Netscaler ADC bug exploited to breach US critical infrastructure org

The U.S. government has issued a warning regarding a breach in the network of a critical infrastructure organization within the country. This breach was orchestrated by threat actors who exploited a zero-day Remote Code Execution (RCE) vulnerability, specifically identified as CVE-2023-3519. This vulnerability is considered critical in the context of NetScaler ADC and Gateway, and Citrix has recently released patches to address it.

The intrusion took place in June, during which the attackers leveraged their access to pilfer Active Directory data.

Hackers exfiltrated AD data

In a recent advisory, CISA has highlighted that malicious actors exploited an unauthenticated remote code execution (RCE) vulnerability to implant a web shell on a non-production NetScaler Application Delivery Controller (ADC) appliance within the target’s environment. This backdoor enabled the attacker to perform various actions, including enumerating Active Directory (AD) objects such as users, groups, applications, and devices, as well as pilfering AD data.

It’s worth noting that the targeted NetScaler ADC appliance was isolated within the network, preventing the hackers from lateral movement to a domain controller, as per CISA’s assessment.

To assist organizations, especially those in critical infrastructure sectors, in determining potential compromises, CISA has provided an advisory containing tactics, techniques, and procedures (TTPs), along with detection methods.

During the initial exploitation phase, the threat actors uploaded a TGZ archive to the vulnerable appliance, containing a generic web shell, a discovery script, and a setuid binary. They proceeded to perform SMB scanning on the subnet and used the web shell to inspect and exfiltrate Active Directory inventory. Their specific areas of interest included NetScaler configuration files housing an encrypted password (with the decryption key on the ADC appliance), NetScaler decryption keys, and an inventory of AD elements.

To hide their actions, the attackers encrypted the discovery data using the OpenSSL library and prepared it for exfiltration to a web-accessible location in a compressed format, disguised as a tarball and pretending to be a PNG image.

In an attempt to cover their tracks, the hackers deleted the authorization file, which would normally hinder remote admin login. Restoring access may require a reboot into single-user mode, which could result in the removal of artifacts.

Given that threat actors exploited this vulnerability while it was a zero-day, it’s crucial for NetScaler administrators to promptly apply the latest updates provided by Citrix to address this issue.

Thousands of vulnerable servers exposed

The implanted backdoor provided the attacker with the capability to enumerate various Active Directory (AD) objects within the network, encompassing users, groups, applications, devices, and the theft of AD-related data.

Crucially, due to the isolated network environment in which the targeted NetScaler ADC appliance was located, the attackers were unable to pivot laterally toward a domain controller, according to CISA’s findings.

CISA has issued an advisory that includes tactics, techniques, and procedures (TTPs) and detection methodologies to assist organizations, particularly those within critical infrastructure sectors, in assessing whether their systems have been compromised.

In the initial stages of exploitation, the threat actors uploaded a TGZ archive onto the vulnerable appliance, containing a generic web shell, a discovery script, and a setuid binary. They proceeded to conduct SMB scanning within the subnet and utilized the web shell to inspect and exfiltrate the Active Directory inventory. Their specific interests lay in several key areas:

• NetScaler configuration files containing encrypted passwords, with decryption keys residing on the ADC appliance.
• NetScaler decryption keys, which can unlock the AD password within the configuration file.
• A comprehensive inventory of users, systems, groups, subnets, organizational units, contacts, partitions, and trusts within the Active Directory.

The attacker encrypted the discovery data using the OpenSSL library and readied it for exfiltration in a compressed form, cleverly disguised as a tarball masquerading as a PNG image.

To conceal their actions, the hackers attempted to remove the authorization file, a move that would typically hinder remote admin login. Restoring access would necessitate a reboot into single-user mode, which might result in the deletion of artifacts.

Given that threat actors have been actively exploiting this vulnerability since its zero-day status, it is imperative for NetScaler administrators to expeditiously apply Citrix’s latest updates designed to rectify the issue.

Thousands of vulnerable servers exposed

In the initial assessment conducted by The Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, it was determined that CVE-2023-3519 was likely impacting over 11,000 NetScaler ADC and Gateway servers that were accessible online.

However, this figure has now risen to 15,000, as shared with BleepingComputer today. This increase is attributed to an improved query refinement, which categorized all NetScaler appliances returning a “last modified” header with a date before July 1st as vulnerable. Additionally, detection coverage for NetScaler AAA (authentication virtual server) machines has been enhanced. It’s important to note that this revised count is still considered a conservative estimate, according to the organization.

CISA has also taken steps to assist organizations by providing a set of commands that can be utilized to detect any indications of compromise resulting from the exploitation of CVE-2023-3519.

Command stacking leading to root

Citrix addressed CVE-2023-3519 on July 18, along with two other vulnerabilities of lesser severity. One of these is a reflected cross-site scripting (XSS) issue with a severity score of 8.3, identified as CVE-2023-3466. To exploit this vulnerability, an attacker needs to have a victim on the same network as the vulnerable appliance load a malicious link in their browser.

The other vulnerability is a privilege escalation to root, known as CVE-2023-3467, with an 8.0 severity score. This vulnerability can be leveraged by an attacker with the least privileged role to the NetScaler command-line interface (CLI). Researchers at Resillion, Jorren Geurts and Wouter Rijkborst, published a detailed technical analysis of this vulnerability, explaining how specific commands in the NetScaler CLI can allow a user with read-only permissions to obtain root privileges on the system.

While there is currently no information about these less severe vulnerabilities being exploited in the wild, it’s important to note that threat actors who already have access to the network could potentially use them to further expand their access.

The recent breaches of The Estée Lauder Companies by the Clop and ALPHV/BlackCat ransomware gangs highlight the persistence of threat actors within compromised networks. These advanced groups may not rush to move laterally in the victim network, sometimes opting for a more silent approach to find less noisy and more effective attack methods.

Attention: CLICK HERE to follow our facebook page