Threat Advisory: Citrix ADC/Netscaler Breach Activity
May 19, 2020
Herjavec Group has been investigating a spike in Citrix ADC/NetScaler breaches following the public release of exploit code for CVE-2019-19781, which affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway.
The scope of this vulnerability includes Citrix ADC and Citrix Gateway virtual appliances (VPX) hosted on Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS or GCP, and those running on a Citrix ADC SDX service delivery appliance. Further investigation by Citrix has shown that the issue also affects certain deployments of Citrix SD-WAN, specifically the Citrix SD-WAN WANOP edition, which packages Citrix ADC as a load balancer and is therefore affected as well.
Compounding the threat, a working exploit was published on GitHub by a group calling itself Project Zero India roughly four months ago, and overlapping indicators of compromise (IoCs) suggest that multiple actors are using it. Reports of internet-wide scanning and the resulting NetScaler breaches across different sectors have begun to surface on social media and news sites.
Herjavec Group's Security Operations Center is on high alert and is closely monitoring events affecting Managed Security Services customers that use NetScaler in their environments.
The following mitigation recommendations should be followed:
- All enterprises should ensure their patch and vulnerability management programs include their NetScalers.
- Since mass scanning for vulnerable NetScalers on the Internet is being detected, HG urges enterprises to immediately upgrade to a fixed build OR apply the mitigation provided by Citrix, which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments.
- Enterprises that choose to apply the mitigation first should still upgrade all vulnerable appliances to a fixed build at the earliest opportunity. Detailed mitigation steps are published by Citrix.
Please note that the tool made available by Citrix does not confirm whether a NetScaler was compromised before the mitigation was applied, so each appliance should be examined for the following indicators of compromise:
- Outbound traffic to known TOR nodes originating from the NetScalers
- Running processes on the NetScalers by user ‘nobody’
- Unauthorized changes to the /etc/crontab that adds the execution of scripts to monitor and clear the /var/log directory
- Traffic associated with Go-based remote access tools (RATs), particularly NOTROBIN, and/or cryptocurrency miners running on the NetScalers (particularly Monero miners)
- XML files created in the /netscaler/portal/templates directory
- Exploit artifacts or unexpected scripts in /netscaler/portal/scripts/
- Files or directories created in /var/nstmp/.nscache/
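The following script, added here as an illustration and not part of the Herjavec Group advisory or any Citrix tooling, turns the indicator list above into read-only checks written for the FreeBSD /bin/sh found on a NetScaler. Each function reads from a file path or from stdin, so the same checks run on a live appliance, on a mounted disk image, or, as at the bottom of the script, on a constructed sample tree. The "suspicious command" pattern, the crontab heuristics, the Tor address list and the sample ps/netstat captures are assumptions for illustration; a real hunt would use a current Tor node list and a baseline of the appliance's normal processes.

```shell
#!/bin/sh
# Added example (not from the advisory): read-only hunt for the IoCs above.
# Usage on a live appliance:  sh hunt.sh           (then call the functions)
# Offline demonstration:      sh hunt.sh demo      (uses constructed data)

# 1. Processes owned by 'nobody' (the web server user) that look like
#    post-exploitation activity: interpreters, download tools, or binaries
#    living under /var or /tmp. Input: `ps -axo user,pid,command` on stdin.
#    The pattern is a heuristic chosen for this example.
suspicious_nobody_procs() {
    awk '$1 == "nobody" && ($3 ~ /^\/(var|tmp)\// ||
         $3 ~ /(^|\/)(sh|bash|perl|python|nc|curl|wget|fetch)$/) { print }'
}

# 2. crontab entries that touch /var/log or run from writable locations,
#    the persistence and log-clearing pattern described above.
#    Argument: path to the crontab file. Comments and blank lines are skipped.
crontab_suspects() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -E '/var/log|/var/nstmp|/var/tmp|/tmp/'
}

# 3. XML files written into the portal templates directory.
#    Argument: filesystem root ("" for the live appliance, or a mount point).
template_xml_files() {
    find "$1/netscaler/portal/templates" -type f -name '*.xml' 2>/dev/null
}

# 4. Anything at all under the hidden cache directory used by NOTROBIN.
nscache_files() {
    find "$1/var/nstmp/.nscache" -mindepth 1 2>/dev/null
}

# 5. Established connections to addresses in a Tor node list.
#    Argument: file with one IPv4 address per line; `netstat -an` on stdin.
#    FreeBSD netstat prints "addr.port", so the fifth dotted field is the port.
tor_connections() {
    awk -v list="$1" '
        BEGIN { while ((getline ip < list) > 0) tor[ip] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($5, a, ".")
            ip = a[1] "." a[2] "." a[3] "." a[4]
            if (n == 5 && ip in tor) print
        }'
}

# Constructed sample tree (not real appliance data) so the script runs offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/netscaler/portal/templates" "$d/var/nstmp/.nscache"
    printf 'SHELL=/bin/sh\n# legitimate entry\n0 1 * * * root /usr/sbin/newsyslog\n* * * * * nobody /var/nstmp/.nscache/httpd\n*/5 * * * * nobody /var/tmp/.clean.sh > /dev/null 2>&1\n' > "$d/etc/crontab"
    printf '<xml></xml>\n' > "$d/netscaler/portal/templates/1579000000.xml"
    : > "$d/var/nstmp/.nscache/httpd"
    printf '198.51.100.9\n203.0.113.7\n' > "$d/tor_nodes.txt"
    echo "$d"
}

# Constructed captures in the format of `ps -axo user,pid,command` and `netstat -an`.
SAMPLE_PS='USER   PID COMMAND
root     1 /sbin/init
nobody 812 /usr/sbin/httpd -k start
nobody 915 /var/nstmp/.nscache/httpd
nobody 920 perl /var/tmp/xmr.pl'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.0.5.44212 203.0.113.7.9001 ESTABLISHED
tcp4 0 0 10.0.0.5.443 192.0.2.10.51234 ESTABLISHED
udp4 0 0 10.0.0.5.514 *.*'

if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_root)
    echo "== nobody processes";  printf '%s\n' "$SAMPLE_PS" | suspicious_nobody_procs
    echo "== crontab";           crontab_suspects "$root/etc/crontab"
    echo "== template XML";      template_xml_files "$root"
    echo "== .nscache";          nscache_files "$root"
    echo "== Tor connections";   printf '%s\n' "$SAMPLE_NETSTAT" | tor_connections "$root/tor_nodes.txt"
    rm -rf "$root"
fi
```

Against the constructed data the demo flags the two non-Apache processes running as nobody, the two crontab lines that run from /var/nstmp and /var/tmp, the dropped template XML, the hidden .nscache binary, and the one established connection to a listed Tor address. Any hit is a reason to preserve the appliance (disk image and volatile data) before rebuilding rather than simply applying the mitigation.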
HG will continue to monitor this evolving situation and reach out with new IoCs as they are identified.
For existing MSS customers, HG can assist in proactively implementing the mitigation strategies suggested.
If you believe your Citrix environment has been impacted by this vulnerability, Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.
Herjavec Group also continues to track COVID-19 related cyberattacks and maintains a resource center covering COVID-19 related threats and malware types, together with a summary of IoCs and domains specific to COVID-19.