Hackers Exploiting Critical Citrix NetScaler Zero-day Flaw To Deploy Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a security advisory indicating that threat actors have been exploiting a zero-day vulnerability in Citrix ADC (Application Delivery Controller) and NetScaler Gateway appliances.

The vulnerability came to light after a webshell was found on a non-production environment of a critical infrastructure organization, which reported the incident to CISA and Citrix Systems.

Threat actors exploited an unauthenticated remote code execution vulnerability to drop the webshells on the environment and then attempted to move laterally to the domain controller. That attempt was blocked by network-segmentation controls.

CVE-2023-3519: Code Injection Vulnerability

This vulnerability can be exploited by a threat actor only if the appliance is configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy, etc.) or as an Authentication, Authorization and Auditing (AAA) virtual server. The CVSS score for this vulnerability is 9.8 (Critical).

Citrix Systems has released patches that fix this vulnerability.

Affected Products

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36
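The affected-products list above gives a fixed build per release branch plus the Gateway/AAA precondition, which is exactly what an inventory triage script needs. The following is an added example, not code from the article or from Citrix or CISA; the fixed-build table is taken from the list above (the 12.1-NDcPP entry is left out because the threshold as printed does not follow the branch-build format, and plain 12.1 is treated as always affected since it is end of life), and the role names and inventory are constructed for illustration.

```python
import re
from typing import Iterable, Tuple

# Fixed build per release branch, copied from the affected-products list above.
# None marks a branch with no fixed build (12.1 is end of life, so every build counts).
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (65, 36),
    "12.1": None,
}
# Appliance roles through which the advisory says the flaw is reachable (constructed labels).
EXPOSED_ROLES = {"gateway", "aaa"}
# NetScaler build strings look like "13.1-48.47": <branch>-<build>.<point>
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_build(version: str, variant: str = "") -> Tuple[str, Tuple[int, int]]:
    """Return (branch key, (build, point)); variant is "" or "FIPS"."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = m.group(1) + (f"-{variant}" if variant else "")
    return branch, (int(m.group(2)), int(m.group(3)))

def is_affected_build(version: str, variant: str = "") -> bool:
    """True when the build predates the fixed build for its branch, or the branch has no fix."""
    branch, build = parse_build(version, variant)
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch!r} is not in the advisory table")
    fixed = FIXED_BUILDS[branch]
    return fixed is None or build < fixed  # tuple comparison: build first, then point

def assess(version: str, roles: Iterable[str], variant: str = "") -> str:
    """Combine the build check with the configured roles into a triage verdict."""
    if not is_affected_build(version, variant):
        return "not affected"
    if EXPOSED_ROLES & {r.lower() for r in roles}:
        return "exposed: vulnerable build with Gateway/AAA role"
    return "vulnerable build, role not exposed: patch anyway"

if __name__ == "__main__":
    # Constructed inventory for demonstration, not real appliances.
    inventory = [("13.1-48.47", ["Gateway"], ""), ("13.1-49.13", ["Gateway"], ""),
                 ("13.0-90.12", ["LB"], ""), ("12.1-65.36", ["AAA"], ""), ("12.1-65.36", ["AAA"], "FIPS")]
    for version, roles, variant in inventory:
        print(f"{version:<12}{variant or '-':<6}{','.join(roles):<10}{assess(version, roles, variant)}")
```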

Technical Analysis

Threat actors uploaded a malicious TGZ file to the ADC appliance containing a setuid binary, a generic webshell and a discovery script used to run an SMB scan from the ADC. The webshell was then used for Active Directory enumeration and data exfiltration. Additional activities performed by the threat actors include:

  • Viewing the NetScaler configuration file (which contains encrypted passwords)
  • Viewing the NetScaler decryption keys (used to decrypt the passwords extracted from the configuration file)
  • Performing LDAP searches with the decrypted AD credentials and extracting data on users, computers, groups, subnets, organisational units, contacts, partitions and trusts
Now sharing info on likely CVE-2023-3519 vulnerable Citrix ADC/Gateway instances in our vulnerable HTTP report: https://t.co/qxv0gv6cak

At least 11170 unique IPs found, most in the US (4.1k).

Make sure to patch: https://t.co/ehskf4kldt

Dashboard stats: https://t.co/zbdpcddaof — Shadowserver (@Shadowserver) July 20, 2023

Other queries by the threat actors were unsuccessful because the organization had placed the ADC appliance in a segmented environment. The queries that failed were:

  • A subnet-wide curl command to scan the internal network and check for potential lateral-movement targets
  • An outbound connectivity check with a ping command to google.com
  • Subnet-wide host commands for DNS lookups

The threat actors also deleted the authorization configuration file /etc/auth.conf to prevent privileged users from logging in remotely. Had the organization tried to regain access to the server by rebooting into single-user mode, the reboot would have deleted the threat actors’ artifacts.

CISA has released a complete report covering the MITRE ATT&CK mapping, detection methods, and mitigation and prevention steps. Organizations are advised to follow it to prevent and mitigate this kind of breach.

Source: https://cybersecuritynews.com/citrix-netscaler-hackers-webshells/


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO