The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to apply patches after Citrix earlier this week disclosed an actively exploited flaw in its Netscaler (formerly Citrix) ADC and Gateway products.
Citrix released fixes for the unauthenticated remote code execution bug (CVE-2023-3519) on July 18, after a critical infrastructure organization identified a compromise stemming from the flaw and reported the activity to CISA and Citrix.
“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance,” according to CISA on Thursday. “The webshell enabled the actors to perform discovery on the victim’s Microsoft Entra ID (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”
CISA further detailed the threat actor exploitation activity linked to the bug, as well as the actor’s tools and tactics and detection methods for enterprise organizations. As part of the attack, actors uploaded a TGZ file containing a webshell (as well as a discovery script and setuid binary) on the ADC appliance. The webshell was used to enumerate and exfiltrate AD data.
The actors also attempted to execute a subnet-wide curl command to sniff out opportunities for lateral movements, verify outbound network connectivity via a ping command and execute host commands for a subnet-wide DNS lookup. However, these discovery attempts were unsuccessful because the victim organization had deployed the NetScaler ADC appliance in a segmented environment, said CISA.
The attackers also tried to delete their artifacts and delete the authorization configuration file in a likely attempt to prevent admins from logging in remotely; however, CISA said the victim had an SSH key available that allowed them into the appliance without rebooting it, which may have deleted artifacts from the device.
“The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls,” according to CISA. “The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC… Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.”
Impacted product versions include NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC and NetScaler Gateway version 12.1, now end of life; NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-65.36 and NetScaler ADC 12.1-NDcPP before 12.65.36. Of note, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization and auditing (AAA) virtual server for exploitation to occur.
Previously, vulnerabilities have been discovered in Netscaler ADC and Gateway, and in December researchers said that a Chinese threat group, APT5, had leveraged a remote code execution flaw in attacks.
“This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” according to Caitlin Condon with Rapid7 in a Tuesday alert. “Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur.”