The US’s CISA has warned that threat actors used a Citrix/NetScaler vulnerability, CVE-2023-3519, to attack critical infrastructure – but failed in their attempts owing to robust defences and network segmentation.
Others may be less lucky. Detection scripts and IOCs are now available. (The vulnerability
The advisory comes days after Citrix reported the alarming pre-auth RCE vulnerability, CVE-2023-3519, which affects NetScaler ADC and NetScaler Gateway (formerly known as Citrix ADC and Citrix Gateway).
The agency has now shared Indicators of Compromise (IoCs) after an initial advisory was distributed on a restricted basis as “TLP: Amber” – arguably a controversial move given that attacks had been ongoing in the wild since June.
The attackers used the vulnerability to drop a webshell on the unnamed CNI provider’s non-production NetScaler ADC that “enabled the actors to perform discovery on the victim’s AD and collect and exfiltrate AD data.”
Mercifully, robust architecture and generally solid-sounding defences hampered further exploitation, CISA added, in a write-up that provides some useful detections for those concerned about exploitation of the CVSS 9.8 vulnerability, which requires no authentication to exploit remotely.
The CNI incident was reported to Citrix in June. That may raise concerns among some customers: a NetScaler zero day was being exploited in the wild and reported to Citrix in June, yet the company did not publish any emergency mitigations until the following month, when it had a patch ready. (In fairness, understanding the attack chain may also have taken time: security researchers reverse engineering the patch are arguably taking longer than usual to identify the precise exploit used…)
N.b. Your views on this are welcomed. Pop us a line.
Sharing [pdf] Indicators of Compromise (IOCs), CISA said: “The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”
The attackers used a key stored on the NetScaler ADC to decrypt Active Directory (AD) credentials, which they then used to authenticate to the DC from the ADC via a virtual machine. But “firewall and account restrictions (only certain internal accounts could authenticate to the DC [domain controller]) blocked this activity,” CISA said on July 20.
Critical NetScaler vulnerability: Attack chain still opaque
The vulnerability affects the following when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, Citrix told customers in an advisory on July 18.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.65.36
CISA said: “As part of their initial exploit chain, the threat actors uploaded a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance and conducted SMB scanning on the subnet.
The actors used the webshell for AD enumeration and to exfiltrate AD data. Specifically, the actors: Viewed NetScaler configuration files /flash/nsconfig/keys/updated/ and /nsconfig/ns.conf…”
“These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance. [They then] viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file); used the decrypted AD credential to query the AD via ldapsearch [and] queried for [users, computers, subnets, contacts, etc.].
As The Stack published, security researchers were still exploring the precise exploit chain for the critical NetScaler vulnerability and no public exploit had been shared, but it is likely to follow soon. Assetnote said “we believe that this issue is within the SAML processing components of Citrix ADC and NetScaler Gateway. We appreciate the analysis from Ron Bowes which came to a similar conclusion as us on this issue…”
Admins should patch promptly and, per CISA's guidance, run the detections. If compromise is detected:
- quarantine or take offline potentially affected hosts;
- reimage compromised hosts;
- provision new account credentials;
- collect and review artifacts such as running processes/services, unusual authentications, and recent network connections;
- and, if in the US, report the compromise to CISA.
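One way to turn those response steps into a first-pass triage on the appliance, as an added example that is not CISA's or Citrix's detection script: it scans shell-log lines for the post-exploitation activity CISA describes (reading ns.conf and the key store, ldapsearch against AD, dropping a TGZ, creating a setuid binary) and lists files modified after the last patch install. The shell-log line format, the sample lines, and the web-root and install-marker paths are constructed assumptions; the config and key paths are the ones quoted from CISA above.

```shell
#!/bin/sh
# Illustrative triage helper (added example; not CISA's or Citrix's script).
# Assumptions: shell-log lines look like the constructed sample below, and the
# caller supplies the web root and a file whose mtime marks the last install.

# Activity described in the advisory: reading the encrypted-credential config
# and the key store, LDAP queries against AD, a dropped TGZ, setuid bits.
SUSPICIOUS_RE='/flash/nsconfig/keys|/nsconfig/ns\.conf|ldapsearch|\.tgz|tar +x|chmod +[ug]\+s|chmod +[0-9]*[24][0-7][0-7][0-7]|smbclient'

# Print every shell-log line read from stdin that matches the pattern.
suspicious_shell_commands() {
    grep -E "$SUSPICIOUS_RE"
}

# Number of matching lines on stdin; anything above 0 needs a human review.
count_suspicious() {
    suspicious_shell_commands | wc -l | tr -d ' '
}

# Files under $1 modified after the reference file $2 (e.g. the last install).
# New files under the web root after a patch are a webshell indicator.
files_newer_than_install() {
    find "$1" -type f -newer "$2"
}

# Constructed sample log (not a real capture); the line format is assumed.
SAMPLE_LOG='Jun 12 03:14:02 ns sh: nobody cmd="tar xzf /var/tmp/update.tgz"
Jun 12 03:14:09 ns sh: nobody cmd="chmod u+s /var/tmp/nsbin"
Jun 12 03:15:21 ns sh: nobody cmd="cat /nsconfig/ns.conf"
Jun 12 03:15:40 ns sh: nobody cmd="ls /flash/nsconfig/keys/updated/"
Jun 12 03:16:02 ns sh: nobody cmd="ldapsearch -x -H ldap://dc01 -D svc-ns -b DC=corp,DC=example"
Jun 12 08:00:00 ns sh: root cmd="show ns version"'

# Run with --demo to print the flagged lines from the sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | suspicious_shell_commands
fi
```

In real use, feed the appliance's shell logs to `suspicious_shell_commands` and pass the web root plus a file from the last install to `files_newer_than_install`, then review every hit by hand.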