An as-yet unidentified, espionage-oriented hacker group, suspected to be affiliated with the Chinese government, is reportedly behind recent attacks on Citrix NetScaler Application Delivery Controller (ADC) appliances that exploited a now-patched zero-day flaw.
Researchers have raised concerns that roughly 15,000 NetScaler ADC and NetScaler Gateway servers are exposed to similar attacks, exploiting the remote code execution (RCE) vulnerability known as CVE-2023-3519.
Citrix issued a patch for the bug last week, soon after the Cybersecurity and Infrastructure Security Agency (CISA) reported the flaw was exploited in June to misappropriate Microsoft Active Directory permissions and seize data from an undisclosed critical infrastructure organization.
In a recent blog post, cybersecurity firm Mandiant declared it was “actively engaged in investigations surrounding recently breached ADC appliances, fully patched during the time of exploitation.”
Although the current evidence is insufficient to identify the culprits, Mandiant said that its historical research into similar intrusions, including attacks on the same appliances last year, correlates with the methods of threat actors associated with China.
In December 2022, Citrix had patched a similar vulnerability in its ADC and Gateway appliances, which were actively targeted. Concurrently, the National Security Agency issued an advisory about APT5 – a threat group with apparent ties to the Chinese government, notorious for stealing U.S. and Asian telecom and military application technologies – and its active targeting of Citrix ADC instances.
Over the years, Mandiant has investigated numerous intrusions at defense, government, technology, and telecommunications organizations, where suspected China-affiliated groups exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and secure long-term access.
Separately, the Shadowserver Foundation expressed concern that around 15,000 NetScaler servers could be prone to exploitation due to a lack of patching. The nonprofit security organization’s count is based on Citrix’s removal of version hash information in recent revisions, meaning servers that still expose a version hash are assumed to be unpatched.
Mandiant stressed the risks associated with successful exploitation of vulnerabilities in internet-connected edge devices, including ADCs, which could allow threat actors initial access without requiring human interaction.
In an advisory about the critical infrastructure organization attack, CISA highlighted the attackers’ use of a web shell on the victim’s ADC, enabling them to explore the Active Directory and extract data.
Mandiant found a web shell on one of the compromised appliances it analyzed, alongside six additional web shells and malicious Executable and Linkable Format (ELF) files. The threat actors reportedly installed a persistent tunneler that provides encrypted reverse TCP/TLS connections to a predetermined command-and-control address.
The cybersecurity firm has recommended organizations promptly patch the vulnerability, evaluate the necessity of unrestricted internet access for their ADC or Gateway appliance management ports, and limit access where possible.
Given the sophistication of these attacks, Mandiant recommends a full rebuild of any exploited appliance, citing the likelihood that compromised components remain in place even after the upgrade process.