The Cybersecurity and Infrastructure Security Agency (CISA) has reported that unidentified threat actors breached a US organization in the critical infrastructure sector. The attackers exploited a zero-day remote code execution (RCE) vulnerability, tracked as CVE-2023-3519, in Citrix's NetScaler ADC and Gateway appliances. The breach, which took place in June, resulted in the theft of Active Directory data.
The attackers exploited the RCE vulnerability to implant a webshell on the target's non-production NetScaler ADC appliance. This backdoor allowed the hackers to discover and steal Active Directory data, including information about users, groups, applications, and devices on the network. However, due to the targeted ADC appliance's isolated location within the network, the hackers were unable to move laterally to a domain controller.
In response to the attack, CISA has issued an advisory detailing the tactics, techniques, and procedures (TTPs) used by the threat actors. The advisory also provides detection methods to help organizations, particularly those in the critical infrastructure sector, determine whether their systems have been compromised.
The attackers exploited the vulnerability to upload a TGZ archive to the appliance containing a generic webshell, a discovery script, and a setuid binary. They scanned the subnet for SMB hosts and used the webshell to enumerate and exfiltrate an Active Directory inventory. The discovery data was encrypted with OpenSSL, compressed into a tarball, renamed with a .png extension to look like an image, and staged in a web-accessible location for exfiltration.
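A check that follows from the staging step above is to look for image-named files in web-served directories whose leading bytes are actually a gzip or tar header, since renaming a tarball to .png changes the name but not its magic bytes. The script below is an added example written for this article, not code from CISA's advisory or from Citrix. The web-root layout, file names and fake AD inventory it creates are constructed sample data, and the `Salted__` check assumes the data was encrypted with `openssl enc` in its default password-based mode (which writes that header); the advisory text quoted here does not say which OpenSSL mode was used.

```python
"""Flag image-named files whose leading bytes say they are really archives.

Added example for this article; not CISA or Citrix code. The directory layout
and file contents below are constructed sample data.
"""
import io
import tarfile
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC = b"ustar"          # present at offset 257 in ustar/GNU/PAX tar headers
TAR_MAGIC_OFFSET = 257
OPENSSL_SALTED = b"Salted__"  # header written by 'openssl enc' in password-based mode (assumption)
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def classify(path):
    """Identify the container from the first 512 bytes, ignoring the file extension."""
    with open(path, "rb") as f:
        head = f.read(512)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(GZIP_MAGIC):
        return "gzip"
    if head.startswith(OPENSSL_SALTED):
        return "openssl-enc"
    if head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return "unknown"


def find_disguised_archives(root):
    """Return sorted (relative_path, real_type) pairs for image-named files that are not images."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in IMAGE_EXTS:
            continue
        kind = classify(p)
        if kind in ("gzip", "tar", "openssl-enc"):
            findings.append((p.relative_to(root).as_posix(), kind))
    return sorted(findings)


def _tar_bytes(compress):
    """Build a tiny tarball in memory holding a fake AD inventory file (constructed data)."""
    payload = b"sAMAccountName,memberOf\nsvc_backup,Domain Admins\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if compress else "w") as tf:
        info = tarfile.TarInfo(name="ad_users.csv")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_tree():
    """Create a throwaway web-root-like tree: one real PNG header, three disguised blobs, one non-image."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "images").mkdir()
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)                  # genuine image header
    (root / "images" / "banner.png").write_bytes(_tar_bytes(compress=True))   # .tgz renamed to .png
    (root / "images" / "theme.png").write_bytes(_tar_bytes(compress=False))   # .tar renamed to .png
    (root / "images" / "enc.png").write_bytes(OPENSSL_SALTED + b"\x01" * 8 + b"\xaa" * 32)  # openssl enc output
    (root / "notes.txt").write_bytes(b"not an image name, ignored by the scan\n")
    return root


if __name__ == "__main__":
    for rel, kind in find_disguised_archives(build_sample_tree()):
        print(f"{rel}: named like an image but is {kind}")
```

Run it against the appliance's web-served directories rather than the constructed tree. A mismatch is a lead for the incident responder, not proof of compromise on its own; pair it with file modification times newer than the last legitimate install and with the other indicators in CISA's advisory.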
According to the non-profit security organization The Shadowserver Foundation, more than 11,000 NetScaler ADC and Gateway servers exposed online are likely affected by CVE-2023-3519. That figure rose to 15,000 after Shadowserver refined its query to tag every NetScaler appliance returning a 'last modified' header dated before July 1 as vulnerable, on the reasoning that such appliances had not yet received the patch.
Citrix released a patch for CVE-2023-3519 on July 18, along with fixes for two less severe vulnerabilities: a reflected cross-site scripting (XSS) bug rated 8.3 (CVE-2023-3466) and a privilege escalation to root rated 8.0 (CVE-2023-3467). There is currently no indication that either is being exploited in the wild, but the reflected XSS requires a victim to open an attacker-crafted link and the privilege escalation requires authenticated access to the management interface, so a threat actor who already has a foothold on the network could use them to extend that access.
Recently, The Estée Lauder Companies experienced two separate breaches: one by the Clop ransomware gang through the MOVEit zero-day vulnerability, and one by ALPHV/BlackCat. It remains unclear how ALPHV/BlackCat obtained initial access, but the gang bragged that two weeks after the company engaged Microsoft DART and Mandiant to deal with the first incident, they were still on the network.