Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action
The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller and Gateway devices is being abused to drop web shells on vulnerable systems.
"In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said.
"The web shell enabled the actors to perform discovery on the victim's active directory and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement."
In the incident analyzed by CISA, the web shell is said to have enabled the collection of NetScaler configuration files, NetScaler decryption keys, and AD information, after which the data was transmitted as a PNG image file.
The adversary's subsequent attempts to move laterally across the network, run commands to identify accessible targets, and verify outbound network connectivity were thwarted by robust network segmentation practices, the agency noted, adding that the actors also attempted to delete their artifacts to cover their tracks.
Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for threat actors looking to obtain privileged access to targeted networks.
News URL
https://thehackernews.com/2023/07/citrix-netscaler-adc-and-gateway.html