Latest Citrix Virtual Apps and Desktops 7 Advanced Administration Braindumps with Actual Questions

Hundreds of Citrix Endpoints Compromised With Webshells

Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.

The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.

The biggest number of impacted IPs are based in Germany, followed by France and Switzerland.

As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.

Subscribe to the Infosecurity Magazine newsletter here. 

The unauthenticated remote code execution vulnerability was patched by Citrix on July 15 and has a CVSS score of 9.8.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.

The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.

Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface

The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”

That attack happened back in June 2023.

Editorial image credit: Ken Wolter / Shutterstock.com

Anonymous Sources

Transparency is critical to our credibility with the public and our subscribers. Whenever possible, we pursue information on the record. When a newsmaker insists on background or off-the-record ground rules, we must adhere to a strict set of guidelines, enforced by AP news managers.

 Under AP's rules, material from anonymous sources may be used only if:

 1. The material is information and not opinion or speculation, and is vital to the report.

 2. The information is not available except under the conditions of anonymity imposed by the source.

 3. The source is reliable, and in a position to have direct knowledge of the information.

 Reporters who intend to use material from anonymous sources must get approval from their news manager before sending the story to the desk. The manager is responsible for vetting the material and making sure it meets AP guidelines. The manager must know the identity of the source, and is obligated, like the reporter, to keep the source's identity confidential. Only after they are assured that the source material has been vetted by a manager should editors and producers allow it to be used.

 Reporters should proceed with interviews on the assumption they are on the record. If the source wants to set conditions, these should be negotiated at the start of the interview. At the end of the interview, the reporter should try once again to move onto the record some or all of the information that was given on a background basis.

 The AP routinely seeks and requires more than one source when sourcing is anonymous. Stories should be held while attempts are made to reach additional sources for confirmation or elaboration. In rare cases, one source will be sufficient – when material comes from an authoritative figure who provides information so detailed that there is no question of its accuracy.

 We must explain in the story why the source requested anonymity. And, when it’s relevant, we must describe the source's motive for disclosing the information. If the story hinges on documents, as opposed to interviews, the reporter must describe how the documents were obtained, at least to the extent possible.

The story also must provide attribution that establishes the source's credibility; simply quoting "a source" is not allowed. We should be as descriptive as possible: "according to top White House aides" or "a senior official in the British Foreign Office." The description of a source must never be altered without consulting the reporter.

 We must not say that a person declined comment when that person the person is already quoted anonymously. And we should not attribute information to anonymous sources when it is obvious or well known. We should just state the information as fact.

Stories that use anonymous sources must carry a reporter's byline. If a reporter other than the bylined staffer contributes anonymous material to a story, that reporter should be given credit as a contributor to the story.

 All complaints and questions about the authenticity or veracity of anonymous material – from inside or outside the AP – must be promptly brought to the news manager's attention.

 Not everyone understands “off the record” or “on background” to mean the same things. Before any interview in which any degree of anonymity is expected, there should be a discussion in which the ground rules are set explicitly.

These are the AP’s definitions:

On the record. The information can be used with no caveats, quoting the source by name.

Off the record. The information cannot be used for publication. Background. The information can be published but only under conditions negotiated with the source. Generally, the sources do not want their names published but will agree to a description of their position. AP reporters should object vigorously when a source wants to brief a group of reporters on background and try to persuade the source to put the briefing on the record.

Deep background. The information can be used but without attribution. The source does not want to be identified in any way, even on condition of anonymity.

In general, information obtained under any of these circumstances can be pursued with other sources to be placed on the record.

ANONYMOUS SOURCES IN MATERIAL FROM OTHER NEWS SOURCES

Reports from other news organizations based on anonymous sources require the most careful scrutiny when we consider them for our report.

AP's basic rules for anonymous source material apply to material from other news outlets just as they do in our own reporting: The material must be factual and obtainable no other way. The story must be truly significant and newsworthy. Use of anonymous material must be authorized by a manager. The story we produce must be balanced, and comment must be sought.

Further, before picking up such a story we must make a bona fide effort to get it on the record, or, at a minimum, confirm it through our own reporting. We shouldn't hesitate to hold the story if we have any doubts. If another outlet’s anonymous material is ultimately used, it must be attributed to the originating news organization and note its description of the source.

ATTRIBUTION

 Anything in the AP news report that could reasonably be disputed should be attributed. We should give the full name of a source and as much information as needed to identify the source and explain why the person s credible. Where appropriate, include a source's age; title; name of company, organization or government department; and hometown. If we quote someone from a written document – a report, email or news release -- we should say so. Information taken from the internet must be vetted according to our standards of accuracy and attributed to the original source. File, library or archive photos, audio or videos must be identified as such. For lengthy stories, attribution can be contained in an extended editor's note detailing interviews, research and methodology.

Citrix NetScaler users told to patch new zero-day urgently

A zero-day vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway appears to be being exploited by an unspecified advanced persistent threat (APT) actor backed by the Chinese government and should be patched immediately.

Per Citrix’s initial advisory released on Tuesday 18 July, the three vulnerabilities patched by Citrix affect multiple versions of the NetScaler ADC (previously Citrix ADC) and NetScaler Gateway (previously Citrix Gateway) lines.

They are tracked as CVE-2023-3466, a reflected cross-site scripting flaw; CVE-2023-3467, a privilege escalation vulnerability; and CVE-2023-3519, an unauthenticated remote code execution (RCE) bug.

Of these, the issue of concern is the RCE vulnerability, CVE-2023-3519, which carries a CVSS score of 9.8, and it is this bug that was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list on 20 July.

The addition of a vulnerability to the KEV list mandates that US government bodies must address it by a set date. It carries no weight beyond this, but inclusion on this list is a sure sign that attention should be paid by all organisations.

According to the CISA, the threat actor exploited CVE-2023-3519 to drop a webshell on a non-production environment NetScaler ADC appliance owned by an operator of critical national infrastructure (CNI).

The RCE vulnerability, CVE-2023-3519, carries a CVSS score of 9.8 and was added to the US CISA’s Known Exploited Vulnerabilities list on 20 July. Inclusion on this list is a sure sign that attention should be paid by all organisations

Using this webshell, the actor then attempted to perform discovery actions on the victim’s active directory (AD) and exfiltrate data from it. They then tried to move laterally to a domain controller, but were thwarted in this instance when the appliance’s network-segmentation controls kicked in.

In this instance, the victim organisation was able to swiftly identify the compromise and duly reported the incident to both CISA and Citrix.

Assessing the impact of CVE-2023-3519, researchers at Mandiant, which played a key role in the initial investigation, said that because ADC devices are predominantly used in the IT sector and form a vital component of enterprise cloud datacentres, when it comes to ensuring the optimal delivery of enterprise applications, they present a tempting target.

However, wrote the analyst team, comprising James Nugent, Foti Castelan, Doug Bienstock, Justin Moore and Josh Murchie, Chinese threat actors often target devices that sit at the edge of the network because they can be harder to monitor, and very often don’t support intrusion detection solutions.

“Mandiant cannot attribute this activity based on the evidence collected thus far,” the team wrote. “However, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADCs in 2022.

“The evolution of the China-nexus cyber threat landscape has evolved to such an extent that its ecosystem mirrors more closely that of financial crime clusters, with connections and code overlap not necessarily offering the comprehensive picture.”

Beyond applying the patch, Mandiant is additionally recommending that if any affected appliances are found to have been exploited, they should be rebuilt immediately. This upgrade process will overwrite some, but not all, of the directories where threat actors may drop webshells.

Security teams may also wish to re-evaluate whether or not their ADC or Gateway appliances’ management ports need unrestricted internet access, and limit access to only necessary IP addresses, which would make post-exploitation activities harder going forward.

Based on some of the other tactics, techniques and procedures (TTPs) outlined in Mandiant’s write-up, the research team is also recommending that affected organisations rotate all secrets stored in the configuration file, and any private keys or certificates useable for transport layer security (TLS) connections.

They may also wish to harden susceptible accounts in the domain to protect against credential exposure and limit a threat actor’s ability to obtain credentials for lateral movement.