US-CERT- Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

[Netwörkheäd]

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

[html]

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.

Download the PDF version of this report:

   

    https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf" class="c-file__link" target="_blank">AA23-201A Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
    (PDF,       469.66 KB
  )
 

TECHNICAL DETAILS

Note: This advisory uses the https://attack.mitre.org/versions/v13/matrices/enterprise/" title="MITRE ATT&CK for Enterprise">MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping and CISA's https://github.com/cisagov/Decider/" title="Decider Tool">Decider Tool.

Overview

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467" title="Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467">1]

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467" title="Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467">1]

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13


• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13


• NetScaler ADC and NetScaler Gateway version 12.1, now end of life


• NetScaler ADC 13.1-FIPS before 13.1-37.159


• NetScaler ADC 12.1-FIPS before 12.1-65.36


• NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467" title="Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467">1]

CISA added CVE-2023-3519 to its https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities Catalog on July 19, 2023.

Threat Actor Activity

As part of their initial exploit chain [https://attack.mitre.org/versions/v13/techniques/T1190/" title="Exploit Public-Facing Application">T1190], the threat actors uploaded a TGZ file [https://attack.mitre.org/versions/v13/techniques/T1105/" title="Ingress Tool Transfer">T1105] containing a generic webshell [https://attack.mitre.org/versions/v13/techniques/T1505/003/" title="Server Software Component: Web Shell">T1505.003], discovery script [https://attack.mitre.org/versions/v13/tactics/TA0007/" title="Discovery">TA0007], and setuid binary [https://attack.mitre.org/versions/v13/techniques/T1548/001" title="Abuse Elevation Control Mechanism: Setuid and Setgid">T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [https://attack.mitre.org/versions/v13/techniques/T1046/" title="Network Service Discovery">T1046].

The actors used the webshell for AD enumeration [https://attack.mitre.org/versions/v13/techniques/T1016" title="System Network Configuration Discovery">T1016] and to exfiltrate AD data [https://attack.mitre.org/versions/v13/tactics/TA0010/" title="Exfiltration ">TA0010]. Specifically, the actors:

• Viewed NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf