Federal authorities and security researchers are urging organizations to protect their network environments after hackers compromised a critical infrastructure provider by exploiting a zero-day vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway.
Hackers were able to steal data from the critical infrastructure provider’s Active Directory in June after dropping a webshell onto a NetScaler ADC appliance in the organization’s non-production environment, the Cybersecurity and Infrastructure Security Agency said last week.
The hackers attempted to move to the organization’s domain controller, but were blocked due to network segmentation controls.
Mandiant researchers said they are investigating cases where application delivery controller appliances were fully patched at the time.
“At the time of the initial compromise, the affected appliances had the latest patches installed,” a Mandiant spokesperson said. “Citrix had not published the zero-day patch yet, and thus the appliances were vulnerable to this particular attack.”
Citrix entered a deal in January 2022 to be acquired by affiliates of Vista Equity Partners and Evergreen Coast Capital for $16.5 billion. Citrix ADC and Citrix Gateway are now called NetScaler ADC and NetScaler Gateway.
ADCs, mainly used in the IT space, are considered a key component of enterprise and cloud data centers to ensure continuous improvement and to make sure applications are available, secure and optimally performing, according to Mandiant.
At the time Mandiant was writing the blog, which was released Friday, there was no public proof of concept available.
While Mandiant does not have enough information to provide direct attribution, the activities are consistent with prior China-nexus activities, the company said.
Citrix released security updates on Tuesday and urged all affected organizations to patch their systems.
Bishop Fox researchers said there are about 61,000 affected appliances exposed to the internet and about 53% remain unpatched.