On 16 August 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) added the critical Citrix vulnerability CVE-2023-24489 to its catalog of known security flaws exploited in the wild and warned that it was being targeted by unknown actors.
The vulnerability, first discovered by researchers in June 2023, is a cryptographic bug that allows unauthenticated attackers to upload files and remotely compromise customer-managed Citrix ShareFile storage zones controllers.
In this article we provide an overview of the vulnerability, remediation advice and steps to take if you uncover malicious activity on your affected Citrix products.
Background
Since the CISA announcement, researchers have observed a significant spike in attacker activity related to CVE-2023-24489 from several countries, including Finland, the UK, the US and South Korea, with most of the activity originating from South Korea. Additionally, proof-of-concepts for exploiting the vulnerability have been published online since July 2023. It is therefore highly likely that CVE-2023-24489 will be exploited imminently by a wider range of nation-state and financially motivated cybercriminals. The potential impact is significant due to the widespread usage of Citrix’s cloud-based file-sharing application by the public and private sector, combined with the fact that managed file transfer (MFT) products have been heavily exploited by threat actors to deploy ransomware and/or exfiltrate data.
The CISA development comes as researchers also discovered widespread attacks targeting another critical Citrix vulnerability, CVE-2023-3519, which allows criminals to infiltrate and compromise vulnerable NetScalers, with access persisting even after patches and reboots.
Remediation
We urgently advise all organisations that may be impacted by the CVE-2023-24489 vulnerability to apply the following remediation:
- Upgrade to the latest version of the Citrix ShareFile Storage Zones Controller
- Review systems for evidence of exploitation of CVE-2023-24489
- Shut down any machine that was running an affected version of the storage zones controller software
- Apply Citrix recommendations for the vulnerability
If evidence of compromise is identified, we recommend an immediate investigation into the scope of the malicious activity so that any threat actor with access to the network is removed.
Affected Citrix products
This vulnerability affects all currently supported versions of customer-managed Citrix ShareFile storage zones controllers before version 5.11.24.
Indicators of compromise
At this stage, limited IOCs are available. However, based on analysis of the available proof of concepts and on reporting from other researchers, the following items are potential IOCs for this exploit:
- Unusual files being uploaded via the /documentum/upload.aspx page, e.g. POST /documentum/upload.aspx?parentid=QUFBQUFBQUFBQUFBQUFBi0FBQUFBQUFBQUFBQUFBQUE%3D&raw=1&unzip=on&uploadid=x\..\..\..\cifs&filename=x.aspx
- Attempted/successful logins from malicious IPs from countries including South Korea, Finland and the US
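Added example (not part of the original advisory): a small Python sweep over constructed, simplified IIS-style log lines (date, time, method, URI stem, query, client IP, status) that flags the upload pattern above, i.e. a POST to /documentum/upload.aspx whose uploadid carries a path-traversal sequence or whose filename has a server-executable extension. Extending the check beyond .aspx to the other ASP.NET handler extensions and to forward-slash traversal is an assumption for broader coverage, not something the advisory states.

```python
"""Sweep IIS-style web logs for the CVE-2023-24489 upload pattern."""
import re
from urllib.parse import parse_qs

# Matches "..", delimited by a backslash, slash, or string boundary, in uploadid.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# .aspx is the extension seen in published exploit attempts; .ashx/.asmx are
# an assumption added so other ASP.NET handler uploads are caught as well.
SERVER_EXEC_EXT = (".aspx", ".ashx", ".asmx")
TARGET_STEM = "/documentum/upload.aspx"

# Constructed, simplified log lines (not from a real incident):
# date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2023-08-17 10:01:02 POST /documentum/upload.aspx parentid=AAAA%3D&raw=1&unzip=on&uploadid=x%5C..%5C..%5C..%5Ccifs&filename=x.aspx 198.51.100.7 200
2023-08-17 10:01:05 POST /documentum/upload.aspx parentid=AAAA%3D&raw=1&uploadid=abc123&filename=report.pdf 203.0.113.9 200
2023-08-17 10:01:09 GET /documentum/upload.aspx - 203.0.113.9 200
2023-08-17 10:02:11 POST /documentum/upload.aspx raw=1&unzip=on&uploadid=../../cifs&filename=shell.ashx 198.51.100.7 200
"""


def inspect_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    parts = line.split()
    if len(parts) != 7:
        return None  # not in the constructed seven-field format
    date, time, method, stem, query, client_ip, status = parts
    if method != "POST" or stem.lower() != TARGET_STEM or query == "-":
        return None
    params = parse_qs(query, keep_blank_values=True)  # also percent-decodes
    upload_id = params.get("uploadid", [""])[0]
    filename = params.get("filename", [""])[0]
    reasons = []
    if TRAVERSAL.search(upload_id):
        reasons.append(f"path traversal in uploadid: {upload_id!r}")
    if filename.lower().endswith(SERVER_EXEC_EXT):
        reasons.append(f"server-executable filename: {filename!r}")
    if not reasons:
        return None
    return {"timestamp": f"{date} {time}", "client_ip": client_ip,
            "status": status, "reasons": reasons}


def scan(log_text):
    """Return all findings for a block of log text, in log order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["timestamp"], finding["client_ip"], "; ".join(finding["reasons"]))
```

Point `scan()` at the cs-uri-stem/cs-uri-query fields of your real IIS logs after mapping them into the same field order; a successful (200) response to a flagged request should be treated as a likely compromise rather than a blocked attempt.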
If malicious activity is identified
- Trigger your incident response plan
- Engage an expert cyber incident response firm
- Preserve evidence
- Implement a containment plan to limit the threat actor’s access inside the network
- Implement a threat hunting and eradication plan to remove the threat actor from the network
- Conduct forensics across impacted devices to identify potential data exfiltration
Please contact S-RM if you are concerned about your organisation's exposure to the Citrix vulnerability.