The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim's Active Directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply the patches provided by Citrix.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:

- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1, now end of life

CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.

Threat Actor Activity

As part of their initial exploit chain, the threat actors uploaded a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance and conducted SMB scanning on the subnet.

The actors used the webshell for AD enumeration and to exfiltrate AD data. In particular, the actors:

- Viewed the NetScaler configuration files `/flash/nsconfig/keys/updated/*` and `/nsconfig/ns.conf`. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance.
- Viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file).
- Used the decrypted AD credential to query the AD via ldapsearch. Queries included:
  - Users (`objectClass=user`) (`objectcategory=person`)
  - Organizational Units (`objectClass=organizationalUnit`)
- Used the following command to encrypt the collected discovery data via openssl in a "tar ball": `tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k -out /var/tmp/` (A "tar ball" is a compressed and zipped file used by threat actors for collection and exfiltration.)
- Exfiltrated the collected data by uploading it as an image file to a web-accessible path: `cp /var/tmp/ /netscaler/ns_gui/vpn/medialogininit.png`

The actors' other discovery activities were unsuccessful due to the critical infrastructure organization's deployment of their NetScaler ADC appliance in a segmented environment. The actors:

- Executed a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
- Verified outbound network connectivity with a ping command (`ping -c 1`).
- Executed host commands for a subnet-wide DNS lookup.

The actors also attempted to delete their artifacts. The actors deleted the authorization configuration file (`/etc/nf`), likely to prevent configured users (e.g., admin) from logging in remotely (e.g., via the CLI).
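The exfiltration step above staged a tar ball encrypted with `openssl des3 -salt` and copied it into the web-accessible `/netscaler/ns_gui/vpn/` directory under a `.png` name. The following is an added example, not code from the advisory or from Citrix, that a defender could run against a copy of that directory: it flags image-named files whose leading bytes are a gzip header or the `Salted__` header that OpenSSL's `-salt` mode writes. The sample tree it scans is constructed inline.

```python
"""Flag image-named files under a web-accessible path whose content is really
a gzip tar ball or OpenSSL 'Salted__' output (disguised exfiltration staging)."""
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG file signature
GZIP_MAGIC = b"\x1f\x8b"           # gzip signature (tar -czf output)
OPENSSL_SALTED = b"Salted__"       # header written by `openssl enc ... -salt`
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}


def classify(header: bytes) -> str:
    """Classify a file by its first bytes."""
    if header.startswith(PNG_MAGIC):
        return "png"
    if header.startswith(GZIP_MAGIC):
        return "gzip"
    if header.startswith(OPENSSL_SALTED):
        return "openssl-salted"
    return "other"


def find_disguised_archives(root: str) -> list[tuple[str, str]]:
    """Return (path, detected_type) for image-named files that are archives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(8))   # 8 bytes cover every signature above
            if kind in ("gzip", "openssl-salted"):
                findings.append((path, kind))
    return sorted(findings)


def demo() -> list[str]:
    """Scan a constructed tree mimicking /netscaler/ns_gui/vpn (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        vpn = os.path.join(root, "ns_gui", "vpn")
        os.makedirs(vpn)
        samples = {                                # constructed sample files
            "logo.png": PNG_MAGIC + b"\x00" * 16,              # genuine image
            "medialogininit.png": GZIP_MAGIC + b"\x08\x00" * 9, # gzip disguised
            "banner.jpg": OPENSSL_SALTED + b"\x01" * 8,        # openssl disguised
            "index.html": b"<html></html>",                    # not an image name
        }
        for name, data in samples.items():
            with open(os.path.join(vpn, name), "wb") as fh:
                fh.write(data)
        return [f"{os.path.basename(p)}:{k}" for p, k in find_disguised_archives(root)]


if __name__ == "__main__":
    print(demo())   # ['banner.jpg:openssl-salted', 'medialogininit.png:gzip']
```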