Citrix ADC zero-day exploitation: CISA releases details about attack on CI organization (CVE-2023-3519)
The exploitation of the Citrix NetScaler ADC zero-day vulnerability was first spotted by a critical infrastructure organization, which reported it to the Cybersecurity and Infrastructure Security Agency (CISA).
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim's Active Directory and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement," the agency shared in an advisory published on Thursday.
The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.
The security bulletin mentioned that "Exploits of CVE-2023-3519 on unmitigated appliances have been observed," but no additional details about the attacks, or about how to check whether an organization had been a target, had been publicly shared.
"As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time," German IT consultant Manuel Winkel said on July 19.
CISA's advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.
News URL
https://www.helpnetsecurity.com/2023/07/21/cve-2023-3519-exploitation/
Related Vulnerability

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2023-07-19 | CVE-2023-3519 | Code injection vulnerability in Citrix products: unauthenticated remote code execution | 9.8 |