A zero-day vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appears to be being exploited by an unspecified advanced persistent threat (APT) actor backed by the Chinese government and should be patched immediately.
Per Citrix’s initial advisory released on Tuesday 18 July, the three vulnerabilities patched by Citrix affect multiple versions of the NetScaler ADC (previously Citrix ADC) and NetScaler Gateway (previously Citrix Gateway) lines.
They are tracked as CVE-2023-3466, a reflected cross-site scripting flaw; CVE-2023-3467, a privilege escalation vulnerability; and CVE-2023-3519, an unauthenticated remote code execution (RCE) bug.
Of these, the issue of concern is the RCE vulnerability, CVE-2023-3519, which carries a CVSS score of 9.8, and it is this bug that was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list on 20 July.
The addition of a vulnerability to the KEV list mandates that US government bodies must address it by a set date. It carries no weight beyond this, but inclusion on this list is a sure sign that attention should be paid by all organisations.
According to the CISA, the threat actor exploited CVE-2023-3519 to drop a webshell on a non-production environment NetScaler ADC appliance owned by an operator of critical national infrastructure (CNI).
The RCE vulnerability, CVE-2023-3519, carries a CVSS score of 9.8 and was added to the US CISA’s Known Exploited Vulnerabilities list on 20 July. Inclusion on this list is a sure sign that attention should be paid by all organisations
Using this webshell, the actor then attempted to perform discovery actions on the victim’s active directory (AD) and exfiltrate data from it. They then tried to move laterally to a domain controller, but were thwarted in this instance when the appliance’s network-segmentation controls kicked in.
In this instance, the victim organisation was able to swiftly identify the compromise and duly reported the incident to both CISA and Citrix.
Assessing the impact of CVE-2023-3519, researchers at Mandiant, which played a key role in the initial investigation, said that because ADC devices are predominantly used in the IT sector and form a vital component of enterprise cloud datacentres, when it comes to ensuring the optimal delivery of enterprise applications, they present a tempting target.
However, wrote the analyst team, comprising James Nugent, Foti Castelan, Doug Bienstock, Justin Moore and Josh Murchie, Chinese threat actors often target devices that sit at the edge of the network because they can be harder to monitor, and very often don’t support intrusion detection solutions.
“Mandiant cannot attribute this activity based on the evidence collected thus far,” the team wrote. “However, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.
“The evolution of the China-nexus cyber threat landscape has evolved to such an extent that its ecosystem mirrors more closely that of financial crime clusters, with connections and code overlap not necessarily offering the comprehensive picture.”
Beyond applying the patch, Mandiant is additionally recommending that if any affected appliances are found to have been exploited, they should be rebuilt immediately. This upgrade process will overwrite some, but not all, of the directories where threat actors may drop webshells.
Security teams may also wish to re-evaluate whether or not their ADC or Gateway appliances’ management ports need unrestricted internet access, and limit access to only necessary IP addresses, which would make post-exploitation activities harder going forward.
Based on some of the other tactics, techniques and procedures (TTPs) outlined in Mandiant’s write-up, the research team is also recommending that affected organisations rotate all secrets stored in the configuration file, and any private keys or certificates useable for transport layer security (TLS) connections.
They may also wish to harden susceptible accounts in the domain to protect against credential exposure and limit a threat actor’s ability to obtain credentials for lateral movement.