"⚠️ #Updated: Citrix CVE-2023-3519 Exploitation - Webshells Implanted! ⚠️"

Initial Release Date: July 20, 2023

CISA has updated its alert on CVE-2023-3519, a severe RCE vulnerability in NetScaler (Citrix) ADC & Gateway. In June 2023, threat actors exploited this as a zero-day, compromising a critical infrastructure organization. They planted a webshell, enabling AD reconnaissance & data exfiltration. Thankfully, network-segmentation controls halted their lateral movement. Citrix has since released a patch. Stay vigilant!

Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding the exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. Threat actors exploited this vulnerability as a zero-day in June 2023, compromising a critical infrastructure organization's non-production environment NetScaler ADC appliance. The attackers planted a webshell, enabling them to perform Active Directory (AD) reconnaissance and data exfiltration. Although they attempted lateral movement to a domain controller, network-segmentation controls prevented their progress. Citrix released a patch on July 18, 2023.

Technical Details:

  • CVE-2023-3519: This unauthenticated RCE vulnerability impacts various versions of NetScaler ADC and NetScaler Gateway. The affected appliance must be configured as a Gateway or for authentication, authorization, and auditing (AAA) to be exploited.

Threat Actor Activity (Victim 1):

  • Initial exploit chain involved uploading a TGZ file containing a webshell, discovery script, and setuid binary.
  • The webshell was used for AD enumeration and data exfiltration.
  • NetScaler configuration files and decryption keys were accessed.
  • Actors queried AD data and encrypted discovery data for exfiltration.
  • Attempts to move laterally and delete artifacts were blocked by network-segmentation controls.

Update September 6, 2023: Victim 2:

  • Actors uploaded a PHP webshell, gained root access, and conducted AD queries.
  • Exfiltrated data and deleted files and logs.
  • Used compromised pfSense devices for command and control (C2).

Additional Observed Activity:

  • Actors leveraged open source webshells and tools for various purposes, including exfiltration, persistence, and tampering with monitoring tools.
  • Modified open-source tools to capture and exfiltrate credentials.
  • Deployed tunnellers for encrypted reverse TCP/TLS connections.
  • Employed Sysinternals ADExplorer for AD reconnaissance.

Update September 6, 2023:
The advisory was updated with additional techniques, including infrastructure compromise, tool acquisition, scripting interpreter usage, autostart execution, multi-hop proxying, file deobfuscation, permissions modification, defense impairment, indicator removal, masquerading, data staging, and protocol tunneling.

Organizations are urged to apply the provided patches by Citrix and implement the detection guidance to identify potential system compromises. Incident response recommendations are included in the advisory for confirmed compromises, while vigilant monitoring and security measures are advised to prevent further exploitation.

Source: CISA Advisory - AA23-201A

Tags: #Cybersecurity #Citrix #CVE20233519 #NetScaler #ZeroDay #Webshell #DataExfiltration #PatchNow #StaySafe

Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched #Citrix #NetScaler systems exposed to the internet. Our data indicates strong similarity between #attacks using CVE-2023-3519 delivering #malware and #webshells and previous attacks using a number of the same #TTPs.

#Sophosxops #threatintel #cve20233519

We just published our #Rapid7 technical analysis of CVE-2023-3519 (#CVE_2023_3519 / #CVE20233519) - a stack-based buffer overflow in Citrix ADC! Got to work with my new co-worker @fulmetalpackets on this one for the first time!

https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519/rapid7-analysis

CVE-2023-3519 | AttackerKB

On Tuesday, July 18, Citrix published a security bulletin warning users of three vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vu…

Still searching for any IoCs of active exploiters of #CVE20233519, if you got 'em. The ones I've seen so far are pretty lame.
Citrix ADC Gateway RCE: CVE-2023-3519 Exploitable Servers Unpatched

Bishop Fox's exploit for CVE-2023-3519, a stack overflow in Citrix ADC Gateway that allows remote code execution: roughly 53% of exploitable servers are unpatched.

Hey all, the recommended hunts for potential exploitation of CVE-2023-3519 involve searching for webshell-like files that are newer than the last patch of the system.

That's cool, and you should do it, but also be aware that timestomping is a very common technique used by attackers targeting *Nix systems with 0-days.

A more considered approach to hunting webshells may be valuable, such as entropy analysis within web-facing directories. And of course log analysis for abnormal commands post-exploitation.

#ThreatIntel #CVE20233519

MITRE ATT&CK vulnerability spotlight: Timestomping | Infosec Resources

MITRE Corporation is a non-profit and federally funded research and development center (FFRDC) that provides unbiased R&D and assessment services to

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell ls -ll /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name '*.php' -newermt '{Timestamp of Installer Files +1}' -exec ls -l {} \;
find /var/vpn/ -type f -newermt '{Timestamp of Installer Files +1}' -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt '{Timestamp of Installer Files +1}' -exec ls -l {} \;
find /var/python/ -type f -newermt '{Timestamp of Installer Files +1}' -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check for new setuid root binaries.** - This command finds and lists setuid (`-perm -4000`) files owned by root under /var, excluding /var/nslog, that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt '{Timestamp of Installer Files +1}' -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd' (the bracketed pattern keeps the grep from matching its own command line).
```
shell ps aux | grep '[n]obody' | grep -v '/bin/httpd'
```
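As an added example (my own script, not from the deyda.net guide, CISA or Citrix), the seven steps above folded into one POSIX shell script that takes a root prefix so it can be dry-run against a constructed directory tree before being copied to the appliance. It uses the newest entry in /var/nsinstall as a `find -newer` reference instead of a hand-copied `-newermt` timestamp, quotes the `*.php` glob, inflates rotated `.gz` logs itself rather than relying on zgrep, and matches the ps USER column so the grep cannot match itself. Assumptions: the appliance's BSD userland provides ls, find, awk, grep and gzip with their POSIX options, and the script name `ns_ioc_check.sh` and the `ns_*` function names are mine.

```shell
#!/bin/sh
# ns_ioc_check.sh - added example, not part of the deyda.net guide or any
# Citrix/NetScaler tooling. Runs checklist steps 2-7 in one pass.
# ROOT is a path prefix: "" on the appliance itself, or a scratch tree for a
# dry run. Paths below it mirror the appliance layout (/var/nsinstall, ...).

# Step 2: newest entry in ROOT/var/nsinstall stands in for the last update.
# It is used as a `find -newer` reference, so no timestamp is hand-copied.
ns_reference_file() {
  dir="$1/var/nsinstall"
  newest=$(ls -t "$dir" 2>/dev/null | head -n 1)
  [ -n "$newest" ] || return 1
  printf '%s\n' "$dir/$newest"
}

# Step 3: files in web-facing directories touched after the last update.
ns_modified_since_install() {
  root="$1"
  ref=$(ns_reference_file "$root") || return 1
  find "$root/netscaler/ns_gui" -type f -name '*.php' -newer "$ref" 2>/dev/null || true
  for d in var/vpn var/netscaler/logon var/python; do
    find "$root/$d" -type f -newer "$ref" 2>/dev/null || true
  done
}

# Steps 4 and 5: search one log family (live file plus rotations) for an ERE,
# inflating .gz rotations inline so zgrep is not required.
ns_grep_logs() {
  root="$1"; logglob="$2"; pattern="$3"
  for f in "$root"/$logglob; do
    [ -f "$f" ] || continue
    case "$f" in
      *.gz) gzip -dc "$f" | grep -E -e "$pattern" || true ;;
      *)    grep -h -E -e "$pattern" "$f" || true ;;
    esac
  done
}

# Step 6: setuid binaries under /var newer than the last update, excluding
# /var/nslog. OWNER defaults to root as in the checklist; a dry run against a
# scratch tree that is not root-owned can pass its own uid instead.
ns_new_setuid() {
  root="$1"; owner="${2:-root}"
  ref=$(ns_reference_file "$root") || return 1
  find "$root/var" -type f -perm -4000 -user "$owner" -newer "$ref" \
       ! -path "$root/var/nslog/*" 2>/dev/null || true
}

# Step 7: processes owned by nobody other than the expected httpd workers.
# Filtering on the USER column avoids `grep nobody` matching itself.
ns_filter_nobody() {
  awk '$1 == "nobody" && $0 !~ /\/bin\/httpd/'
}
ns_nobody_processes() {
  ps aux 2>/dev/null | ns_filter_nobody
}

# Print one labelled section per check that produced output; count findings.
NS_FINDINGS=0
ns_report() {   # $1 = label, $2 = newline-separated findings (may be empty)
  [ -n "$2" ] || return 0
  printf '== %s ==\n%s\n' "$1" "$2"
  NS_FINDINGS=$((NS_FINDINGS + $(printf '%s\n' "$2" | wc -l)))
}

# Exit status is the number of findings (0 = nothing flagged, capped at 255).
ns_run_all() {
  root="$1"; owner="${2:-root}"; NS_FINDINGS=0
  ns_report "web-facing files newer than last update" \
            "$(ns_modified_since_install "$root")"
  ns_report "httperror.log entries naming .sh/.php" \
            "$(ns_grep_logs "$root" 'var/log/httperror.log*' '\.(sh|php)')"
  ns_report "sh.log commands touching /flash/nsconfig/keys" \
            "$(ns_grep_logs "$root" 'var/log/sh.log*' '/flash/nsconfig/keys')"
  ns_report "setuid binaries under /var newer than last update" \
            "$(ns_new_setuid "$root" "$owner")"
  ns_report "nobody processes other than /bin/httpd" \
            "$(ns_nobody_processes)"
  [ "$NS_FINDINGS" -le 255 ] || return 255
  return "$NS_FINDINGS"
}

# Run the checks when executed as a script (on the appliance: `shell`, then
# sh /var/tmp/ns_ioc_check.sh); the functions stay callable when sourced.
case "$0" in *ns_ioc_check.sh) ns_run_all "${1:-}" "${2:-root}" ;; esac
```

A non-zero exit status means something was flagged, which makes the script usable from a scheduled job across a fleet of appliances; the findings still need eyeballing, because a legitimately hot-patched file or a custom logon theme lands in the same lists. The `-newer` comparison shares the limitation noted earlier in this thread: a timestomped webshell will not show up in step 3, so treat an empty report as "nothing obvious", not "clean".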


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness

Checklist for NetScaler (Citrix ADC) CVE-2023-3519 – Deyda.net

CISA Cybersecurity Advisory on threat actors exploiting CVE-2023-3519, an unauthenticated remote code
execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller
(ADC) and NetScaler Gateway: https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

#webshell #vulnerability #NetscalerADC #NetscalerGateway #cve20233519

Has anyone seen IoCs yet from CVE-2023-3519? Like actual known exploiters?

#CVE20233519 #ThreatIntel

For any other enterprise #IT peeps out there, I’ve spent most of today getting new #NetScaler firmware rolled out to our live environment for this one. It’s a doozy! 😬

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

#infosec #cve20233519 #cve20233466 #cve20233467 #patchYourSystems

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467