August 28, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an advisory to raise awareness among network defenders about the exploitation of CVE-2023-3519, a critical remote code execution (RCE) vulnerability that affects NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. This exploitation occurred in June 2023, when threat actors leveraged this vulnerability as a zero-day attack vector to implant a webshell on a non-production environment NetScaler ADC appliance of a critical infrastructure organization.
Threat actors exploited the CVE-2023-3519 vulnerability to deploy a webshell on a victim's ADC appliance, giving them unauthorized access to the system. This allowed them to perform reconnaissance on the victim's active directory (AD), collect sensitive AD data, and exfiltrate it from the system. The actors also attempted to move laterally to a domain controller, but were fortunately thwarted by network-segmentation controls implemented for the appliance.
Upon identifying the compromise, the victim organization promptly reported the incident to CISA and Citrix. Subsequently, Citrix released a patch on July 18, 2023, to address the vulnerability.
CISA encourages critical infrastructure organizations to leverage the detection guidance provided in its advisory to identify any system compromises resulting from the recent cybersecurity incident. If potential compromise is detected, organizations should take immediate action to implement the recommended incident response protocols outlined in the advisory. For organizations that have not detected any signs of compromise, it is recommended to apply the patches provided by Citrix immediately.
Furthermore, the advisory provides detailed technical information about the threat actors' activity, including the tactics, techniques, and procedures (TTPs) used during the cyberattack, as well as detection methods shared by the victim with CISA.
The advisory also includes a comprehensive list of MITRE ATT&CK tactics and techniques employed by the threat actors.
CISA recommends all organizations to install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible to minimize the risks of potential exploitation.
In addition, organizations should implement best cybersecurity practices, such as mandating the use of phishing-resistant multifactor authentication (MFA) for all staff and services.
As a longer-term effort, organizations should also consider implementing robust network-segmentation controls on their NetScaler appliances and other Internet-facing devices.
If you suspect that you’ve been impacted by this vulnerability, it’s crucial to seek specialist assistance immediately.
As a leading DDoS mitigation service provider, Nexusguard will continue to monitor the situation, follow stringent security compliance rules and deploy the required updates to further harden our platform and services.
Nexusguard is a prominent provider of distributed denial of service (DDoS) security solutions, dedicated to combating malicious Internet attacks. Our comprehensive suite of services ensures uninterrupted Internet service, optimization, visibility, and performance. We also develop and deliver customized cybersecurity solutions to clients across diverse industries with unique business and technical needs, including enabling communications service providers to offer DDoS protection solutions as a service. For more details on Nexusguard’s flexible DDoS protection solutions, please click here.
