CISA warns: Citrix NetScaler ADC is under attack via CVE-2023-3519

The U.S. cybersecurity agency CISA is warning administrators of Citrix NetScaler ADC installations. Threat actors have begun exploiting the NetScaler ADC vulnerability CVE-2023-3519, disclosed a few days ago, to implant webshells. Administrators should check their appliances for signs of compromise.



Vulnerability in Citrix products

A few days ago, I had issued a warning to administrators of Citrix NetScaler ADC and Citrix Gateway to update their installations to new software versions promptly, because the manufacturer's security bulletin describes a critical remote code execution vulnerability in these products. Updates for the affected products have been published, and administrators should install them on supported installations without delay. Details can be found in the blog post Critical RCE Vulnerability in Citrix NetScaler ADC and Citrix Gateway.

CISA warning of attacks

Given the severity of the vulnerability, it was only a matter of time before CVE-2023-3519 would be attacked. Now the US Cybersecurity and Infrastructure Security Agency (CISA) has published a specific warning. Carl Stalhood writes about it on Twitter:

Threat Actors Exploiting #Citrix #NetScaler CVE-2023-3519 to Implant Webshells < shell commands to check for signs of compromise

and refers to the CISA advisory Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The reason for CISA's current warning about the exploitation of CVE-2023-3519 is a specific incident.

In June 2023, threat actors exploited this zero-day vulnerability to drop a webshell on a critical infrastructure organization's non-production NetScaler ADC appliance. The webshell allowed the attackers to explore the victim's Active Directory (AD) and to collect and exfiltrate AD data. The attackers attempted to move laterally to a domain controller, but the appliance's network segmentation controls blocked the movement.

The victim organization recognized the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023. The CISA alert describes the tactics, techniques, and procedures (TTPs) and the detection methods that the victim shared with CISA. The document can also be downloaded as a PDF.



CISA recommends that critical infrastructure organizations use the detection guidance contained in this advisory to determine whether their systems have been compromised. If a potential compromise is identified, organizations should apply the incident response recommendations contained in this CSA. If no compromise is detected, organizations should immediately apply the patches provided by Citrix.

The folks at Shadowserver have found at least 11,170 unique IPs, most of them in the US (4.1K), that point to vulnerable Citrix installations.


