
Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Urgent Action
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Thursday warning that newly disclosed critical security flaws in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices were abused to drop web shells on vulnerable systems.
“In June 2023, a threat actor exploited this vulnerability as a zero-day to launch a web shell on NetScaler ADC devices in a critical infrastructure organization’s non-production environment,” the agency said.
“The web shell allowed the perpetrator to perform discovery on the victim’s Active Directory (AD) and collect and extract AD data. The perpetrator attempted to move laterally to the domain controller but the network segmentation controls for the device blocked the move.”
The flaw in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released a patch for this issue and warned about its active exploitation in the wild.
A successful exploit requires that the tool be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication, authorization, and audit (AAA) virtual server.
CISA did not disclose the names of the organizations affected by the incident. The threat actor behind it, and any state it may be linked to, remain unknown.
In the incident analyzed by CISA, the web shell is said to have enabled the collection of NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was transmitted disguised as a PNG image file (“medialogininit.png”).
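The exfiltration described above relied on data that merely carried a PNG file name. As an added example (not from the CISA advisory or this article), the following Python check tells a structurally valid PNG from a file that only borrows the extension, including the case of extra data appended after the image; the sample inputs are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_anomalies(data: bytes) -> list:
    """Return reasons the bytes are not a well-formed PNG (empty list = valid).

    Checks signature, IHDR first, per-chunk CRC, and that IEND ends the file,
    so a text or archive blob carrying a .png name fails at the first check.
    """
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    problems, pos, first = [], len(PNG_SIGNATURE), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            problems.append(f"truncated chunk {ctype!r}")
            return problems
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        first = False
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            problems.append(f"bad CRC in chunk {ctype!r}")
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                problems.append(f"{len(data) - pos} bytes after IEND")
            return problems
    problems.append("no IEND chunk")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples (not from the incident): a genuine 1x1 grayscale PNG,
# and a text blob that merely borrows an image name.
REAL_PNG = (PNG_SIGNATURE
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
FAKE_PNG = b"dn: CN=Administrator,CN=Users,DC=corp,DC=example\n"
PADDED_PNG = REAL_PNG + b"secret"  # real image with data appended after IEND
```

Run the check over files served from an appliance's web root or captured in proxy logs; anything with an image name that fails it deserves a closer look.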
Subsequent adversary attempts to move laterally across the network as well as execute commands to identify accessible targets and verify outgoing network connectivity were thwarted due to strong network segmentation practices, the agency said, adding the perpetrators also attempted to remove their artifacts to cover their tracks.

Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for attackers seeking privileged access to target networks, which makes it essential that users apply the hotfixes quickly to protect against potential threats.