Analytics Story: Citrix Netscaler ADC CVE-2023-3519
Description
The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.
Why it matters
Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.
The compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.
The threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls.
Advisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.
Detections
Name | Technique | Type |
---|---|---|
Citrix ADC Exploitation CVE-2023-3519 | Exploit Public-Facing Application | Hunting |
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Palo Alto Network Threat | Network | pan:threat |
pan:threat |
References
- https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519
- https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Source: GitHub | Version: 1