vector. We'll share stats on the key vulnerabilities impacting Citrix, strategies to protect Citrix and share key commands, scripts and tools to keep in your IT team's arsenal should an incident occur.
Which Citrix Vulnerabilities Are Actively Exploited in Ransomware Campaigns?
When our Incident Response team "land" on an incident to perform scoping, they gather a plethora of information about the organisation, sometimes from multiple stakeholders. Utilising this information, plausible scenarios can be hypothesised, producing an initial investigation path. Two of the key categories they scope are remote access and virtualisation technologies. When Citrix arises as an answer to either of these categories, it tends to be the vector that allowed the initial access to occur.
This is because multiple ransomware groups have targeted Citrix over the last 24 months, exploiting critical vulnerabilities that allow them to gain remote access, high privileges and code execution. This risk, coupled with Citrix being closely linked to the organisation's Active Directory domain and enterprise network, is a recipe for ransomware to thrive.
Understanding CISA KEV and EPSS
To assess the scope of the problem, there are two key terms we must first understand: CISA Known Exploited Vulnerabilities (CISA KEV) and the Exploit Prediction Scoring System (EPSS). KEV is a catalogue maintained by CISA of vulnerabilities known to be exploited in real attacks, ransomware campaigns included. Because CVSS (Common Vulnerability Scoring System) has been relied on so heavily for patch prioritisation, the industry learned that some vulnerabilities with critical CVSS scores were never exploited while others with modest scores were, so severity alone is a poor guide to urgency; EPSS was created to address that gap. EPSS is maintained by FIRST.org, where some of our Precursor staff are liaison members and contribute to projects such as EPSS. EPSS predicts the probability that a vulnerability will be exploited in the wild, which highlights that even vulnerabilities with a low CVSS score can warrant urgent patching.
Utilising CISA KEV and EPSS, we were able to:
- Find all vulnerabilities relating to Citrix that have been known to be exploited in ransomware campaigns.
- Calculate the predicted exploitability score of those vulnerabilities, to help with patching prioritisation.
Critical CVEs with Ransomware Associations
Out of the 16 vulnerabilities in the KEV database for Citrix (source: CISA Known Exploited Vulnerabilities Catalogue, accessed August 2024), 5 of these are known to be exploited to further a ransomware-based objective. We then also added their CVSS score and EPSS rating:
_EPSS scores expressed as a percentage likelihood of observing exploitation activity in the next 30 days. EPSS scores as of August 2024 - check FIRST.org EPSS for current values._
| CVE ID | Common Name | CVSS Base Score | CVSS Severity | EPSS Score | Exploit Type |
|---|---|---|---|---|---|
| CVE-2023-3519 | - | 9.8 | Critical | 96% | Remote Code Execution |
| CVE-2023-4966 | Citrix Bleed | 9.4 | Critical | 97% | Session Token Disclosure |
| CVE-2019-13608 | - | 7.5 | High | 0.6% | Information Disclosure |
| CVE-2019-19781 | - | 9.8 | Critical | 96% | Remote Code Execution |
| CVE-2019-11634 | - | 9.8 | Critical | 24% | Remote Code Execution |
As you can see, at least 3 of those vulnerabilities still carry a near-certain likelihood of exploitation attempts against any vulnerable organisation within the next 30 days. We must highlight that this is being written in August 2024: for one of those vulnerabilities, that is almost 5 years on from when it was assigned.
It is worth noting that CVE-2023-3519 was exploited as a zero-day before Citrix publicly disclosed it: CISA reported exploitation in June 2023, around a month before the Citrix advisory was published on 18 July 2023 (CISA Advisory AA23-201A). Successful exploitation typically drops a web shell into a web-accessible directory on the appliance, often with a filename chosen to blend in with legitimate content, meaning compromised hosts can be difficult to identify through casual inspection alone.
Which Threat Actors Target Citrix Environments?
During an incident response engagement, one of the next key stages following scoping of the client environment and incident is to perform threat intelligence and build a threat-informed profile of what - and who - is operating in the environment. Doing so allows us to establish a potential pattern of life, motive, tools used and potential indicators of compromise to look for and contain.
Precursor's curated threat intelligence platform offers up the following related threat actors, known for exploiting Citrix:
- LockBit
- Akira
- NoEscape
- BlackBasta
Our team has responded to incidents caused by each of these groups. LockBit affiliates were behind the 2023 attack on the UK's Royal Mail, in which LockBit 3.0 affiliates demanded a ransom of approximately £65.7 million and international parcel services were disrupted for around six weeks. BlackBasta are known for the speed of their encryption and the volume of data they exfiltrate beforehand; CISA Advisory AA24-131A notes that Black Basta affiliates had targeted over 500 private industry and critical infrastructure entities in North America, Europe and Australia since April 2022.
Incident Case Study: Ransomware Deployment via CVE-2023-3519
_Based on a composite of Precursor IR engagements._
A LockBit affiliate gained initial access to a UK professional services organisation via CVE-2023-3519 - an unauthenticated remote code execution vulnerability in Citrix NetScaler ADC that had been publicly disclosed 48 hours prior and was not yet patched on the victim's internet-facing appliance.
Within six hours of initial exploitation, the threat actor had deployed a web shell on the Citrix host and established persistence. Using the Citrix gateway's privileged network position, they performed LDAP enumeration against the connected Active Directory domain, identified domain administrator accounts, and moved laterally within 12 hours of initial access. By the time the organisation detected anomalous behaviour - triggered by unusual authentication events - the threat actor had encrypted approximately 60% of the estate across 48 hours and exfiltrated an estimated several terabytes of data to an external staging server.
Precursor's response focused on immediate isolation of the Citrix host from the internal network, preservation of volatile artefacts from the compromised appliance, and forensic reconstruction of the attacker's lateral movement path from the NetScaler gateway into Active Directory. Recovery - including re-establishing clean domain controllers, rotating all credentials, and validating that no backdoors remained - took approximately three weeks. The organisation had no IR (Incident Response) retainer in place at the time of the incident; establishing one pre-incident would have reduced initial triage time by an estimated 12-24 hours.
How Do You Check If Your Citrix Has Been Compromised?
We realise that in a pressurised scenario, appointing an IR team or engaging with insurance can be challenging and sometimes time-consuming during an already resource-draining scenario. Below, we have provided some key commands you can run on Citrix hosts, along with references to tools that already exist to respond to such an incident, so that you can scope key answers whilst waiting for expert assistance.
Note for practitioners: These commands are intended as a starting point for qualified IR practitioners and should be used alongside formal forensic tooling. Results will vary depending on the nature of the vulnerability exploited; always engage an expert IR team before drawing conclusions from command output alone.
Find .php files in unexpected locations with suspicious permissions set
find /var/netscaler/logon/ /var/vpn/ /var/netscaler/ns_gui/ /netscaler/portal/templates /var/tmp/netscaler/portal/templates /netscaler/portal/scripts /vpn/themes /tmp -type f -name "*.php" \( -perm 0777 -o -perm 0666 -o -perm 0600 -o -perm 0700 \) -exec ls -l {} +
_Why this works:_ Ransomware actors exploiting CVE-2023-3519 frequently drop web shells into Citrix-specific directories that are reachable through the web-facing interface. PHP files with world-writable permissions (0777, 0666) in these paths are rarely legitimate, and their presence is a strong indicator that a web shell was written to disk; 0600 and 0700 hits are normal for root-owned files and should be compared against a clean appliance of the same build before drawing conclusions. Two practical notes: directories that do not exist on your build produce harmless "No such file or directory" errors, and adding -newermt with a date just before the suspected exploitation window narrows the list to files created or modified since then. Identifying them before making any changes to the host preserves the artefact for forensic analysis.
Check your bash history file for commands typically executed by ransomware actors on Citrix hosts
grep -E "whoami\$|cat /flash/nsconfig/keys|ldapsearch|chmod \+x /tmp|openssl des3|ping -c 1|cp /bin/sh|chmod \+s /var|echo <\?php" /var/log/bash.log /var/log/notice.log /var/log/sh.log
_Why this works:_ This command scans the NetScaler shell logs for commands that threat actors consistently execute during post-exploitation: identity checks (whoami), credential harvesting (cat /flash/nsconfig/keys), Active Directory enumeration (ldapsearch), and web shell deployment (echo <?php ... redirected into a web directory). Matching output indicates interactive attacker activity on the host and helps establish a timeline for the initial access event. These logs rotate, so older activity may only survive in the compressed copies (/var/log/bash.log.0.gz and so on), which zgrep can search with the same pattern. An attacker with shell access can also truncate these files, so an empty result does not by itself clear the host.
Check for processes running under the context of 'nobody'
ps auxw | grep ^nobody | grep -v /bin/httpd | grep -v grep | grep -v "/tests/"
_Why this works:_ The nobody user account is the process context under which web requests are handled on Citrix ADC. Legitimate processes running as nobody are limited to the web server (/bin/httpd). Any additional processes - particularly shells or network utilities - running as nobody indicate that a web shell has received an inbound request and spawned a child process, which is the mechanism by which unauthenticated RCE vulnerabilities like CVE-2023-3519 are weaponised in practice.
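The three checks above are most useful when their output is captured once, made read-only and hashed before anything on the appliance is touched. The script below does that. It is an added example written for this post, not Citrix tooling and not the commands from any vendor or CISA advisory. It assumes the NetScaler FreeBSD shell (POSIX sh with BSD or GNU find and grep, and either sha256 or sha256sum); the directory and log lists are the ones used in the commands above; the pattern allows an optional closing quote after whoami on the assumption that bash.log records commands as shell_command="..."; and the output path /var/tmp/citrix-triage.txt is a placeholder.

```shell
#!/bin/sh
# citrix_triage.sh - added example for this post; not Citrix tooling and not
# taken from any vendor or CISA advisory. Assumes the NetScaler FreeBSD shell
# (POSIX sh, BSD or GNU find/grep, sha256 or sha256sum).

# Web shell drop locations used by the find command above (assumed to exist
# on the appliance; missing ones are skipped).
WEB_DIRS="/var/netscaler/logon/ /var/vpn/ /var/netscaler/ns_gui/ /netscaler/portal/templates /var/tmp/netscaler/portal/templates /netscaler/portal/scripts /tmp"

# Shell history logs from the grep command above. Rotated copies
# (/var/log/bash.log.0.gz ...) need zgrep and are not covered here.
SHELL_LOGS="/var/log/bash.log /var/log/notice.log /var/log/sh.log"

# Attacker command fingerprints from the post. 'whoami"?$' allows the closing
# quote that bash.log puts around shell_command="..." (assumption about format).
ATTACKER_RE='whoami"?$|cat /flash/nsconfig/keys|ldapsearch|chmod \+x /tmp|openssl des3|ping -c 1|cp /bin/sh|chmod \+s /var|echo <\?php'

# find_suspicious_php DIR... : .php files carrying the permission modes the
# post flags (0777/0666 are rarely legitimate; 0600/0700 need review).
find_suspicious_php() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name '*.php' \
            \( -perm 0777 -o -perm 0666 -o -perm 0600 -o -perm 0700 \) \
            -exec ls -l {} + 2>/dev/null
    done
    return 0
}

# grep_attacker_commands LOG... : print matching lines, prefixed with the
# file name, from every readable log given.
grep_attacker_commands() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -HE "$ATTACKER_RE" "$f" || true
    done
}

# count_attacker_commands LOG... : number of matching lines, for quick scoping.
count_attacker_commands() {
    grep_attacker_commands "$@" | wc -l | tr -d ' '
}

# nobody_processes : anything running as nobody that is not the web server.
nobody_processes() {
    ps auxw | grep '^nobody' | grep -v /bin/httpd | grep -v grep | grep -v '/tests/' || true
}

# preserve_output FILE : run every check once, write the result to FILE, make
# it read-only and record its SHA-256 so later edits are detectable.
preserve_output() {
    out="$1"
    {
        echo "# citrix triage $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(hostname)"
        echo "## suspicious php files"
        find_suspicious_php $WEB_DIRS        # unquoted on purpose: split into directories
        echo "## attacker commands in shell logs"
        grep_attacker_commands $SHELL_LOGS
        echo "## processes running as nobody"
        nobody_processes
    } > "$out"
    chmod 0400 "$out"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$out" > "$out.sha256"
    else
        sha256 -r "$out" > "$out.sha256"   # BSD userland on the appliance
    fi
}

# Usage on the appliance: sh citrix_triage.sh run /var/tmp/citrix-triage.txt
# (then copy both files off the host). With no arguments it only defines
# the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then
    preserve_output "${2:-/var/tmp/citrix-triage.txt}"
fi
```

The hash file only proves that the output has not changed since it was written; on a compromised host the attacker may still hold a shell, so copy both files off the appliance to your evidence store straight away and treat the on-box copies as untrusted. WEB_DIRS and SHELL_LOGS can be overridden before calling preserve_output to point the checks at a mounted disk image instead of the live system.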
Other tools
Mandiant (now part of Google Cloud) have shared a tool that scans Citrix hosts for specific indicators of compromise pertaining to CVE-2023-3519: mandiant/citrix-ioc-scanner-cve-2023-3519. Run this tool in read-only mode and preserve the output before making any changes to the host; the output is a key artefact for your IR team.
What Should You Do Next If Citrix Was Your Initial Access Vector?
When responding to complex incidents involving exploitation of remote access and virtualisation infrastructure, early indicators should always be treated as the tip of the iceberg. As already detailed, exploitation of these vulnerabilities typically leads to widescale domain compromise where recovery can be lengthy and costly - Sophos' State of Ransomware 2024 report found the mean recovery cost from a ransomware incident reached $2.73 million excluding the ransom payment itself, and only 20% of critical infrastructure organisations recovered within a week. If Citrix was your initial access vector, take these steps immediately:
- Isolate the Citrix host from Active Directory immediately - do not allow further authentication to proceed through the compromised gateway.
- Run the three triage commands above and preserve output to a tamper-evident log file before making any changes to the host.
- Cross-reference your Citrix version against the CVE table in this post - if unpatched against CVE-2023-3519 or CVE-2023-4966 (Citrix Bleed), assume full session token compromise and treat all authenticated sessions originating from that gateway as potentially attacker-controlled.
- Engage a CREST-accredited IR team within four hours of initial discovery - domain-wide compromise is the typical outcome within 24-48 hours of initial Citrix access.
- Run the Mandiant citrix-ioc-scanner-cve-2023-3519 tool in read-only mode and share output with your IR team before remediation begins.
Precursor Security offers several services to help bolster your organisation against the threats targeting Citrix environments, including an IR retainer that gives your team guaranteed response times and pre-agreed escalation paths - so that when an incident occurs, the clock starts in minutes, not hours.
Frequently Asked Questions
What is the most common initial access vector in Citrix-related ransomware incidents?
The most common initial access vector is exploitation of critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, particularly CVE-2023-3519 (unauthenticated remote code execution, CVSS 9.8) and CVE-2023-4966, known as Citrix Bleed (session token disclosure, CVSS 9.4). Both have EPSS scores of 96% or higher, meaning vulnerable organisations face a near-certain probability of exploitation attempts within any 30-day window.
Which ransomware groups are known to exploit Citrix vulnerabilities?
LockBit, Akira, NoEscape, and BlackBasta are the four groups most commonly observed exploiting Citrix vulnerabilities in ransomware campaigns. LockBit affiliates were responsible for the attack on the UK's Royal Mail service demanding a £65.7 million ransom; BlackBasta has targeted over 500 critical infrastructure organisations since April 2022 per CISA Advisory AA24-131A.
How quickly can an attacker move from Citrix exploitation to full domain compromise?
Based on Precursor's incident response engagements, a skilled threat actor can move from initial Citrix exploitation to Active Directory domain administrator access within 6-12 hours. Full ransomware deployment across a significant portion of the estate can follow within 24-48 hours of initial access. This timeline makes immediate isolation of the Citrix host a critical first response action.
What should I do if I find a PHP file in unexpected Citrix directories?
Treat it as an active incident. Do not delete the file - preserve it as forensic evidence by copying it to a write-protected location first. Immediately isolate the Citrix host from your internal network to prevent further lateral movement, then engage a CREST-accredited IR team. Run the bash history and process checks described in this post and preserve all output before making further changes to the host.
How do CISA KEV and EPSS help with Citrix patching prioritisation?
CISA's Known Exploited Vulnerabilities catalogue confirms which Citrix CVEs are actively exploited in real-world attacks - these should be treated as urgent regardless of their CVSS score. EPSS adds a probability dimension: it predicts the likelihood of seeing exploitation attempts against a specific vulnerability in the next 30 days. Together, KEV confirms past exploitation while EPSS predicts near-term risk - making both essential tools for a CISO prioritising Citrix patching in a constrained maintenance window.