Attackers are continuing to target the Citrix NetScaler ADC and NetScaler Gateway vulnerability that was disclosed earlier this summer, and are employing new techniques and tactics in their operations.
The vulnerability (CVE-2023-3519) allows unauthenticated remote code execution on appliances that are configured as a gateway or as an AAA virtual server, and the details of the bug have been public since July, when Citrix released an update for it. However, attackers had been exploiting the vulnerability as early as June, before the patch existed, and in many cases have been planting webshells on compromised devices to maintain persistence.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) released information on some newly observed behavior from attackers in recent intrusions. In one case, attackers were able to gain root access to the compromised device and then eventually exfiltrate sensitive information.
“Threat actors uploaded a PHP webshell logouttm.php, likely as part of their initial exploit chain, to /netscaler/ns_gui/vpn/. Within an hour of installing the webshell, the actors implanted an Executable and Linkable Format (ELF) binary pykeygen that set user unique identifier (UID) to root and executed /bin/sh via setuid and execve syscall. A third party also observed threat actors use an ELF binary (named pip4) to execute /bin/sh via syscall and change the UID to root. pip4 was located at /var/python/bin,” the CISA advisory says.
“With root level access, the actors used hands-on-keyboard for discovery. They queried the AD via ldapsearch for users, groups, and computers. They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration.”
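The artifacts in the advisory share a pattern that can be hunted for mechanically: an unexpected PHP file in the NetScaler web root, gzipped text renamed to `.css` and staged there for exfiltration, and ELF binaries dropped into directories that should hold only scripts. The script below is an added example written for this article; it is not code from CISA, Citrix, or the original page. It builds a synthetic copy of the directory layout named in the advisory under a temporary directory, then checks file magic bytes rather than trusting extensions. The `php_baseline` set and the sample files are assumptions constructed for the demo, not a NetScaler file manifest; on a real appliance an operator would capture the baseline from a known-clean install and point the scanner at the live paths.

```python
"""Hunt for the post-exploitation artifacts described in the CISA advisory:
an unexpected PHP file in the NetScaler web root, gzipped text renamed to
.css for exfiltration, and ELF binaries dropped into script directories.

Added example; not code from the article, CISA, or Citrix. The directory
layout and the PHP baseline are constructed for the demo and are
assumptions, not a NetScaler file manifest.
"""
import gzip
import tempfile
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"
ELF_MAGIC = b"\x7fELF"

# Static web content that should never be a compressed blob or an executable.
STATIC_SUFFIXES = {".css", ".js", ".html", ".png", ".gif"}


def file_head(path, n=4):
    """Return the first n bytes of a file (b'' if it is shorter)."""
    with open(path, "rb") as f:
        return f.read(n)


def scan_web_root(web_root, php_baseline=frozenset()):
    """Return (name, reason) tuples for suspicious files directly in web_root.

    php_baseline: names of PHP files known to ship with the appliance
    (hypothetical; an operator would capture it from a clean install).
    """
    findings = []
    for p in sorted(Path(web_root).iterdir()):
        if not p.is_file():
            continue
        head = file_head(p)
        if p.suffix == ".php" and p.name not in php_baseline:
            findings.append((p.name, "PHP file not in baseline (possible webshell)"))
        if p.suffix in STATIC_SUFFIXES and head.startswith(GZIP_MAGIC):
            findings.append((p.name, "gzip data disguised as static content (staged exfil)"))
        if head == ELF_MAGIC:
            findings.append((p.name, "ELF binary inside web root"))
    return findings


def scan_for_elf(directory):
    """Return names of ELF executables found directly in directory."""
    return [p.name for p in sorted(Path(directory).iterdir())
            if p.is_file() and file_head(p) == ELF_MAGIC]


def build_sample_tree(root):
    """Construct a fake appliance layout mirroring the advisory's paths.

    Everything here is synthetic test data; the 'ELF' files are just the
    magic bytes plus padding, not real programs.
    """
    root = Path(root)
    vpn = root / "netscaler" / "ns_gui" / "vpn"
    pybin = root / "var" / "python" / "bin"
    vpn.mkdir(parents=True)
    pybin.mkdir(parents=True)
    (vpn / "index.html").write_text("<html>login</html>")          # benign
    (vpn / "style.css").write_text("body { color: #000; }")        # benign
    (vpn / "logouttm.php").write_text("<?php /* synthetic */ ?>")  # webshell-like name
    # ldapsearch-style output gzipped and renamed, as the advisory describes
    (vpn / "1.css").write_bytes(gzip.compress(b"dn: CN=Administrator,CN=Users,DC=corp,DC=local\n"))
    (vpn / "pykeygen").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    (pybin / "pip4").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    (pybin / "pip").write_text("#!/usr/bin/env python3\n")         # benign script
    return vpn, pybin


def run_demo():
    """Build the sample tree, scan it, and return (web findings, ELF names)."""
    with tempfile.TemporaryDirectory() as tmp:
        vpn, pybin = build_sample_tree(tmp)
        return scan_web_root(vpn), scan_for_elf(pybin)


if __name__ == "__main__":
    web, elf = run_demo()
    for name, reason in web:
        print(f"{name}: {reason}")
    print("ELF in var/python/bin:", elf)
```

Checking magic bytes is the point: a `.css` file that begins with `1f 8b` is a gzip archive no matter what it is called, and a file with no extension that begins with `7f 45 4c 46` is an executable regardless of where it sits. The same checks should be run on the other paths in the advisory and combined with a timestamp review, since the advisory notes the binary was dropped within an hour of the webshell.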
After the attackers exfiltrated the data, they took care to erase access, error, and authentication logs.
“For command and control (C2), the actors appeared to use compromised pfSense devices; the victim observed communications with two pfSense IP addresses indicating the actor was using them for multi-hop proxying C2 traffic,” the advisory says.
The Citrix patch for this vulnerability has been available for almost two months, and public exploit code is available as well. Given how long the bug has been public, any affected device that has not yet been updated should be assumed compromised and examined for the artifacts described above; patching alone does not remove a webshell that was planted before the update.