Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells - 20230721002

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. The WA SOC encourages critical infrastructure organisations to use the detection guidance CISA provides in this advisory to help identify any system compromise.

What is the vulnerability?

CVE-2023-3519 - CVSS v3 Base Score: 9.8

CVE-2023-3519 is an unauthenticated RCE vulnerability which allows an adversary to execute arbitrary code on vulnerable devices.

What is vulnerable?

This vulnerability affects the following versions of NetScaler ADC and NetScaler Gateways:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.

Please refer to CISA's Security Advisory for details of Threat Actor Activity and a list of referenced Tactics and Techniques used by the threat actors.

Detection Methods

Run the following victim-created checks on the ADC shell interface to look for signs of compromise:

  1. Check for files newer than the last installation. Modify the -newermt parameter with the date that corresponds to your last installation:
    • find /netscaler/ns_gui/ -type f -name '*.php' -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
  2. Check HTTP error logs for abnormalities that may stem from the initial exploit:
    • grep '\.sh' /var/log/httperror.log*
    • grep '\.php' /var/log/httperror.log*
  3. Check shell logs for unusual post-exploitation commands, for example:
    • grep '/flash/nsconfig/keys' /var/log/sh.log*
  4. Look for setuid binaries that have been dropped:
    • find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;
  5. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
  6. Review DNS logs for an unexpected spike in internal computer-name lookups originating from the ADC (this may indicate the threat actor resolving hosts after enumerating AD computer objects).
  7. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
  8. Review the number of connections/sessions from the NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
  9. Pay attention to large outbound transfers from the ADC over a short period of session time, as these can indicate data exfiltration.
  10. Review AD logs for logon activity originating from the ADC IP with the account configured for the AD connection.
  11. If a logon restriction is configured for the AD account, check for event 4625 where the failure reason is "User not allowed to logon at this computer."
  12. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
    • database.php
    • ns_gui/vpn
    • /flash/nsconfig/keys/updated
    • LDAPTLS_REQCERT
    • ldapsearch
    • openssl + salt
  13. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 (successful) responses to unknown web resources.
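As an added illustration of the two log-review checks above (example code written for this page, not part of the WA SOC or CISA advisory), the Python below scans sh.log/bash.log-style lines for the listed keywords and flags HTTP 200 responses to paths absent from a baseline inventory. The Apache combined log format for httpaccess-vpn.log, the baseline path set and all sample log lines are constructed assumptions.

```python
import re

# Keywords listed in the advisory for sh.log*/bash.log* review.
SHELL_LOG_KEYWORDS = ("database.php", "ns_gui/vpn", "/flash/nsconfig/keys/updated",
                      "LDAPTLS_REQCERT", "ldapsearch")

# Assumption: httpaccess-vpn.log lines follow Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumption: an inventory of legitimate web resources taken from a clean appliance.
BASELINE_PATHS = {"/vpn/index.html", "/logon/LogonPoint/index.html"}

def flag_shell_log_lines(lines):
    """Return (line, matched keywords) for shell-log lines containing advisory keywords."""
    hits = []
    for line in lines:
        found = [k for k in SHELL_LOG_KEYWORDS if k in line]
        # The advisory lists "openssl + salt" as one indicator: both tokens on one line.
        if "openssl" in line and "salt" in line:
            found.append("openssl + salt")
        if found:
            hits.append((line.rstrip(), found))
    return hits

def flag_successful_unknown_resources(lines, baseline):
    """Return (client IP, path) for HTTP 200 responses to paths not in the baseline."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string when comparing
        if path not in baseline:
            hits.append((m["ip"], path))
    return hits

SAMPLE_SH_LOG = [  # constructed lines, not real NetScaler output
    "Jul 18 10:02:11 root: cat /flash/nsconfig/keys/updated/ns.key",
    "Jul 18 10:05:40 root: LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://dc01",
    "Jul 18 10:06:02 root: openssl enc -aes-256-cbc -salt -in dump.txt -out dump.enc",
    "Jul 18 10:07:00 root: openssl version",
    "Jul 18 09:00:00 root: show ns version",
]
SAMPLE_ACCESS_LOG = [  # constructed lines in Apache combined format
    '198.51.100.7 - - [18/Jul/2023:10:01:59 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jul/2023:10:02:30 +0000] "POST /logon/LogonPoint/uiareas/new.php HTTP/1.1" 200 84',
    '203.0.113.9 - - [18/Jul/2023:10:03:10 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9000',
    '203.0.113.9 - - [18/Jul/2023:10:04:00 +0000] "GET /ns_gui/something.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for line, keys in flag_shell_log_lines(SAMPLE_SH_LOG):
        print("shell-log hit:", keys, "|", line)
    for ip, path in flag_successful_unknown_resources(SAMPLE_ACCESS_LOG, BASELINE_PATHS):
        print("unknown resource served 200:", ip, path)
```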

Incident Response

If compromise is detected, organisations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  5. If applicable, share/report the incident to WA SOC and ACSC.

Mitigations

The WA SOC recommends the following mitigations:

For additional information on validating security controls, please refer to CISA's Security Advisory.

Additional References