Threat actors exfiltrated data from a critical infrastructure organization by exploiting a now-patched zero-day bug in a NetScaler application delivery controller (ADC), the Cybersecurity and Infrastructure Security Agency (CISA) said.
The incident was revealed in a cybersecurity advisory (CSA) published by CISA on Thursday. The agency said the attack occurred last month but did not name the targeted organization, or say which industry sector it operated in.
The threat actors were able to steal Microsoft Active Directory permissions and control data from the organization by exploiting a remote code execution (RCE) vulnerability Citrix disclosed, and released a patch for, earlier in the week.
The critical-level vulnerability, CVE-2023-3519, which has a CVSS v3 rating of 9.8, was one of three flaws disclosed by Citrix on Tuesday, affecting several versions of the company’s NetScaler ADC and NetScaler Gateway appliances.
Attack targeted Active Directory data
For exploitation of the vulnerability to be possible, the affected appliances must be configured as gateways (VPN virtual servers, ICA proxies, CVPNs, or RDP proxies) or as authentication, authorization, and auditing (AAA) virtual servers.
In its advisory, CISA said last month’s attack involved the threat actors exploiting the vulnerability as a zero-day bug to drop a webshell on the victim organization’s non-production environment NetScaler ADC appliance.
“As part of their initial exploit chain, the threat actors uploaded a TGZ (compressed archive) file containing a generic webshell, discovery script, and setuid binary on the ADC appliance and conducted SMB (Microsoft Server Message Block protocol) scanning on the subnet,” the advisory said.
The webshell enabled the attackers to perform discovery on the victim organization’s Active Directory and collect and exfiltrate Active Directory data.
“The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” CISA said. “The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability.”
Exploits expected to increase quickly
The vulnerability was one of three affecting NetScaler ADC and NetScaler Gateway appliances Citrix disclosed and issued patches for on Tuesday. The other vulnerabilities were CVE-2023-3466 (CVSS rating: 8.3), an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack, and CVE-2023-3467 (CVSS rating: 8.0), an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).
Also on Tuesday, Rapid7 senior manager of vulnerability research, Caitlin Condon, posted about the three vulnerabilities. She said the NetScaler ADC and NetScaler Gateway appliances were “a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly”.
“Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur,” she said.
CISA said critical infrastructure organizations should use the detection guidance included in its advisory to help determine if their system had been compromised by the RCE vulnerability.
“If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA,” the agency said. “If no compromise is detected, organizations should immediately apply patches provided by Citrix.”
Based on evidence that the RCE bug was being actively exploited, CISA on Wednesday added it to its Known Exploited Vulnerabilities (KEV) catalog. The KEV listing means all Federal Civilian Executive Branch (FCEB) government agencies are required to take steps to remediate the vulnerability by August 9. CISA “strongly recommends” all non-FCEB organizations that could be exposed to the threat of exploitation follow suit.