The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Thursday, warning that the newly disclosed critical security vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being exploited to implant web shells on vulnerable systems.
“In June 2023, malicious actors exploited this vulnerability as a zero-day to install a web shell on a critical infrastructure entity’s non-production environment NetScaler ADC appliance,” the agency disclosed.
“The web shell allowed the actors to carry out discovery on the victim’s Active Directory (AD) and gather and extract AD data. The actors tried to traverse laterally to a domain controller but the appliance’s network segmentation controls thwarted movement.”
The vulnerability in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that can lead to unauthenticated remote code execution. Earlier this week, Citrix released patches for the flaw and warned of active exploitation in the wild.
Successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) virtual server.
CISA has not revealed the name of the organization that suffered the incident. The threat actor, and the country purportedly behind it, remain unknown.
In the incident investigated by CISA, the web shell is reported to have been used to collect NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was exfiltrated disguised as a PNG image file (“medialogininit.png”). The adversary’s subsequent attempts to move laterally across the network and run commands to identify reachable targets and verify outbound network connectivity were blocked by strict network segmentation, the agency noted, adding that the actors also tried to delete their artifacts to hide their activity.
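The two details a defender can act on in the paragraph above are the artifact filename CISA reported and the fact that the exfiltrated data was only disguised as a PNG. The following script, added here as an example and not part of the advisory or of any Citrix tooling, shows both checks: it scans web-server access-log lines for requests to the reported filename, and it tests whether a file that claims to be a PNG actually starts with the standard 8-byte PNG signature. The log lines, IP addresses, paths and byte sizes are constructed sample data; the log format is assumed to be the common Apache/NGINX access-log layout.

```python
import re

# Standard PNG file signature (first 8 bytes of every valid PNG).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Artifact filename reported in the CISA advisory for this incident.
ARTIFACT_NAME = "medialogininit.png"

# Constructed sample access-log lines (hypothetical hosts and sizes, common log format).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2023:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.10 - - [20/Jul/2023:10:03:45 +0000] "GET /vpn/medialogininit.png HTTP/1.1" 200 917504
198.51.100.7 - - [20/Jul/2023:10:04:10 +0000] "GET /logon/LogonPoint/images/logo.png HTTP/1.1" 200 4096
"""

# Common log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_artifact_requests(log_text, artifact=ARTIFACT_NAME):
    """Return parsed records whose request path ends in the reported artifact filename."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if basename.lower() == artifact.lower():
            hits.append(rec)
    return hits


def looks_like_png(data):
    """True only if the bytes begin with the real PNG signature.

    Configuration files or AD data renamed to .png will fail this check,
    which is the point: the extension says nothing about the content.
    """
    return data.startswith(PNG_SIGNATURE)


if __name__ == "__main__":
    for rec in find_artifact_requests(SAMPLE_LOG):
        print(f"artifact request from {rec['ip']} at {rec['ts']}: "
              f"{rec['path']} ({rec['size']} bytes)")
    # Constructed sample file contents: a real PNG header versus renamed text.
    print("real png:", looks_like_png(PNG_SIGNATURE + b"\x00" * 16))
    print("renamed text:", looks_like_png(b"set ns config -IPAddress ..."))
```

In a real hunt the log text would come from the appliance's HTTP access logs and the byte check would be run over any recently created image files in the web root; a large "image" served once to a single client, or one whose first bytes are not the PNG signature, is worth pulling for inspection.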