The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems.
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said.
"The web shell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement."
The shortcoming in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released patches for the issue and warned of active in-the-wild exploitation.
Successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server.
CISA did not disclose the name of the organization that was impacted by the incident. The threat actor or the country allegedly behind it is presently unknown.
In the incident analyzed by CISA, the web shell is said to have enabled the collection of NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was transmitted as a PNG image file ("medialogininit.png").
The adversary's subsequent attempts to laterally move across the network as well as run commands to identify accessible targets and verify outbound network connectivity were thwarted due to robust network segmentation practices, the agency noted, adding the actors also attempted to delete their artifacts to cover up the tracks.
Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for threat actors looking to obtain privileged access to targeted networks. This makes it imperative that users move quickly to apply the latest fixes to secure against potential threats.
Update
The Shadowserver Foundation said it has found more than 15,000 Citrix Netscaler ADC and Gateway servers worldwide at risk of potential compromise, making them vulnerable to attacks exploiting the critical remote code execution flaw. The largest number of unpatched appliances are located in the U.S., Germany, the U.K., and Australia.
"The vulnerability is a simple unauthenticated stack overflow," cybersecurity firm Bishop Fox said, noting that exploitation is trivial. "This is made significantly worse by the fact that exploit mitigations do not protect the vulnerable function on some versions."
CISA Discloses New TTPs and IoCs
On September 6, 2023, CISA shared details of additional TTPs and IoCs that it received from an unidentified victim and trusted third-parties, noting that the threat actors dropped a PHP web shell, gained root level access to the compromised system, and performed hands-on discovery against the Active Directory (AD).
“They queried the AD via ldapsearch for users, groups, and computers,” CISA said. “They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration. After exfiltrating the files, the actors deleted them from the system as well as some access logs, error logs, and authentication logs.”
