https://www.scmagazine.com/news/cloud-security/china-backed-hackers-suspected-netscaler-rce-attacks
China-backed hackers suspected in NetScaler RCE attacks
Simon Hendery, July 24, 2023

An unidentified espionage-focused hacking group believed to be aligned to the Chinese government is being blamed for recent attacks against Citrix NetScaler application delivery controller (ADC) appliances exploiting a now-patched zero-day bug.

In another development, researchers say at least 15,000 NetScaler ADC and NetScaler Gateway servers are exposed to attacks leveraging the same remote code execution (RCE) vulnerability, tracked as CVE-2023-3519.

Last week, Citrix released a patch for the bug, and the Cybersecurity and Infrastructure Security Agency (CISA) revealed the flaw was exploited in June to steal Microsoft Active Directory permissions and control data from an unnamed critical infrastructure organization.

In a blog post published on Friday, Mandiant said it was “actively involved in investigations involving recently compromised ADC appliances that were fully patched at the time of exploitation.”

The cybersecurity firm said that while it was not able to attribute responsibility for the attacks based on the evidence it had so far collected, research into previous hacking operations, including against the same appliances last year, showed the attacks were consistent with the work of espionage threat actors linked to China.

Mandiant’s researchers noted that in December 2022, Citrix reported and patched a similar vulnerability in its ADC and Gateway appliances that was being actively exploited. At the same time, the National Security Agency released an advisory detailing how APT5 — a threat group tied to the Chinese government and known for stealing telecommunications and military application technologies in the U.S. and Asia — had been actively targeting Citrix ADC instances.

“Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments,” the researchers said.

Over 15,000 NetScaler servers vulnerable

Meanwhile, the Shadowserver Foundation tweeted on Friday that it believed at least 15,000 NetScaler servers were vulnerable to the exploit because they had not been patched.

“We tag all IPs where we see a version hash in a Citrix instance. This is due [to the] fact that Citrix has removed version hash information in recent revisions,” the nonprofit security organization said. “Thus [it’s] safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.”

In its post, Mandiant said that if attackers successfully exploited vulnerabilities found in internet-connected “edge devices” – including ADCs – they could gain initial access to a system without requiring human interaction.

“Notably since at least 2021, cyber espionage threat actors have focused on edge devices, particularly security, networking, and virtualization technologies to gain persistent access to victim networks, while evading detection,” the researchers said.

Multiple web shells discovered

In its advisory about the attack on the critical infrastructure organization, CISA said the threat actors dropped a web shell on the victim’s non-production environment ADC. The web shell enabled the attackers to perform discovery on the victim organization’s Active Directory and to collect and exfiltrate Active Directory data.

Mandiant said it located a web shell in a compromised appliance it analyzed, which it believed was placed there as part of the initial attack vector.

“The threat actor used the web shell to modify the NetScaler configuration. In particular, they attempted to deactivate the NetScaler High Availability File Sync (nsfsyncd),” the researchers said. “Additionally, the threat actor attempted to remove processes from the Citrix Monitor configured within the file /etc/monitrc before finally killing the Monitor process.”

Mandiant identified six additional web shells, as well as malicious Executable and Linkable Format (ELF) files, uploaded to the vulnerable appliance by the attackers after their initial exploitation. The threat actors also installed a persistent tunneler on the appliance that “provided encrypted reverse TCP/TLS connections to a hard-coded command and control address,” the researchers said.

Protecting against the vulnerability

Mandiant said that while the ADC bug had been exploited in the wild, exploit code was not yet publicly available. It recommended organizations patch the vulnerability as soon as possible. They should also consider whether their ADC or Gateway appliance management ports require unrestricted internet access, and limit access if possible.

Any appliances found to have been exploited should be rebuilt, the researchers said, given the sophistication of the attackers. “The ADC upgrade process overwrites some, but not all, of the directories where threat actors may create web shells, potentially leaving the appliance in a compromised state.”

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows.