The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA).
“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.
IoCs, IR and mitigation advice
The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.
The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks or how to check whether an organizations had been a target had been publicly shared.
A list of indicators of compromise (IoCs) had been shared with select organizations, under the understanding that the info would not be widely shared (i.e., that the contents would be restricted to those organization and shared with its clients “on a need-to-know basis”).
“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.
He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.
CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.
In-the-wild exploitation of CVE-2023-3519
Greynoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.
If what Winkel says is true – namely, that first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while – it’s possible that there are many compromised organizations out there who didn’t manage to block the attackers’ lateral movement.
It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.
UPDATE (July 22, 2023, 10:55 a.m. ET):
Based on their analysis of a compromised appliance, Mandiant has also published their own findings related to in-the-wild attacks, along with remediation, hardening, and threat hunting advice.