The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has issued a warning that threat actors attempted to target critical infrastructure using a Citrix/NetScaler vulnerability known as CVE-2023-3519. However, these threat actors were unsuccessful in their endeavors due to strong defenses and network segmentation.
Others have not been as fortunate. Detection scripts and IOCs have now been developed and are available. (The precarious position
The warning was released a few days after Citrix disclosed an alarming pre-auth RCE vulnerability, CVE-2023-3519. This vulnerability affects NetScaler ADC and NetScaler Gateway, which are now more officially known as Citrix ADC and Citrix Gateway respectively.
The agency has now disclosed Indicators of Compromise (IoCs), after an earlier advisory was distributed on a limited basis as “TLP: Amber”, a move that might be considered problematic given that attacks have been occurring in the wild since June.
The attackers exploited the vulnerability to install a webshell on a non-production NetScaler ADC instance belonging to an undisclosed CNI provider. This “enabled the actors to perform discovery on the victim’s AD and collect and exfiltrate AD data.”
In a write-up that provides some valuable detections for anyone worried about exploitation of the CVSS 9.8 vulnerability, which can be exploited remotely without authentication, CISA stated that, thankfully, sturdy architecture and generally effective defenses impeded further exploitation.
Citrix issued a warning to its customers on July 18 explaining that the vulnerability affects the following versions when they are set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or used in conjunction with an AAA virtual server:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.65.36
CISA said that, as part of their first attack chain, the threat actors performed SMB scanning on the subnet while uploading a TGZ file to the ADC appliance that contained a generic webshell, a discovery script, and setuid malware.
According to CISA’s recommendations, administrators should apply patches as soon as possible, run detections and, if a compromise is found, quarantine or take potentially affected hosts offline; reimage compromised hosts; issue new account credentials; collect and review artifacts such as active processes/services, unusual authentications, and recent network connections; and, if in the US, report the compromise to CISA.
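As an added illustration of the "run detections" and "collect artifacts" steps above (example code written for this page, not CISA's or Citrix's own detection script), the following Python triage scan walks a directory tree and flags the three indicator types the attack chain describes: setuid binaries, files newer than a baseline such as the last install or patch time, and files containing common webshell markers. The directory layout, file names and marker strings are constructed assumptions, not real NetScaler paths.

```python
import os
import stat
import tempfile
import time

# Content markers commonly seen in generic webshells (assumption: not taken from the CISA write-up).
WEBSHELL_MARKERS = (b"eval(", b"base64_decode(", b"shell_exec(", b"passthru(")

def scan_tree(root, baseline_epoch):
    """Return files under `root` that are setuid, newer than the baseline, or look like webshells."""
    findings = {"setuid": [], "new_files": [], "webshell_like": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_ISUID:      # the write-up describes setuid malware on the appliance
                findings["setuid"].append(rel)
            if st.st_mtime > baseline_epoch:   # files added after the last known-good install
                findings["new_files"].append(rel)
            with open(path, "rb") as fh:
                head = fh.read(65536)          # first 64 KiB is enough for marker matching
            if any(m in head for m in WEBSHELL_MARKERS):
                findings["webshell_like"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_tree(base, baseline_epoch):
    """Construct a small fake appliance tree (constructed sample; paths are not real NetScaler paths)."""
    old = baseline_epoch - 10 * 86400
    def put(rel, data, mtime=None, mode=0o644):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    put("www/index.html", b"<html>legit</html>", mtime=old)            # pre-baseline, benign
    put("www/u.php", b'<?php /* sample */ eval("PLACEHOLDER"); ?>')     # new and webshell-like
    put("bin/ns_helper", b"\x7fELF-sample", mode=0o4755)                # new and setuid
    put("bin/legit_tool", b"#!/bin/sh\nexit 0\n", mtime=old, mode=0o755)  # pre-baseline, benign

def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    baseline = time.time() - 30 * 86400          # e.g. the timestamp of the last patch/install
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, baseline)
        return scan_tree(tmp, baseline)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real host, point `scan_tree` at the appliance's web and binary directories with the baseline set to the last known-good install time, and treat any hit as an artifact to preserve before reimaging.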