Threat actors have breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week.
The Cybersecurity and Infrastructure Security Agency (CISA) says that the attack occurred in June and hackers used their access to steal Active Directory data.
Hackers exfiltrated AD data
In an advisory this week, CISA warns that hackers leveraged the unauthenticated remote code execution (RCE) flaw to plant a webshell on the target’s non-production NetScaler Application Delivery Controller (ADC) appliance.
The backdoor enabled the attacker to discover Active Directory (AD) objects, which include users, groups, applications, and devices on the network, as well as steal AD data.
Because the targeted NetScaler ADC appliance was in a segregated environment on the network, the hackers were not able to move laterally to a domain controller, CISA says.
CISA has released an advisory with tactics, techniques, and procedures (TTPs) along with detection methods to help organizations, particularly those in the critical infrastructure segment, determine if their systems were compromised.
During the initial exploit stage, the hackers uploaded to the vulnerable appliance a TGZ archive with a generic webshell, a discovery script, and a setuid binary.
They did SMB scanning on the subnet and used the webshell to check and exfiltrate Active Directory inventory, with a particular interest in:
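As an added illustration of the kind of host-based check that CISA's detection guidance is aimed at (example code written for this page, not CISA's, Citrix's or the advisory's own tooling): walk an appliance's filesystem and flag two of the artifacts described above, web-served script files modified after the last patch install (a planted webshell) and any setuid/setgid binaries. The web root name `www`, the script extensions and the sample directory tree are assumptions constructed here so the script runs offline; on a real appliance you would point it at the appliance's actual web directories and the timestamp of the last known-good install.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: top-level directories that the appliance's web server serves from.
WEB_ROOTS = ("www",)
# Assumption: file types a webshell on such an appliance is likely to use.
WEB_EXTENSIONS = (".php", ".pl", ".sh")


@dataclass
class Finding:
    path: str
    reason: str


def triage(root: str, patch_time: float) -> List[Finding]:
    """Walk `root` and report (a) script files under a web root whose mtime is
    later than `patch_time` and (b) regular files with the setuid or setgid bit.
    Symlinks are not followed, so an attacker-planted link cannot redirect the scan."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        in_web_root = rel_dir.split(os.sep)[0] in WEB_ROOTS
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(Finding(full, "setuid/setgid binary"))
            if (in_web_root and name.lower().endswith(WEB_EXTENSIONS)
                    and st.st_mtime > patch_time):
                findings.append(Finding(full, "web script newer than last patch"))
    return findings


def build_sample_tree() -> Tuple[str, float]:
    """Construct a throwaway directory tree that mimics an appliance after the
    intrusion described in the article: one legitimate old page, one freshly
    dropped script in the web root, one setuid helper, one benign new text file."""
    root = tempfile.mkdtemp(prefix="appliance-")
    now = time.time()
    patch_time = now - 7 * 86400          # pretend the last patch was a week ago
    os.makedirs(os.path.join(root, "www", "upload"))
    os.makedirs(os.path.join(root, "tmp"))

    legit = os.path.join(root, "www", "index.php")
    with open(legit, "w") as fh:
        fh.write("<?php echo 'login'; ?>\n")
    os.utime(legit, (patch_time - 30 * 86400, patch_time - 30 * 86400))  # predates patch

    dropped = os.path.join(root, "www", "upload", "ns.php")  # constructed webshell stand-in
    with open(dropped, "w") as fh:
        fh.write("<?php /* placeholder, no executable logic */ ?>\n")

    helper = os.path.join(root, "tmp", "helper")            # constructed setuid binary stand-in
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o4755)

    with open(os.path.join(root, "tmp", "notes.txt"), "w") as fh:
        fh.write("new but harmless\n")                      # new, but not a web script
    return root, patch_time


def run_demo() -> Dict[str, str]:
    """Build the sample tree, triage it, and return {relative path: reason}."""
    root, patch_time = build_sample_tree()
    return {os.path.relpath(f.path, root).replace(os.sep, "/"): f.reason
            for f in triage(root, patch_time)}


if __name__ == "__main__":
    for path, reason in sorted(run_demo().items()):
        print(f"{reason:32} {path}")
```

The mtime check is only a first pass: an intruder who can write to the web root can also backdate timestamps, so it should be paired with a hash comparison against a known-good install and a review of the appliance's access logs, which is where the TTPs in CISA's advisory come in.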