The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an alarming vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. This security flaw, which could lead to severe exploitation, enables threat actors to deploy web shells on affected systems.

CISA disclosed that in June 2023, attackers leveraged this vulnerability, identified as CVE-2023-3519, to establish unauthorized access within a critical infrastructure organization’s non-production network environment. At the time of that intrusion, the flaw was an unpatched zero-day.

The compromised web shell provided the attackers with sufficient leverage to conduct reconnaissance on the victim’s Active Directory (AD) and to collect sensitive AD data. Efforts to move laterally toward a domain controller were obstructed by effective network segmentation controls implemented on the appliance.

This vulnerability, with a critical CVSS score of 9.8, involves a code injection flaw allowing unauthenticated remote code execution. To successfully exploit this weakness, the NetScaler appliance in question must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) virtual server.

Notably, CISA has not disclosed the identity of the affected organization, nor has it attributed the attack to a specific country. In the incident analyzed, the attackers used the web shell to extract configuration files, decryption keys, and AD data, which they then concealed within a PNG file named “medialogininit.png” for exfiltration.

The agency noted that subsequent attempts by the adversaries to navigate through the network and execute commands for further exploration were effectively mitigated due to the organization’s strong network segmentation. Additionally, the threat actors engaged in deletion of their artifacts to avoid detection.

The ongoing exploitation of vulnerabilities within gateway products, such as Citrix NetScaler ADC and Gateway, has increasingly drawn the attention of malicious actors seeking privileged access to targeted networks. Consequently, it is crucial for users to promptly apply security patches to mitigate these dangers.

Recent findings by the Shadowserver Foundation indicate that over 15,000 Citrix NetScaler ADC and Gateway servers globally are at risk of compromise due to this critical security flaw. The countries with the highest number of unpatched devices include the United States, Germany, the United Kingdom, and Australia. Cybersecurity experts have described the vulnerability as a straightforward unauthenticated stack overflow, underscoring the ease of potential exploitation and the inadequacy of existing mitigations on certain older versions.

In a related update, CISA reported on additional tactics, techniques, and procedures (TTPs) linked to the attack, stating that the threat actors deployed a PHP web shell to gain root access to the compromised system. It was further noted that they executed discovery actions against the AD, querying details of users, groups, and computers, storing the information in gzipped text files named 1.css and 2.css before attempting to exfiltrate and subsequently delete them along with other logs.
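The two staging techniques described above (stolen data hidden in a file named “medialogininit.png”, and gzipped AD exports saved as 1.css and 2.css) share a detectable trait: the file content does not match what the extension promises. The script below is an added example written for this article, not tooling from CISA, Citrix, or the incident responders. It compares each file's magic bytes against its extension and flags mismatches, so a responder triaging an appliance's web root can spot a “PNG” that is really text or a “stylesheet” that is really a gzip archive. The directory it scans, the file names it creates, and the placeholder contents are all constructed for the example.

```python
"""Added example: flag files whose content does not match their extension.

The intrusion described above hid stolen data in "medialogininit.png" and in
gzipped text files named 1.css and 2.css. A quick triage check is to compare
each file's magic bytes with what its extension promises. The sample tree
built by build_sample_tree() is constructed for this example; it contains no
data from the incident.
"""
import gzip
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b"

# What a file with this extension is expected to contain.
EXPECTED_KIND = {".png": "png", ".css": "text", ".js": "text", ".html": "text"}


def detect_kind(data: bytes) -> str:
    """Classify content by magic bytes, falling back to a text/binary heuristic."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def inspect_file(path: str) -> dict:
    """Return a finding for one file: detected kind, expected kind, suspicious flag."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lower()
    kind = detect_kind(head)
    expected = EXPECTED_KIND.get(ext)
    finding = {"name": os.path.basename(path), "kind": kind,
               "expected": expected, "suspicious": False, "note": ""}
    if expected is not None and kind != expected:
        finding["suspicious"] = True
        finding["note"] = f"{ext} file has {kind} content"
        if kind == "gzip":
            # Peek inside the archive so the triage note says what was hidden.
            with gzip.open(path, "rb") as gz:
                inner = gz.read(4096)
            finding["note"] += f", decompresses to {detect_kind(inner)}"
    return finding


def scan_directory(root: str) -> list:
    """Inspect every file under root and return one finding per file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.append(inspect_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway directory with two benign and two suspicious files."""
    root = tempfile.mkdtemp(prefix="netscaler_triage_")
    # Benign: a file with a real PNG header and a plain stylesheet.
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 32)
    with open(os.path.join(root, "style.css"), "wb") as fh:
        fh.write(b"body { margin: 0; }\n")
    # Suspicious: a ".png" that is really text (constructed placeholder lines)
    # and a ".css" that is really a gzip archive of text.
    with open(os.path.join(root, "medialogininit.png"), "wb") as fh:
        fh.write(b"# constructed placeholder, not a real config\nkey=EXAMPLE\n")
    with gzip.open(os.path.join(root, "1.css"), "wb") as gz:
        gz.write(b"constructed placeholder AD export line\n")
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_tree()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:22} {f['note']}")
```

Run as a script it prints one line per file, marking medialogininit.png and 1.css as suspicious and the two benign files as ok. In practice you would point scan_directory at the appliance's web-content directories and combine the result with file modification times, since a content/extension mismatch alone is a triage lead, not proof of compromise.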
