threat-analysis

Active Exploitation of Unpatched Citrix Devices

August 2, 2023

On 18 July 2023, Citrix issued an advisory stating that a Remote Code Execution (RCE) vulnerability in older installations of NettScaler ADC was being actively exploited in the wild. The RCE vulnerability was assigned CVE-2023-3519 with a CVSS severity score of 9.8. There were 2 additional CVEs disclosed in the advisory CVE-2023-3466 and CVE-2023-3467.

The products affected by the vulnerabilities are as follows:

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297

The Cybersecurity and Infrastructure Security Agency (CISA) disclosed that CVE-2023-3519 was used in an attack against critical infrastructure. The attacker leveraged the RCE vulnerability to drop a web shell to enumerate and exfiltrate Active Directory data.

Analysis: Threat actors have increased targeting of Software-as-a-Service providers as a method of gathering more victims and as an adjustment to organizations moving to more cloud-based solutions. Recent compromises like MoveIT by Cl0p and Fortinet FortiOS by Chinese threat actors will be more common vectors of approach by threat actors.

Actions: Citrix has released a patch for the vulnerabilities, but for organizations that are unable to patch or require further guidance, detection methods and Indicators of Compromise will be available in the TECHNICAL DETAILS portion of this report.

TECHNICAL DETAILS

Detection methods

Check for newer files than the last installation
Modify the -newermt parameter with date that corresponds to your last installation
- find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
Check http error logs for abnormalities that may be from initial exploit:
- zgrep ‘\.sh’ /var/log/httperror.log*
- zgrep ‘\.php’ /var/log/httperror.log*
Check shell logs for unusual post-ex commands, for example:
- grep ‘/flash/nsconfig/keys’ /var/log/sh.log*
Look for setuid binaries dropped:
- find /var -perm -4000 -user root -not -path “/var/nslog/*” -newermt [YYYYMMDD] -exec ls -l {} \;
Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection.
If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
- database.php
- ns_gui/vpn
- /flash/nsconfig/keys/updated
- LDAPTLS_REQCERT
- Ldapsearch
- openssl + salt
Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

IOCs

14.1.1.0	IP Address
12.2.1.4	IP Address
6.4.0.0	IP Address
3.0.0.4	IP Address
8.1.0.0	IP Address
21.0.7.4	IP Address
2.0.2.2	IP Address
21.4.3.0	IP Address
3.5.0.1	IP Address
1.44.7.1	IP Address
9.2.7.4	IP Address
1.45.4.1	IP Address
3.1.1.3	IP Address
1.7.42.2	IP Address
11.1.2.3	IP Address
7.0.0.0	IP Address
21.0.7.6	IP Address
9.1.0.4	IP Address
1.46.6.1	IP Address
1.43.7.2	IP Address
3.5.6.9	IP Address
7.6.0.3	IP Address
3.2.0.0	IP Address
11.2.13.0	IP Address
8.1.4.0	IP Address
3.1.0.2	IP Address
1.7.8.2	IP Address
8.1.17.0	IP Address
ec78daac7c3d97966f2e3703ca5d1685	MD5
9789d70454a47764b611afc8e84d6c0d	MD5
a4eda2813d85d8b414bb87e855ab4bf8	MD5
9fe61cf2edee63152161ffc52c39f6cd	MD5
c96d775881f0476b9ef465dba9c6d9b8	MD5
6c05518b807d014ee8edb811041e3de232520c28	SHA-1
71bbed12f950de8335006d7f91112263d8504f1b	SHA-1
98a0688036e9dbcf43fa84960d9a1ef3e09a69cf	SHA-1
043e3c7dd683113e2b1c15cacb9c8e68f76513ff	SHA-1
46f4ebbe842620f0976a36741a72482620aa4b48	SHA-1
f4b1c488206e1b1581b06fcd331686846f13f19c	SHA-1
28282bc644054e157c3b9a3d38f1f9551ce09074	SHA-1
52b003d915761f1581ae2d105f3cbe76df7bf1ff	SHA-1
8173f6512ab6183fa5edc5c9a5f3760b8979271e	SHA-1
00e2f5eea29994d19293ec4e8c8775ba73678598	SHA-1
6cbea7d29b5285692843bc1c351abba1a7ef326f	SHA-1
9708fda28ccd0466cb0a8fd409854ab4d92f7dca	SHA-1
6323b355bd7f5d2ce85d0244fe0883af3881df4e	SHA-1
d9c88ddc4c0c78fa534bd33237e95dea66003d29	SHA-1
7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e	SHA-1
6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc	SHA-1
02f76c401d17e409ed45bf7887148fcc22c93c85	SHA-1
8a2dc82148844767f7c7728633a03dcee812e56a	SHA-1
e9c1e65d58b47aec8cd676bd5c07d97b002f205e	SHA-1
7cd8d016edc74a78af0d81c948bfafbcc93c937c	SHA-1
b4a402f41cf44b6094b5131286830ba9bb1eb290	SHA-1
4bedf9eee016286c835e3d8fa981ddece5338795	SHA-1
0237527b3244d251fa5ecd4912dfe4f8b2125c54	SHA-1
d64a487407d6f9685d3907206954a6c84c6fa621	SHA-1
e641968979d4a2377bbea5e2a76bdede040d0b97	SHA-1
5aea738463960d81821c11ae7ade1d627a46bf32	SHA-1
85fa76d77ed69927d24decf476e69bedc7691f48	SHA-1
8beaace082b325e693dc7682029a3cb7e6c2b69d	SHA-1
391dd7f0f239020c46bf057cfa25f82031fc15f7	SHA-1
7bc29a9d5cd697290aa056e94ecee6253d3425f8	SHA-1
d75888a9b14baaad591548463cca09dfd1395236	SHA-1
2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d	SHA-1
443d61d1fa9faa60ef925513d83742902390100f	SHA-1
0f03b3e5b7c1409998a13aba3a95396e6fa349d8	SHA-1
9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40	SHA-1
368ba06881c395f1c9a7ba22203cf8d78b4addc0	SHA-1
6ecaab1d375f33165fe98d06d92f36c949c0ea11	SHA-1
7c18543d126e8a567b83bb4535631825aaa9d742	SHA-1
04c55383fa5689357bcdd2c8036725a55ed632bc	SHA-1
dcaad2540f7d50c512ff2e031d3778dd9337db2b	SHA-1
0ef151550d96cc4460f98832df84b4a1e87c65e9	SHA-1
8780a896543a654e757db1b9396383f9d8095528	SHA-1
3e337087c3b5805fe0b8a46ba622a962880b5d64	SHA-1
6dde93758d42455cb90ef324407919ed67668b9b	SHA-1
ca54623333875b9beaad92c999a92b015c44b079	SHA-1
019114cb788d954c5d1b36d6c62418619e93a757	SHA-1
83ca1abb11ffe34211db55dcd36d96b94252827a	SHA-1
0662b99dfdec1ce07439eb7bed02d90320acc721	SHA-1
dd59cbac5f86057d6a73b87007c08b8bfa0c32ac	SHA-1
a4b154bdf35b3465320136fcb078f196b437c2f1	SHA-1
b4c62101a43051fc7f5349c7d0a5b6085375c1d7	SHA-1
9a0a4d3c1e7138915563c0df4fe6a3f9377b839c	SHA-1
e17b80cff4975ee343568ff526b62319f499005d	SHA-1
c67bbd8756f015e33e4ba639a40c7f9d8bd9e8ab	SHA-1
fffb0b52d5258554c645c966c6cbef7de50b851d	SHA-1
95ce3d86bd2c53009108ffda2dcf553312d733db	SHA-1
fc9867c1e03c22ebf56943be205202e576aabf23	SHA-1
705bf1facbffd2ca40b159b0303132b6fdf657ad	SHA-1
22fcd34c606f32129ebc967fc21f24fb708a98b8	SHA-1
305ce4ff789261df7e3f6e72363d0703e025f80d	SHA-1
94e1c001761373b7d9450768aa15d04c25547a35	SHA-1
1c1bcf2d3ea061613119b534f57507c377df20f9	SHA-1
f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f	SHA-1
b37b46019553089db4f22eb2fe998bca84b2cb64	SHA-1
7fd2219f194a9ef2a8901bb131c5fa12272305ce	SHA-1
92811f07d39e4ad95c92003868f5f7309489d79c	SHA-1
f03a4faa55c4ce0818324701dadbf91988d7351d	SHA-1
2ee636d318653fb1ab193803dafbfe3e371d4130	SHA-1
529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c	SHA-1
f8f5a6b003981bb824329dc987d101977beda7ca	SHA-1
d66585d14b1160712a8a9bfaf9769dd3da0e9a83	SHA-1
1fa20cf2f506113c761777127a38bce5068740eb	SHA-1
0323bce598eea038714f941ce2b22541c46d488f	SHA-1
f1a411873c85b642f13b01f21b534c2bab81fc1b	SHA-1

Back to All Posts