An unidentified espionage-focused hacking group believed to be aligned to the Chinese government is being blamed for recent attacks against Citrix NetScaler application delivery controller (ADC) appliances exploiting a now-patched zero-day bug.
In another development, researchers say at least 15,000 NetScaler ADC and NetScaler Gateway servers are exposed to attacks leveraging the same remote code execution (RCE) vulnerability, tracked as CVE-2023-3519.
Last week, Citrix released a patch for the bug and the Cybersecurity and Infrastructure Security Agency (CISA) revealed the flaw was exploited in June to steal Microsoft Active Directory permissions and control data from an unnamed critical infrastructure organization.
In a blog post published on Friday, Mandiant said it was “actively involved in investigations involving recently compromised ADC appliances that were fully patched at the time of exploitation”.
The cybersecurity firm said while it was not able to attribute responsibility for the attacks based on the evidence it had so far collected, research into previous hacking operations, including against the same appliances last year, showed the attacks were consistent with the work of espionage threat actors linked to China.
Mandiant’s researchers noted that in December 2022, Citrix reported and patched a similar vulnerability in its ADC and Gateway appliances that was being actively exploited. At the same time, the National Security Agency released an advisory detailing how APT5 — a threat group tied to the Chinese government and known for stealing telecommunications and military application technologies in the U.S. and Asia — had been actively targeting Citrix ADC instances.
“Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments,” the researchers said.
Over 15,000 NetScaler servers vulnerable
Meanwhile, the Shadowserver Foundation tweeted on Friday that it believed at least 15,000 NetScaler servers were vulnerable to the exploit because they had not been patched.
“We tag all IPs where we see a version hash in a Citrix instance. This is due [to the] fact that Citrix has removed version hash information in recent revisions,” the nonprofit security organization said.
“Thus [it’s] safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.”
In its post, Mandiant said if attackers successfully exploited vulnerabilities found in internet-connected “edge devices” – including ADCs – they could gain initial access to a system without requiring human interaction.
“Notably since at least 2021, cyber espionage threat actors have focused on edge devices, particularly security, networking, and virtualization technologies to gain persistent access to victim networks, while evading detection,” the researchers said.
Multiple web shells discovered
In its advisory about the attack on the critical infrastructure organization, CISA said the threat actors dropped a web shell on the victim’s non-production environment ADC. The web shell enabled the attackers to perform discovery on the victim organization’s Active Directory and collect and exfiltrate Active Directory data.
Mandiant said it located a web shell in a compromised appliance it analyzed, which it believed was placed there as part of the initial attach vector.
“The threat actor used the web shell to modify the NetScaler configuration. In particular, they attempted to deactivate the NetScaler High Availability File Sync (nsfsyncd),” the researchers said.
“Additionally, the threat actor attempted to remove processes from the Citrix Monitor configured within the file /etc/monitrc before finally killing the Monitor process.”
Mandiant identified six additional web shells as well as malicious executable and link format (ELF) files uploaded to the vulnerable appliance by the attackers after their initial exploitation.
The threat actors also installed a persistent tunneler on the appliance that “provided encrypted reverse TCP/TLS connections to a hard-coded command and control address,” the researchers said.
Protecting against the vulnerability
Mandiant said while the ADC bug had been exploited in the wild, the exploit code was not yet publicly available. It recommended organizations patched the vulnerability as soon as possible. They should also consider whether their ADC or Gateway appliance management ports required unrestricted internet access, and limit access if possible.
Any appliances that were found to have been exploited should be rebuild, the researchers said, given the sophistication of the attackers. “The ADC upgrade process overwrites some, but not all, of the directories where threat actors may create web shells, potentially leaving the appliance in a compromised state.”