Blog entry by Les Bell

by Les Bell - Thursday, August 17, 2023, 9:57 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Citrix NetScaler ADC Exploitation - Almost 2,000 Machines Back-Doored

Back in mid-July, we brought you news of a Citrix security bulletin advising of patches for three significant vulnerabilities in the company's Netscaler application delivery controller. One of these, CVE-2023-3519, is a particularly nasty unauthenticated remote code execution vulnerability, with a CVSS score of 9.8 - clearly, something that should be addressed urgently.

Apparently, a large number of administrators didn't get the message: security researchers at consulting firm Fox-IT (part of the NCC Group), working in conjunction with the Dutch Institute for Vulnerability Disclosure (DIVD), have found over 1,800 NetScaler ADCs which have been backdoored. In some cases - 1,248 cases, to be precise - the CVE-2023-3519 patch had been installed, but only after an adversary had exploited the system and installed a web shell.

A campaign to exploit CVE-2023-3519 was already underway at the time that Citrix developed and released the patch, although the exact nature of the exploitation was not made public. However, a number of security firms started digging, and Mandiant released an informative blog post just a couple of days later, detailing their discovery of a small PHP web shell located in /var/vpn/themes, and just 113 bytes in size, which appeared to be a component of the initial exploitation. They also identified a number of malicious ELF binaries and a total of six different web shells on exploited Netscaler appliances.

Mandiant has also now published a scanning tool which uses a list of IOCs to identify NetScalers that have been compromised using CVE-2023-3519.

Meanwhile, Fox-IT and the DIVD had been doing similar work, and they have now released their findings. To quote their report:

Most apparent from our scanning results is the percentage of patched NetScalers that still contain a backdoor. At the time of writing, approximately 69% of the NetScalers that contain a backdoor are not vulnerable anymore to CVE-2023-3519. This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a non-vulnerable version, they have not been (properly) checked for signs of successful exploitation.

This illustrates a major problem with defensive patch management: by the time a patch is released, active exploitation may already be under way (especially when the patch was developed in response to reports of a 0-day attack), so admins may, in fact, be applying the patch to systems that have already been compromised. Even a short delay in patching increases the likelihood of this occurring, since once a patch is released, threat actors immediately set to work reverse-engineering it in order to develop their own exploits.

The lesson: patching is necessary but not sufficient. It must be complemented by other techniques, including monitoring and scanning for indicators of compromise, to verify that systems have not already been compromised.
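As an added illustration of that lesson (example code written for this briefing, not Mandiant's or Fox-IT's scanner), the following Go program scans a themes directory of the kind mentioned above for the two signals the reports describe: PHP files sitting where only static assets belong, and files whose SHA-256 digest matches an IOC list. It also records when a flagged file's modification time predates the patch, which is exactly the "patched but still backdoored" case Fox-IT counted. The directory, file contents, IOC hash and patch time are all constructed for the demo; nothing here is a real indicator, and on a real appliance the root would be /var/vpn/themes rather than a temporary directory.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Finding records one reason a file was flagged.
type Finding struct {
	Path   string
	Reason string
}

// sha256Hex returns the lowercase hex SHA-256 digest of data.
func sha256Hex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// ScanThemes walks root and flags: any .php file (a themes directory should hold
// static assets only), any file whose SHA-256 is on the IOC list, and any flagged
// file whose mtime predates patchedAt (it survived the patch untouched).
func ScanThemes(root string, iocHashes map[string]string, patchedAt time.Time) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		flagged := false
		if strings.EqualFold(filepath.Ext(path), ".php") {
			flagged = true
			findings = append(findings, Finding{path, fmt.Sprintf("PHP file (%d bytes) in a static themes directory", info.Size())})
		}
		if label, ok := iocHashes[sha256Hex(data)]; ok {
			flagged = true
			findings = append(findings, Finding{path, "SHA-256 matches IOC " + label})
		}
		if flagged && info.ModTime().Before(patchedAt) {
			findings = append(findings, Finding{path, "already present before the patch was applied"})
		}
		return nil
	})
	return findings, err
}

// placeholderPHP is constructed sample content standing in for a web shell.
const placeholderPHP = "<?php /* constructed placeholder for this example, not a web shell */ ?>"

// SamplePatchTime is the constructed moment the patch was applied in the demo.
var SamplePatchTime = time.Date(2023, time.July, 20, 0, 0, 0, 0, time.UTC)

// SampleIOCs is the demo's IOC list: only the hash of the constructed placeholder.
var SampleIOCs = map[string]string{sha256Hex([]byte(placeholderPHP)): "constructed-ioc-1"}

// BuildSampleTree writes a constructed themes directory under dir: a benign
// stylesheet plus a tiny PHP file back-dated to three days before the patch.
func BuildSampleTree(dir string) error {
	if err := os.WriteFile(filepath.Join(dir, "theme.css"), []byte("body { color: #333; }\n"), 0o644); err != nil {
		return err
	}
	shell := filepath.Join(dir, "placeholder.php")
	if err := os.WriteFile(shell, []byte(placeholderPHP), 0o644); err != nil {
		return err
	}
	before := SamplePatchTime.Add(-72 * time.Hour)
	return os.Chtimes(shell, before, before)
}

func main() {
	dir, err := os.MkdirTemp("", "themes-scan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err = BuildSampleTree(dir); err != nil {
		panic(err)
	}
	findings, err := ScanThemes(dir, SampleIOCs, SamplePatchTime)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```

The third finding is the one that matters for the Fox-IT statistic: a file that was already in place before the patch went on is precisely what a patch-only response leaves behind, and only a separate scan surfaces it.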

Citrix, Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467, security bulletin, 18 July 2023. Available online at https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467.

Nugent, James et al., Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519), blog post, 21 July 2023. Available online at https://www.mandiant.com/resources/blog/citrix-zero-day-espionage.

Mandiant, Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519), blog post, 14 August 2023. Available online at https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner.

Fox-IT, Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign, blog post, 15 August 2023. Available online at https://blog.fox-it.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/.

NIST Drops CSF 2.0 Exploration Tool

Only yesterday, we discussed the release of the draft 2.0 version of the NIST Cybersecurity Framework (CSF) and mentioned the impending release of a reference tool which would allow browsing, searching and export of the CSF core data in both human- and machine-readable formats. A later version of the tool will provide the informative references which link to Standards and other resources.

And, right on cue, here it is:

NIST, NIST Cybersecurity Framework (CSF) 2.0 Reference Tool, August 2023. Available online at https://csrc.nist.gov/Projects/cybersecurity-framework/Filters#/csf/filters.

Google Develops Post-Quantum Security Keys

We are strong proponents of the use of FIDO U2F security keys as the strongest variant of multi-factor authentication, and personally use them whenever possible. The only looming cloud on the horizon is the ever-more-likely development of an attack, using a quantum computer, on the public-key cryptographic algorithms the security keys use. Someone may already have achieved this - if they have, they certainly would not disclose it!

So we continually track developments in post-quantum cryptography (PQC) and the cryptographic agility which prepares us to switch to post-quantum algorithms when the time comes. Now Google has announced an important next step with the development and release of a quantum-resilient FIDO2 security key implementation as part of OpenSK, their open source security key firmware.

This implementation is optimized for the tightly constrained hardware of a typical security key. Written in Rust, it requires only 20 KB of memory and performs acceptably, although hardware acceleration could speed it further. It uses a hybrid approach, combining the elliptic curve DSA (ECDSA) signature algorithm with the recently standardized Dilithium quantum-resistant signature algorithm.
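To show what the hybrid construction buys you, here is an added Go example (not OpenSK's code) of an AND-combiner: a message is signed by both component algorithms, and verification succeeds only if both signatures check out. Go's standard library has no Dilithium, so Ed25519 stands in for the post-quantum component purely to illustrate the structure; that substitution, the length-prefixed wire format and the constructed test message are assumptions of this example, not details of OpenSK's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// HybridSigner pairs a classical ECDSA P-256 key with an independent second key.
// OpenSK's second component is Dilithium; Go's standard library has no Dilithium,
// so Ed25519 stands in for it here (an assumption made for this example only).
type HybridSigner struct {
	ecKey *ecdsa.PrivateKey
	pqKey ed25519.PrivateKey
}

// HybridPublicKey carries both verification keys.
type HybridPublicKey struct {
	ecPub *ecdsa.PublicKey
	pqPub ed25519.PublicKey
}

// NewHybridSigner generates both component keys.
func NewHybridSigner() (*HybridSigner, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, pq, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HybridSigner{ecKey: ec, pqKey: pq}, nil
}

// Public returns the matching pair of verification keys.
func (s *HybridSigner) Public() HybridPublicKey {
	return HybridPublicKey{ecPub: &s.ecKey.PublicKey, pqPub: s.pqKey.Public().(ed25519.PublicKey)}
}

// SignComponents returns the two component signatures separately: ECDSA over the
// SHA-256 digest of msg, the stand-in post-quantum algorithm over msg itself.
func (s *HybridSigner) SignComponents(msg []byte) (ecSig, pqSig []byte, err error) {
	h := sha256.Sum256(msg)
	if ecSig, err = ecdsa.SignASN1(rand.Reader, s.ecKey, h[:]); err != nil {
		return nil, nil, err
	}
	return ecSig, ed25519.Sign(s.pqKey, msg), nil
}

// Combine encodes a hybrid signature as 2-byte big-endian len(ecSig) || ecSig || pqSig
// (a wire format chosen for this example).
func Combine(ecSig, pqSig []byte) []byte {
	out := make([]byte, 2+len(ecSig)+len(pqSig))
	binary.BigEndian.PutUint16(out, uint16(len(ecSig)))
	copy(out[2:], ecSig)
	copy(out[2+len(ecSig):], pqSig)
	return out
}

// Verify is an AND-combiner: the hybrid signature is accepted only if BOTH
// components verify, so breaking one algorithm (say ECDSA, with a quantum
// computer) is not enough to forge a signature without the other key.
func (pk HybridPublicKey) Verify(msg, sig []byte) error {
	if len(sig) < 2 || len(sig) < 2+int(binary.BigEndian.Uint16(sig)) {
		return errors.New("malformed hybrid signature")
	}
	n := int(binary.BigEndian.Uint16(sig))
	ecSig, pqSig := sig[2:2+n], sig[2+n:]
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pk.ecPub, h[:], ecSig) {
		return errors.New("ECDSA component failed")
	}
	if !ed25519.Verify(pk.pqPub, msg, pqSig) {
		return errors.New("post-quantum component failed")
	}
	return nil
}

func main() {
	signer, _ := NewHybridSigner()
	msg := []byte("constructed FIDO2 challenge")
	ecSig, pqSig, _ := signer.SignComponents(msg)
	fmt.Println("genuine hybrid signature:", signer.Public().Verify(msg, Combine(ecSig, pqSig)))
	// Model ECDSA being fully broken: the ECDSA half is valid under the key
	// holder's key, but the second half had to come from some other key.
	other, _ := NewHybridSigner()
	_, otherPQ, _ := other.SignComponents(msg)
	fmt.Println("ECDSA half only:", signer.Public().Verify(msg, Combine(ecSig, otherPQ)))
}
```

The design point is that the two halves are checked independently and both must pass; a combiner that accepted either signature on its own would be no stronger than the weaker algorithm, which is the opposite of what the hybrid is for.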

Bursztein, Elie and Fabian Kaczmarczyck, Toward Quantum Resilient Security Keys, blog post, 15 August 2023. Available online at https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.