
Threat actors breached the network of U.S. organizations in critical infrastructure by exploiting a zero-day RCE vulnerability in NetScaler ADC and Gateway.

Earlier this week, Citrix released patches for the issue and warned of active in-the-wild exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) says that the attack occurred in June, and hackers used their access to steal Active Directory data.

The vulnerability identified as CVE-2023-3519 (CVSS rating: 9.8) is a code injection bug that could result in unauthenticated remote code execution.

As part of their initial exploit chain, the threat actors uploaded a TGZ (compressed archive) file containing a generic webshell, a discovery script, and a setuid binary to the NetScaler Application Delivery Controller (ADC) appliance. They then conducted SMB (Microsoft Server Message Block protocol) scanning on the subnet.

The webshell enabled the threat actors to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network segmentation controls for the appliance blocked the movement, CISA says.

CISA has released an advisory with tactics, techniques, and procedures (TTPs) along with detection methods to help organizations, particularly those in the critical infrastructure segment, determine if their systems were compromised.

The attackers encrypted the discovery data with the OpenSSL library and staged it, compressed and disguised as a PNG image file, in a web-accessible location ready for exfiltration.
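Two of the artifacts described above, staged data disguised as a PNG and a setuid binary dropped on the appliance, can be hunted for on the filesystem. The check below is an added example, not code from the CISA advisory or this article: it flags any `.png` file whose first eight bytes are not the PNG signature and any regular file with the setuid bit set. It runs against a constructed temporary directory; the real directory to scan (for instance the appliance's web-accessible document root) is an assumption the operator supplies.

```python
import os
import stat
import tempfile

# Every valid PNG starts with this fixed 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def is_fake_png(path):
    """True when a file named *.png does not carry the PNG signature."""
    with open(path, "rb") as f:
        return f.read(8) != PNG_MAGIC


def find_suspicious(root):
    """Walk root and return sorted (kind, relative_path) findings.

    kind is "fake-png" for masquerading image files (data staged for
    exfiltration) or "setuid" for regular files with the setuid bit.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable; skip
            if not stat.S_ISREG(st.st_mode):
                continue                      # ignore symlinks, devices, etc.
            rel = os.path.relpath(path, root)
            if name.lower().endswith(".png") and is_fake_png(path):
                findings.append(("fake-png", rel))
            if st.st_mode & stat.S_ISUID:
                findings.append(("setuid", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample directory: a real PNG, a gzip blob named .png
    (mimicking staged exfil data), and a setuid shell script."""
    root = tempfile.mkdtemp(prefix="nsdemo_")
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(PNG_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "report.png"), "wb") as f:
        f.write(b"\x1f\x8b\x08" + b"\x00" * 16)   # gzip header, not PNG
    helper = os.path.join(root, "helper")
    with open(helper, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o4755)                       # setuid + rwxr-xr-x
    return root


if __name__ == "__main__":
    for kind, rel in find_suspicious(build_sample_tree()):
        print(f"{kind:9} {rel}")
```

On a real appliance, point `find_suspicious` at the directories the web server serves and review each hit against the last known-good install time rather than treating every finding as malicious.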

Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for threat actors seeking privileged access to targeted networks. NetScaler users must move quickly to apply the latest fixes to secure against potential threats.

CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organizations against all kinds of cyber threats.