

The critical Citrix flaw CVE-2023-3519 was discovered in mid-July 2023 as a zero-day, with attackers actively exploiting it to execute code remotely, without authentication, on vulnerable devices. In June 2023, threat actors had already exploited this vulnerability to drop a webshell on a NetScaler ADC appliance in a critical infrastructure organization's non-production environment.
The webshell enabled the actors to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls around the appliance blocked the movement.
A week after Citrix made security updates available to address the problem, Shadowserver reported that there were still 15,000 internet-exposed appliances that hadn't applied the patches. Even for organizations that installed the security updates, the risk of being compromised remains, as the patch does not remove malware, backdoors, and webshells planted by the attackers in the post-compromise phase.
In August 2023, CISA received tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) from an additional victim and trusted third parties. This information was used to update the Cybersecurity Advisory to assist administrators with detecting and responding to this activity.
Also in August, GreyNoise Labs did a deep-dive into CVE-2023-3519 as there was a great deal of chatter and confusion around just how exploits were being crafted and where, deep within the Citrix codebase, the flaws existed.
Despite the availability of patches, the risk of compromise remains high, because the patch only closes the vulnerability: it does not remove malware, backdoors, or webshells planted by the attackers in the post-compromise phase. A system that was compromised before the patch was applied can therefore still be under attacker control after patching.
Furthermore, the vulnerability has been exploited by state-sponsored threat actors and ransomware groups, indicating its high value for malicious activities. Therefore, it is crucial for defenders to not only apply the patches, but also to check for signs of compromise and clean up any potential backdoors or webshells.
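One way to act on that advice is an integrity sweep of the appliance's web-facing directories after patching, comparing the live file tree against a known-good manifest so that a dropped webshell or a tampered shipped file shows up even though the patch left it in place. The script below is an added example, not code from the original article, from Citrix, or from CISA; the web root, the manifest format and the sample files are constructed assumptions, and in practice the manifest would be the vendor's shipped-file list for the patched build.

```python
import hashlib
import os
import tempfile

# Extensions an attacker would typically use for a dropped webshell.
SCRIPT_EXT = {".php", ".pl", ".py", ".sh", ".cgi"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's root-relative path to its SHA-256 (the known-good baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest

def triage(root, manifest):
    """Compare the live tree with the baseline: unexpected script files (likely
    webshells), other unexpected files, and shipped files whose content changed."""
    current = build_manifest(root)
    new = [p for p in current if p not in manifest]
    return {
        "unexpected_scripts": sorted(p for p in new if os.path.splitext(p)[1] in SCRIPT_EXT),
        "unexpected_other": sorted(p for p in new if os.path.splitext(p)[1] not in SCRIPT_EXT),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }

def demo():
    """Constructed scenario: baseline a clean web root, then simulate what a
    patch would not undo: a dropped webshell and a tampered shipped file."""
    root = tempfile.mkdtemp()  # stands in for the appliance's web root (assumption)
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n")
    baseline = build_manifest(root)  # captured from the clean install
    with open(os.path.join(root, "cache", "x.php"), "w") as f:
        f.write("<?php /* constructed stand-in for a dropped webshell */ ?>\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// appended by the intruder (constructed)\n")
    return triage(root, baseline)
```

Anything in `unexpected_scripts` or `modified` is a lead for incident response, not something to delete blindly; preserve the file and its timestamps for forensics before cleaning up.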