US-CERT- Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Started by Netwörkheäd, September 06, 2023, 06:12:20 PM


Netwörkheäd

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells


SUMMARY


Update September 6, 2023:

This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.


Update End

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a NetScaler ADC appliance in a critical infrastructure organization's non-production environment. The webshell enabled the actors to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked the movement.


The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.


This advisory provides TTPs and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.


Download the PDF version of this report: AA23-201A Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells (PDF, 565.45 KB): https://www.cisa.gov/sites/default/files/2023-09/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf


Update September 6, 2023:

In August 2023, CISA received TTPs and IOCs from an additional victim and trusted third parties. This CSA has been updated with the TTPs and IOCs to assist administrators with detecting and responding to this activity.


For a downloadable list of IOCs, see the following XML and JSON files:

AA23-201A STIX XML (XML, 43.13 KB): https://www.cisa.gov/sites/default/files/2023-09/AA23-201A.stix_.xml

Update End

Let's not argue. Let's network!