The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to alert network defenders about the exploitation of CVE-2023-3519, a remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to implant a webshell on a NetScaler ADC appliance in a critical infrastructure organization's non-production environment.
The Exploit
The threat actors exploited the vulnerability to drop a webshell on the victim's ADC appliance. This enabled them to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but were blocked by the network-segmentation controls in place for the appliance.
The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.
Recommendations
CISA encourages critical infrastructure organizations to use the detection guidance included in the advisory to determine whether their systems have been compromised. If potential compromise is detected, organizations should apply the incident response recommendations provided in the advisory. If no compromise is detected, organizations should immediately apply the patches provided by Citrix.
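One of the checks the advisory's detection section recommends is looking for files in the appliance's web root that are newer than the last install or patch, since a webshell dropped through the RCE lands there as a new file. The script below is an added example, not part of the CISA advisory or Citrix's guidance: a portable shell function that lists files under a directory newer than a given timestamp, exercised against a constructed directory that stands in for /netscaler/ns_gui (the real path on an appliance, the date of the last known-good install, and the file glob are all inputs the operator supplies).

```sh
#!/bin/sh
# Added example (not from the CISA advisory or Citrix): list files under a
# web root that were written after the last known-good install or patch.
# Uses a reference timestamp file with POSIX 'find -newer' so it also works
# where GNU-only options such as -newermt are unavailable.
#
# Usage: hunt_new_files <webroot> <since as YYYYMMDDhhmm> [name-glob]
hunt_new_files() {
    webroot="$1"
    since="$2"
    glob="${3:-*}"
    stamp=$(mktemp)
    touch -t "$since" "$stamp"               # reference mtime = last patch time
    find "$webroot" -type f -name "$glob" -newer "$stamp" | sort
    rm -f "$stamp"
}

# Demo against a constructed directory layout; the paths and timestamps are
# made up for illustration and are not taken from a real appliance.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vpn" "$tmp/epa/scripts"

    # Legitimate file shipped with the appliance, dated before the patch.
    printf '<?php /* constructed: shipped with the build */ ?>\n' > "$tmp/vpn/index.php"
    touch -t 202306010000 "$tmp/vpn/index.php"

    # File that appeared after the 2023-07-18 patch; this is what the hunt flags.
    printf '<?php /* constructed: placed after the patch */ ?>\n' > "$tmp/epa/scripts/prod.php"
    touch -t 202307190930 "$tmp/epa/scripts/prod.php"

    # Everything written after midnight on the patch date, PHP files only.
    hunt_new_files "$tmp" 202307180000 '*.php'

    rm -rf "$tmp"
}
```

Run hunt_new_files against the appliance's actual web root with the date of your last known-good install; any hit should be compared against the shipped file list before it is treated as a webshell, since legitimate hotfixes also add or modify files.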
Technical Details
The advisory provides detailed technical information about the threat actors’ activity, including the tactics, techniques, and procedures (TTPs) used, and detection methods shared with CISA by the victim. The advisory also provides a comprehensive list of MITRE ATT&CK tactics and techniques used by the threat actors.
Mitigations
CISA recommends that all organizations install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. Organizations should follow cybersecurity best practices, including mandating phishing-resistant multifactor authentication (MFA) for all staff and all services. As a longer-term effort, they should apply robust network-segmentation controls to NetScaler appliances and other internet-facing devices.
Conclusion
This advisory serves as a reminder of the importance of maintaining up-to-date systems and implementing robust cybersecurity practices. Organizations are encouraged to review the advisory in detail and take the necessary steps to protect their systems and data.