Threat actors are currently exploiting critical vulnerabilities in Citrix NetScaler and WinRAR, posing a significant risk to a variety of targets, including government organizations.
In a recent report, Mandiant researchers documented ongoing exploitation of CVE-2023-4966 in Citrix's NetScaler ADC and NetScaler Gateway appliances. Separately, Google's Threat Analysis Group (TAG) identified government-backed hacking groups exploiting CVE-2023-38831 in WinRAR. Both flaws were used as zero-days: the NetScaler bug to hijack authenticated appliance sessions, and the WinRAR bug to execute malicious code on the systems of users who open a crafted archive.
Zero-Day Vulnerabilities in Citrix NetScaler and WinRAR
CVE-2023-4966 affects the following NetScaler ADC and NetScaler Gateway releases (every build earlier than the fixed build named for each branch):
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Citrix has also pointed out that the standard NetScaler ADC and NetScaler Gateway 12.1 release has reached End-of-Life (EoL), is affected by this issue, and will not receive a fix, so customers on that branch must move to a supported release. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
How Critical Are the Vulnerabilities?
CVE-2023-4966 carries a vendor-assigned CVSS score of 9.4 (NVD rates it 7.5) and has been exploited in the wild as a zero-day. The WinRAR vulnerability, CVE-2023-38831, is also rated high severity, with a CVSS score of 8.2.
Exploitation of CVE-2023-4966 has one precondition: the NetScaler appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Appliances used only for load balancing without either role are not exposed, but should still be patched.
Citrix's updated advisory confirms observed exploits against unmitigated appliances affected by CVE-2023-4966, which is why customers need to apply the fixed builds promptly.
Mandiant has identified active zero-day exploitation of CVE-2023-4966 dating back to late August 2023. The campaign has targeted organizations in the professional services and technology sectors as well as government entities.
On successful exploitation, attackers obtain valid authenticated session tokens and can hijack those sessions, which bypasses Multi-Factor Authentication (MFA) and any other strong authentication the user completed. The important caveat is that installing the fix for CVE-2023-4966 does not invalidate sessions that were already stolen: a hijacked session remains usable until it is terminated on the appliance.
Mandiant also reports cases in which threat actors exfiltrated session data before the patch was deployed and used it afterwards to access the environment through the now-patched appliance.
How to Protect NetScaler ADC and Gateway Appliances Against CVE-2023-4966?
Customers using NetScaler ADC and Gateway are strongly urged to promptly install the applicable updated versions to safeguard against potential exploitation. This includes:
- NetScaler ADC and NetScaler Gateway versions 14.1-8.50 and subsequent releases.
- NetScaler ADC and NetScaler Gateway versions 13.1-49.15 and subsequent releases within the 13.1 series.
- NetScaler ADC and NetScaler Gateway versions 13.0-92.19 and subsequent releases within the 13.0 series.
- NetScaler ADC 13.1-FIPS versions 13.1-37.164 and subsequent releases of 13.1-FIPS.
- NetScaler ADC 12.1-FIPS versions 12.1-55.300 and subsequent releases of 12.1-FIPS.
- NetScaler ADC 12.1-NDcPP versions 12.1-55.300 and subsequent releases of 12.1-NDcPP.
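As an added example (not Citrix's or Mandiant's tooling), the following Python script triages an appliance against the fixed builds listed above and the Gateway/AAA precondition described earlier, so that a fleet of `show version` and `show ns runningConfig` captures can be sorted into patched, vulnerable, and exposed. The line formats it parses and the sample inputs are assumptions constructed for illustration; compare them against your own appliance's output before relying on the result.

```python
"""Triage helper for CVE-2023-4966 exposure on NetScaler ADC / Gateway.

Added example, not vendor code. Two checks taken from the advisory text:
  1. is the running build at or above the fixed build for its branch, and
  2. is the appliance configured as a Gateway (VPN vserver, which also fronts
     ICA Proxy, CVPN and RDP Proxy) or as an AAA virtual server, which is the
     precondition for exploitation.
The 'show version' and 'show ns runningConfig' line shapes below are
assumptions modelled on typical NetScaler CLI output.
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int]

# Fixed builds per release branch, taken from the advisory list above.
FIXED_BUILDS: Dict[str, Build] = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Branch Citrix lists as End-of-Life: affected, and no fixed build exists.
EOL_BRANCHES = {"12.1"}

# Assumed 'show version' shape: "NetScaler NS13.1: Build 49.13.nc, Date: ..."
VERSION_RE = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+)\.(?P<rev>\d+)"
)

# Assumed config statements that create a Gateway or AAA virtual server.
GATEWAY_RE = re.compile(r"^add (vpn|authentication) vserver\b", re.MULTILINE)


def parse_show_version(text: str, variant: Optional[str] = None) -> Tuple[str, Build]:
    """Return (branch, (build, rev)) from 'show version' output.

    'variant' is "FIPS" or "NDcPP" for those firmware lines; they share the
    numeric branch with the standard release but have their own fixed builds.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("unrecognised 'show version' output")
    branch = m["branch"] + (f"-{variant}" if variant else "")
    return branch, (int(m["build"]), int(m["rev"]))


def has_gateway_or_aaa_vserver(running_config: str) -> bool:
    """True if the running config defines a VPN (Gateway) or AAA vserver."""
    return GATEWAY_RE.search(running_config) is not None


def assess(branch: str, build: Build, running_config: str) -> str:
    """Classify one appliance against CVE-2023-4966."""
    if branch in EOL_BRANCHES:
        verdict = "vulnerable (EoL branch, no fixed build; upgrade to a supported branch)"
    elif branch not in FIXED_BUILDS:
        return "unknown branch; check the vendor advisory"
    elif build >= FIXED_BUILDS[branch]:  # tuple compare: 49.15 > 49.9, unlike a string compare
        return "patched"
    else:
        verdict = "vulnerable"
    if not has_gateway_or_aaa_vserver(running_config):
        verdict += " but not exploitable as configured (no Gateway/AAA vserver); patch anyway"
    return verdict


# Constructed sample inputs (not captured from a real appliance).
SAMPLE_VERSION = "NetScaler NS13.1: Build 49.13.nc, Date: Sep 19 2023, 10:00:00   (64-bit)"
SAMPLE_CONFIG = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add lb vserver web_vs HTTP 192.0.2.20 80
add vpn vserver gw_vs SSL 192.0.2.30 443
"""

if __name__ == "__main__":
    branch, build = parse_show_version(SAMPLE_VERSION)
    print(branch, build, assess(branch, build, SAMPLE_CONFIG))
```

A verdict of "patched" only means the build is no longer vulnerable; as noted above, sessions hijacked before the upgrade stay valid until they are terminated on the appliance, so the version check is the first step of remediation, not the last.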
Patching is the primary fix, but it is not sufficient on its own. Mandiant has published remediation guidance covering the steps that should accompany the upgrade, along with interim measures for appliances that cannot be updated immediately:
- Restrict ingress to vulnerable appliances so that only trusted or predefined source IP address ranges can reach the Gateway or AAA virtual servers.
- After upgrading, terminate all active and persistent sessions on each appliance, since session tokens stolen before the patch remain valid until they are killed. Connect to the appliance's Command-Line Interface (CLI) and run:
clear lb persistentSessions <vServer>
Citrix's bulletin for CVE-2023-4966 lists the accompanying commands to terminate the remaining session types (ICA, RDP, PCoIP and AAA):
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
- Rotate credentials for identities that authenticated through a vulnerable NetScaler ADC or Gateway appliance. Where there is evidence of suspicious activity or lateral movement, widen the rotation to the broader set of identities that may have been reached from the compromised sessions.
- If web shells or backdoors are found on a NetScaler appliance, rebuild it from a clean-source image with the latest firmware. If you must restore from a backup image, review the backed-up configuration carefully for persistence mechanisms before putting it back into service.
Campaigns Exploiting CVE-2023-38831 in WinRAR
According to Google TAG's report, several state-backed groups have used this vulnerability in campaigns against a range of organizations:
In a recent campaign, the threat group FROZENBARENTS (also known as SANDWORM), affiliated with the Russian GRU, assumed the identity of a Ukrainian drone warfare training school. They employed an email lure to distribute a seemingly harmless PDF document alongside a malicious ZIP file that exploited CVE-2023-38831. The payload was a Rhadamanthys infostealer, a commercially available tool, which Google noted as an atypical choice for this group.
In a separate incident, FROZENLAKE (also referred to as APT28), also linked to the Russian GRU, directed their efforts toward Ukrainian government organizations in a spear-phishing campaign exploiting CVE-2023-38831. They utilized a free hosting provider to disseminate the exploit, redirecting users to a mockbin site for location verification before delivering the malicious file. The decoy document took the form of an event invitation from the Razumkov Centre, a Ukrainian think tank.
Notably, FROZENLAKE added a new technique to its toolkit in this campaign: the exploit archive, named "IOC_09_11.rar", established a reverse SSH shell and ran the IRONJAW script through PowerShell. IRONJAW steals browser login data and local state directories and sends them to a command-and-control server.
In a different context, the group ISLANDDREAMS (also known as APT40), linked to China, leveraged CVE-2023-38831 in a campaign targeting Papua New Guinea. Their phishing emails included a Dropbox link to a ZIP archive housing the exploit, a password-protected decoy PDF, and an LNK file.