July 2023 - SecurIT360

Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.

Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.

There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

At the time of writing, technical details about all three vulnerabilities are not publicly available.

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Vulnerable Products

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-65.36
NetScaler ADC 12.1-NDcPP before 12.65.36

Recommendation

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security Bulletin

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Resources & Related Articles

The CISA, FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory regarding cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. These attacks are exploiting a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-31199 (CVSSv3 score: 9.8 – Critical), in the Netwrix Auditor software to deliver Truebot. Threat actors are leveraging this flaw to gain initial access and move laterally within the compromised network.

Truebot is a botnet that is linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous malware variants of Truebot were primarily delivered by cyber threat actors via malicious phishing email attachments. However, recent versions allow them to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the main goal of the adversaries is to steal sensitive information from compromised systems for financial gain.

The malware has also been used alongside other malware in attacks. In several incidents, shortly after Truebot was executed, the Cobalt Strike tool was deployed for persistence and data exfiltration purposes. In addition, some phishing campaigns consisted of the FlawedGrace RAT being deployed only minutes after the Truebot malware was executed. Researchers have also found Truebot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information.

When an organization is infected with Truebot, it can quickly escalate to become a bigger infection, similarly to how ransomware spreads throughout a network. The change in delivery vector shows that attacks leveraging the malware are continuing to evolve.

CVE-2022-3199 Delivery Method for Truebot

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

We utilize several threat feeds that are updated frequently on a daily basis. 
In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.

EDR Services   

In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Mitigations

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.
CISA has posted guidelines and recommends organizations to mandate MFA for all staff and services.

MITRE Summary

Technique Title	ID	Use
Initial Access
Replication Through Removable Media	T1091	Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
Drive-by Compromise	T1189	Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
Exploit Public-Facing Application	T1190	Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.
Phishing	T1566.002	Truebot actors can send spear phishing links to gain initial access.
Execution
Command and Scripting Interpreter	T1059	Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
Shared Modules	T1129	Cyber threat actors can deploy malicious payloads through obfuscated share modules.
User Execution: Malicious Link	T1204.001	Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.
Persistence
Hijack Execution Flow: DLL Side-Loading	T1574.002	Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence.
Privilege Escalation
Boot or Logon Autostart Execution: Print Processors	T1547.012	FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.
Defense Evasion
Obfuscated Files or Information	T1027	Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID.
Obfuscated Files or Information: Binary Padding	T1027.001	Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
Masquerading: Masquerade File Type	T1036.008	Cyber threat actors hide Truebot malware as legitimate appearing file formats.
Process Injection	T1055	Truebot malware has the ability to load shell code after establishing a C2 connection.
Indicator Removal: File Deletion	T1070.004	Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
Modify Registry	T1112	FlawedGrace is able to modify registry programs that control the order that documents are loaded to a print que.
Reflective Code Loading	T1620	Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network.
Credential Access
OS Credential Dumping: LSASS Memory	T1003.001	Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping.
Discovery
System Network Configuration Discovery	T1016	Truebot malware scans and enumerates the affected system’s domain names.
Process Discovery	T1057	Truebot malware enumerates all running processes on the local host.
System Information Discovery	T1082	Truebot malware scans and enumerates the OS version information, and processor architecture. Truebot malware enumerates the affected system’s computer names.
System Time Discovery	T1124	Truebot has the ability to discover system time metrics, which aids in enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Software Discovery: Security Software Discovery	T1518.001	Truebot has the ability to discover software security protocols, which aids in defense evasion.
Debugger Evasion	T1622	Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses.
Lateral Movement
Exploitation of Remote Services	T1210	Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.
Use Alternate Authentication Material: Pass the Hash	T1550.002	Cyber threat actors use cobalt strike to authenticate valid accounts
Remote Service Session Hijacking	T1563.001	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Remote Service Session Hijacking: RDP Hijacking	T1563.002	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Lateral Tool Transfer	T1570	Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.
Collection
Data from Local System	T1005	Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.
Screen Capture	T1113	Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. Truebot gathers and compiles compromised system’s host and domain names.
Command and Control
Application Layer Protocol	T1071	Cyber threat actors use teleport exfiltration tool to blend exfiltrated data with network traffic.
Non-Application Protocol	T1095	Cyber threat actors use Teleport and FlawedGrace to send data over custom communication protocol.
Ingress Transfer Tool	T1105	Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.
Encrypted Channel: Asymmetric Cryptography	T1573.002	Cyber threat actors use Teleport to create an encrypted channel using AES.
Exfiltration
Scheduled Transfer	T1029	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Data Transfer Size Limits	T1030	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Exfiltration Over C2 Channel	T1048	Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

Indicators of Compromise

AA23-187A Truebot IOCs

Resources & Related Articles

Our Offices

Industries

Company

Help