Citrix NetScaler Hackers Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a security advisory stating that threat actors have been exploiting a zero-day vulnerability in Citrix ADC (Application Delivery Controller) and NetScaler Gateway.

The vulnerability enabled the placement of a webshell on a non-production environment of a critical infrastructure organization. This was reported to CISA and Citrix Systems.

Threat actors exploited an unauthenticated remote code execution vulnerability to drop these webshells on the environment and also attempted to move laterally to the domain controller. However, the attempt was blocked by network-segmentation controls.

CVE-2023-3519: Code Injection Vulnerability

A threat actor can exploit this vulnerability if the appliance is configured as a Gateway (VPN virtual server, RDP proxy, etc.) or as an Authentication, Authorization and Auditing (AAA) server. The CVSS score for this vulnerability is 9.8 (Critical).

Citrix Systems has released patches that fix this vulnerability.

Affected Products

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36
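
A version check against the list above, as an added example that is not part of the original article or of any Citrix or CISA tooling. It covers the standard and FIPS rows only, assumes the caller supplies the build in the list's own "release-build" form together with the edition, and uses constructed appliance names and builds.

```python
import re

# Fixed builds from the "Affected Products" list above, as (build, patch).
# None marks a release line with no fixed build (end of life).
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("12.1", "standard"): None,
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (65, 36),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def is_affected(version, edition="standard"):
    """True if the build is older than the fixed build for its release line."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    key = (match.group(1), edition.lower())
    if key not in FIXED_BUILDS:
        raise ValueError(f"release line not in the advisory list: {key}")
    fixed = FIXED_BUILDS[key]
    if fixed is None:
        return True  # end of life: no fixed build exists
    # Compare as integer tuples: as strings, "49.9" would sort after "49.13".
    return (int(match.group(2)), int(match.group(3))) < fixed


def triage(inventory):
    """Map each appliance name to 'affected', 'fixed' or 'review'."""
    report = {}
    for name, version, edition in inventory:
        try:
            report[name] = "affected" if is_affected(version, edition) else "fixed"
        except ValueError:
            report[name] = "review"  # fail closed: a human checks unknown builds
    return report


# Constructed inventory (hypothetical appliance names and builds).
SAMPLE_INVENTORY = [
    ("gw-edge-01", "13.1-48.47", "standard"),
    ("gw-edge-02", "13.1-49.13", "standard"),
    ("gw-lab-01", "13.0-91.9", "standard"),
    ("adc-old-01", "12.1-65.36", "standard"),
    ("adc-fips-01", "13.1-37.159", "fips"),
    ("adc-unknown", "14.1-4.42", "standard"),
]
```

Anything reported as "review" is a release line or version string the list does not cover and needs a manual check rather than being treated as safe.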

Technical Analysis

Threat actors uploaded a malicious TGZ file to the ADC appliance. It contained a setuid binary, a generic webshell and a discovery script for conducting an SMB scan on the ADC. The webshell was then used for AD enumeration and data exfiltration. Additional activities performed by the threat actors include:

  • Viewing of NetScaler Configuration file (Contains encrypted passwords)
  • Viewing NetScaler Decryption Keys (Used for decrypting extracted passwords from Config file)
  • Conducting an LDAP search using the decrypted AD credentials and extracting data such as Users, Computers, Groups, Subnets, Organisational Units, Contacts, Partitions, and Trusts

Other queries by the threat actors were unsuccessful because the organization had implemented a segmented environment for the ADC appliance. The exfiltration queries that failed are as follows:

  • Execution of subnet-wide curl command for scanning internal network as well as checking for potential lateral movement targets
  • Outbound network connectivity with a ping command to
  • Subnet-wide host commands for DNS lookup 

The threat actors also deleted the authorization config file /etc/auth.conf to prevent privileged users from logging in remotely. If the organization attempted to regain access to the server by rebooting into single-user mode, the reboot would delete the threat actors’ artifacts.

CISA has released a complete report covering the MITRE ATT&CK framework, detection methods, mitigation and prevention steps. Organizations are advised to follow them to mitigate these kinds of breaches by threat actors.

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.