Detecting Compromises of NetScaler (Citrix) ADC and Gateway with NetFlow
By Netography Team
Last week we learned about in-the-wild attack activity targeting a previously undisclosed remote code execution vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway (CVE-2023-3519).
Everyone who uses the affected products is interested in assessing whether or not their organization was targeted. As is often the case, we don’t know exactly how long threat actors have been aware of this vulnerability, although attacks have been happening since at least June.
NetFlow can be a powerful tool for answering these kinds of questions because it allows us to rewind the clock and look for records of suspicious network activity associated with hosts that may have been compromised in the past. Even when these searches come up empty, they can provide peace of mind.
There have been several bulletins published by organizations who have investigated these incidents with details of the behaviors that were engaged in once these systems were compromised. These behaviors are relatively easy to identify in NetFlow.
The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) published this advisory, which describes a number of network behaviors to look for.
As part of their initial exploit chain, the threat actors… conducted SMB scanning on the subnet…
The actors attempted to:
Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
Verified outbound network connectivity with a ping command (ping -c 1 google.com).
An analysis from Mandiant adds some valuable additional context (emphasis ours):
Mandiant observed authentication attempts by the threat actor sourced from NSIPs of impacted Netscalers both via Remote Desktop Protocol (RDP) logons and network logons to endpoints within the victim’s environment. Additional information recorded in these events may capture both hostnames and IP addresses belonging to attacker infrastructure to further pivot and hunt for in the environment. It is unexpected and suspicious to observe traffic to the internal network and miscellaneous (non-Citrix) Internet IP addresses from the NSIP of an appliance.
In Netography, there are NDM events that may have fired if this sort of activity was observed, including port_445_scanning_internal.
You can search for these events triggering against the NSIP address of a NetScaler using the event search tab with the following search syntax:
algorithm == port_445_scanning_internal && ipinfo.srcip == true && ipinfo.ip == [NSIP Address]
In addition, it is easy to search NetFlow records using a NSIP address to look for suspicious traffic.
For example, this search will surface ICMP traffic:
srcip == [NSIP Address] && protocol == icmp
This one will search for RDP:
srcip == [NSIP Address] && dstport == 3389
Public disclosure of attack activity “after the fact” is a fairly common occurrence these days. In fact, post-compromise detection is becoming a more and more critical part of what Martin Roesch calls the “threat continuum.”
Every security team should have a searchable record of network metadata that is comprehensive of both cloud and on-prem environments as part of their investigative toolkit. If your organization has gaps in its network visibility, please reach out to Netography and let us see what we can do to help.