Hackers exploiting RCE vulnerability in NetScaler, Gateway devices to implant webshells, CISA warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a cybersecurity advisory (CSA) warning critical infrastructure organizations about hackers exploiting an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway devices. 

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” CISA said in its Thursday advisory. “The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.” The notice added that the victim organization identified the compromise and reported the activity to CISA and Citrix, and that Citrix released a patch for this vulnerability on July 18, 2023.

The security notice provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. “CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix,” it added.

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC and NetScaler Gateway 12.1 (now end of life, so no fixed build is available and the appliance must be upgraded to a supported release); NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-65.36; and NetScaler ADC 12.1-NDcPP before 12.1-65.36, the CISA advisory said. Note that the fixed builds for the FIPS and NDcPP lines are lower than those for the mainline 13.1 and 13.0 releases, so a version must be compared against the fixed build of its own line. Exploitation requires that the affected appliance be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) virtual server.
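As an added example, not code from the CISA or Citrix advisories, the following POSIX shell script encodes the affected ranges listed above so that a version string read from an appliance can be checked against them. It assumes the version is given as branch-build (for example 13.1-48.47) and that the FIPS or NDcPP variant, when applicable, is passed as a second argument, because those lines have their own fixed builds; the function names and input convention are the example's own.

```shell
#!/bin/sh
# Added example (not from the CISA/Citrix advisories): check a NetScaler ADC/Gateway
# version against the CVE-2023-3519 affected ranges quoted in the article.
# Assumed input format: "<branch>-<build>", e.g. "13.1-48.47"; pass "FIPS" or
# "NDcPP" as a second argument for those lines, since their fixed builds differ.

# fixed_build BRANCH VARIANT -> prints the first fixed build on that line,
# "EOL" for the unsupported 12.1 mainline, or fails if the line is not listed.
fixed_build() {
    case "$1:$2" in
        13.1:)      echo 49.13 ;;
        13.0:)      echo 91.13 ;;
        12.1:)      echo EOL ;;    # 12.1 mainline is end of life: no fix, only upgrade
        13.1:FIPS)  echo 37.159 ;;
        12.1:FIPS)  echo 65.36 ;;
        12.1:NDcPP) echo 65.36 ;;
        *)          return 1 ;;
    esac
}

# build_lt A B -> true if build A is lower than build B (e.g. 48.47 < 49.13).
# Builds are compared as two integers (48, 47), not as a decimal number.
build_lt() {
    a1=${1%%.*}; a2=${1#*.}; b1=${2%%.*}; b2=${2#*.}
    [ "$a1" -lt "$b1" ] || { [ "$a1" -eq "$b1" ] && [ "$a2" -lt "$b2" ]; }
}

# is_vulnerable VERSION [VARIANT] -> exit 0 (true) if the version falls in an
# affected range, 1 otherwise; prints a one-line verdict either way.
is_vulnerable() {
    ver=$1; variant=${2:-}
    branch=${ver%%-*}; build=${ver#*-}
    label="$ver${variant:+ $variant}"
    if ! fix=$(fixed_build "$branch" "$variant"); then
        echo "$label: line not in the affected list (check the vendor advisory for newer lines)"
        return 1
    fi
    if [ "$fix" = EOL ]; then
        echo "$label: 12.1 mainline is end of life, no fixed build exists, upgrade"
        return 0
    fi
    if build_lt "$build" "$fix"; then
        echo "$label: AFFECTED, first fixed build is $branch-$fix"
        return 0
    fi
    echo "$label: at or above fixed build $branch-$fix"
    return 1
}

# Command-line use: ./check.sh 13.1-48.47 [FIPS|NDcPP]
[ $# -eq 0 ] || is_vulnerable "$@"
```

Two caveats for anyone adapting this: a 13.1-FIPS appliance at 37.159 is fixed even though 37.159 is far below the mainline fixed build 49.13, which is why the variant must be passed; and the check says nothing about whether the appliance is actually configured as a gateway or AAA virtual server, which is the exploitation precondition, so an unexposed appliance still needs the update.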

CERT-EU, the Computer Emergency Response Team for the EU institutions, bodies and agencies, also issued an advisory recommending installation of the latest updated versions as soon as possible. The advisory described the products as follows: “Citrix Netscaler ADC is a purpose-built networking appliance used to improve the performance, security, and resiliency of applications delivered over the web. Citrix NetScaler Gateway consolidates remote access infrastructure to provide single sign-on across all applications whether in a data center, in a cloud, or if the apps are delivered as SaaS apps. It allows people to access any app, from any device, through a single URL.”

Citrix issued its own advisory earlier this week stating that ‘multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).’

CISA detailed that, as part of the initial exploit chain, the hackers uploaded a TGZ file containing a generic webshell, a discovery script, and a setuid binary to the ADC appliance and conducted SMB scanning on the subnet. They also used the webshell for AD enumeration and to exfiltrate AD data.

The hackers’ other discovery activities were unsuccessful because the critical infrastructure organization had deployed its NetScaler ADC appliance in a segmented environment, CISA disclosed. The actors attempted to run a subnet-wide curl command to identify what was reachable from within the network and to find potential lateral movement targets; verified outbound network connectivity with a ping command; and ran host commands for a subnet-wide DNS lookup.

“The actors also attempted to delete their artifacts. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI),” CISA said. “To regain access to the ADC appliance, the organization would normally reboot into single-user mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.”

The advisory also noted that the hackers’ post-exploitation lateral movement attempts were blocked by network-segmentation controls. “The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity,” it added.
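The host-level artifacts described above (a PHP webshell dropped on the appliance, a setuid binary, and the deletion of /etc/auth.conf) translate directly into a few file-system checks. The following POSIX shell script is an added example, not the detection guidance from the CISA advisory: it lists PHP files under the GUI web root and setuid files anywhere on the box that are newer than a reference file whose modification time marks the last legitimate change (an assumption: pick a file written by the last upgrade), and reports whether /etc/auth.conf is missing. The web root path /netscaler/ns_gui is assumed to match the appliance layout, and the sample tree the demo builds is constructed for the example, not taken from the incident.

```shell
#!/bin/sh
# Added example, not the CISA advisory's own detection guidance: host-level triage for
# the three artifacts described in the article (new webshell under the GUI web root,
# new setuid binary, deleted /etc/auth.conf). ROOT is "/" on a live appliance or the
# mount point of an offline image; REF is a file whose mtime marks the last legitimate
# change (assumption: choose one written by the last upgrade). Paths containing
# spaces are not expected on an appliance and are not handled.

count_lines() {   # count_lines STRING -> number of lines in STRING (0 if empty)
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# triage ROOT REF -> prints one tagged line per finding plus "FINDINGS <n>"
triage() {
    root=$1; ref=$2
    # Webshells get planted beside the legitimate PHP of the GUI web root;
    # /netscaler/ns_gui is assumed to be that root.
    new_php=$(find "$root/netscaler/ns_gui" -type f -name '*.php' -newer "$ref" 2>/dev/null)
    # A setuid file that post-dates the last upgrade has no business on the box.
    new_suid=$(find "$root" -type f -perm -4000 -newer "$ref" 2>/dev/null)
    missing=0
    [ -n "$new_php" ]  && printf 'NEW_PHP %s\n' $new_php
    [ -n "$new_suid" ] && printf 'NEW_SETUID %s\n' $new_suid
    # The actors deleted /etc/auth.conf to lock administrators out of remote CLI login.
    if [ ! -f "$root/etc/auth.conf" ]; then
        echo "MISSING $root/etc/auth.conf"; missing=1
    fi
    total=$(( $(count_lines "$new_php") + $(count_lines "$new_suid") + missing ))
    echo "FINDINGS $total"
}

# make_fixture DIR -> constructed sample tree standing in for an appliance filesystem
make_fixture() {
    d=$1
    mkdir -p "$d/netscaler/ns_gui/vpn" "$d/var/tmp" "$d/etc"
    : > "$d/netscaler/ns_gui/vpn/index.php"             # legitimate, old
    touch -t 202301010000 "$d/netscaler/ns_gui/vpn/index.php"
    : > "$d/etc/auth.conf"                               # present until "the actors" delete it
    touch -t 202306010000 "$d/ref"                       # last known-good change
    echo "placeholder for a dropped webshell" > "$d/netscaler/ns_gui/vpn/logon.php"   # newer than REF
    echo "placeholder for a dropped setuid binary" > "$d/var/tmp/nsu"
    chmod 4755 "$d/var/tmp/nsu"
}

case "${1:-}" in
    demo) fx=$(mktemp -d); make_fixture "$fx"; rm -f "$fx/etc/auth.conf"
          triage "$fx" "$fx/ref"; rm -rf "$fx" ;;
    "")   ;;                                            # no arguments: only define the functions
    *)    triage "$1" "${2:?reference file required}" ;;
esac
```

Run with demo to see the three findings against the constructed tree, or with a root and reference file to triage a mounted image. Comparing against a reference file rather than a hard-coded date keeps the check portable across appliances, and inspecting a mounted image rather than the live box avoids the reboot that, as the advisory notes, can destroy artifacts.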

CISA recommends that organizations install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. The agency also suggests adopting best cybersecurity practices across production and enterprise environments, including mandating phishing-resistant multi-factor authentication (MFA) for all staff and for all services. 

It also pointed organizations to the cross-sector Cybersecurity Performance Goals (CPGs), developed by CISA and the National Institute of Standards and Technology (NIST), which cover a prioritized subset of IT and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. As a longer-term effort, CISA recommends applying robust network-segmentation controls to NetScaler appliances and other internet-facing devices.

Last week, CISA and the Federal Bureau of Investigation (FBI) published another advisory providing guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments. In that case, network defenders reported the incident to Microsoft, and the activity was deemed malicious. Organizations are urged to improve their cybersecurity posture and enable the detection of similar malicious activity by implementing the advisory’s logging recommendations.
