<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.xcontentpasted1
{mso-style-name:x_contentpasted1;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in">Today, the Cybersecurity and Infrastructure Security Agency (CISA)
published a </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:#0070C0;border:none windowtext 1.0pt;padding:0in"><a href="https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf">Cybersecurity
Advisory (CSA)</a></span><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in"> that warns all organizations about exploitation of a vulnerability (Common Vulnerabilities and
Exposures (CVE)) affecting the NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in">In June 2023, threat actors exploited CVE-2023-3519, an unauthenticated
remote code execution vulnerability, as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s Active Directory (AD) and collect and exfiltrate
AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked movement. </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in">This advisory provides tactics, techniques, and procedures (TTPs) and
victim-created detection guidance to help network defenders check for signs of compromise. If no compromise is detected, organizations should immediately apply patches provided by Citrix. </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;border:none windowtext 1.0pt;padding:0in">All organizations are strongly urged to review the advisory, check
to determine if this activity is on their networks, conduct incident response if compromise is detected, and implement recommended mitigations. </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> <o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
</div>
</body>
</html>