Active Exploitation of Unpatched Citrix Devices

August 2, 2023

On 18 July 2023, Citrix issued an advisory stating that a Remote Code Execution (RCE) vulnerability in older installations of NetScaler ADC was being actively exploited in the wild. The RCE vulnerability was assigned CVE-2023-3519 with a CVSS severity score of 9.8. Two additional CVEs were disclosed in the advisory: CVE-2023-3466 and CVE-2023-3467.

The products affected by the vulnerabilities are as follows:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL) 
  • NetScaler ADC 13.1-FIPS before 13.1-37.159 
  • NetScaler ADC 12.1-FIPS before 12.1-55.297 
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297 

The Cybersecurity and Infrastructure Security Agency (CISA) disclosed that CVE-2023-3519 was used in an attack against critical infrastructure. The attacker leveraged the RCE vulnerability to drop a web shell to enumerate and exfiltrate Active Directory data. 

Analysis: Threat actors have increasingly targeted Software-as-a-Service providers, both to reach more victims and to adapt to organizations moving to more cloud-based solutions. Compromises like the recent ones of MOVEit by Cl0p and Fortinet FortiOS by Chinese threat actors will become more common vectors of approach for threat actors.

Actions: Citrix has released a patch for the vulnerabilities, but for organizations that are unable to patch or require further guidance, detection methods and Indicators of Compromise will be available in the TECHNICAL DETAILS portion of this report. 


Detection methods 

  1. Check for files newer than the last installation.
  2. Modify the -newermt parameter with the date that corresponds to your last installation:
    • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
    • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
  3. Check HTTP error logs for abnormalities that may be from the initial exploit:
    • zgrep '\.sh' /var/log/httperror.log*
    • zgrep '\.php' /var/log/httperror.log*
  4. Check shell logs for unusual post-exploitation commands, for example:
    • grep '/flash/nsconfig/keys' /var/log/sh.log*
  5. Look for dropped setuid binaries:
    • find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;
  6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC. 
  7. Review DNS logs for an unexpected spike in internal network computer name lookups originating from the ADC (this may indicate the threat actor resolving hosts after AD enumeration of computer objects).
  8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration). 
  9. Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell). 
  10. Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration. 
  11. Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection. 
  12. If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.” 
  13. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below): 
    • database.php 
    • ns_gui/vpn 
    • /flash/nsconfig/keys/updated 
    • ldapsearch
    • openssl + salt 
  14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources. 
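
The checks in steps 9 and 14, as an added example that is not part of the original advisory: a shell function that lists HTTP 200 responses for paths missing from a known-good baseline and counts them per client IP. It assumes the access log is in Apache common/combined format; the baseline file, sample log lines, IP addresses and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes Apache common/combined log
# format: $1 = client IP, $7 = request target, $9 = HTTP status.

# unknown_200 BASELINE LOG...
#   BASELINE: known-good URL paths, one per line (e.g. listed from a clean install).
#   LOG...:   plain or gzip-rotated access logs (gzip -cdf passes plain files through).
# Prints "<hits> <client_ip> <path>", busiest first.
unknown_200() {
    baseline=$1; shift
    gzip -cdf "$@" | awk -v base="$baseline" '
        BEGIN { while ((getline p < base) > 0) known[p] = 1 }
        $9 == "200" {
            path = $7
            sub(/[?].*/, "", path)            # compare without the query string
            if (!(path in known)) hits[$1 " " path]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# demo: run the check over constructed sample data (documentation IP ranges,
# hypothetical file names; none of these values come from the advisory).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' /vpn/index.html /vpn/login.js > "$tmp/baseline.txt"
    cat > "$tmp/httpaccess-vpn.log" <<'EOF'
192.0.2.10 - - [20/Jul/2023:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
198.51.100.7 - - [20/Jul/2023:10:02:11 +0000] "POST /vpn/themes/example.php HTTP/1.1" 200 312
198.51.100.7 - - [20/Jul/2023:10:02:15 +0000] "POST /vpn/themes/example.php?x=1 HTTP/1.1" 200 298
203.0.113.5 - - [20/Jul/2023:10:02:40 +0000] "GET /vpn/themes/example.php HTTP/1.1" 200 298
192.0.2.10 - - [20/Jul/2023:10:03:00 +0000] "GET /vpn/missing.js HTTP/1.1" 404 196
EOF
    unknown_200 "$tmp/baseline.txt" "$tmp/httpaccess-vpn.log"
    rm -rf "$tmp"
}
```

Call `demo` to see the output on the sample data, or run `unknown_200 baseline.txt httpaccess-vpn.log*` against real logs; a single IP with many hits on one unknown path matches the web shell interaction pattern described in step 9.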

IOCs