October 3, 2023

The U.S. CISA warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting the recently discovered zero-day CVE-2023-3519.

CISA states that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization.

The vulnerability, tracked as CVE-2023-3519, is a critical code injection that could result in unauthenticated remote code execution. Citrix warns of the availability of exploits for this vulnerability that have been observed in attacks against unmitigated appliances. Citrix added that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.


Citrix strongly urged affected customers to install the relevant updated versions as soon as possible.

CISA did not attribute the attack to a specific threat actor. The attackers exploited the flaw to deploy a webshell, which was used to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The threat actors attempted to move laterally to a domain controller, but CISA pointed out that network-segmentation controls for the appliance blocked that movement.

The attackers obtained encrypted passwords from NetScaler ADC configuration files; the decryption key was stored on the ADC appliance. The threat actors then staged data as an image file in a web-accessible path:

cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The attackers attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup, but these were blocked by the network segmentation controls.


Organizations that have found indicators of compromise should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
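One artifact review that follows directly from the incident above is a scan of the appliance's web-accessible paths for files whose image extension does not match their real contents, since the staged archive was a .tar.gz renamed to .png. This is an added example, not CISA's or Citrix's tooling; the directory tree and file names it scans are constructed for the demo.

```python
import os
import gzip
import tempfile

# Leading bytes expected for each image extension we care about; the staged
# archive was a gzip-compressed tar renamed to .png, so gzip gets its own verdict.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
GZIP_MAGIC = b"\x1f\x8b"

def classify(path):
    """Return 'ok', 'gzip-as-image', or 'unknown-as-image' for a single file."""
    ext = os.path.splitext(path)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "ok"  # not an image extension; out of scope for this check
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(expected):
        return "ok"
    if head.startswith(GZIP_MAGIC):
        return "gzip-as-image"
    return "unknown-as-image"  # empty file or some other non-image content

def find_masqueraded_files(root):
    """Walk a web-accessible directory and list image-named files whose bytes disagree."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "ok":
                hits.append((path, verdict))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree: a genuine PNG header beside a gzip archive renamed .png."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    with gzip.open(os.path.join(root, "medialogininit.png"), "wb") as f:
        f.write(b"constructed archive contents")
    return root

if __name__ == "__main__":
    for path, verdict in find_masqueraded_files(build_sample_tree()):
        print(verdict, path)
```

On a real appliance the root would be the NetScaler GUI directory the advisory names, and any hit should be preserved as evidence before the host is reimaged.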
