IBM’s X-Force researchers reported that threat actors are conducting a large-scale credential harvesting campaign exploiting the recent CVE-2023-3519 vulnerability (CVSS score: 9.8) in Citrix NetScaler Gateways.
At the end of July, Citrix warned customers that the CVE-2023-3519 flaw in NetScaler Application Delivery Controller (ADC) and Gateway is being actively exploited in the wild.
The vulnerability is a code injection that could result in unauthenticated remote code execution. The company added that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting the zero-day CVE-2023-3519. The Agency revealed that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization.
The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems.
In early August, security researchers from the non-profit organization Shadowserver Foundation reported that hundreds of Citrix Netscaler ADC and Gateway servers had been compromised as part of an ongoing campaign exploiting the critical remote code execution (RCE) vulnerability.
X-Force discovered the campaign while conducting an incident response activity for a client that had reported slow authentications on the NetScaler install. The attackers exploited the flaw to inject a malicious Javascript into the device “index.html” login page.
“The script which is appended to the legitimate “index.html” file loads an additional remote JavaScript file that attaches a function to the “Log On” element in the VPN authentication page that collects the username and password information and sends it to a remote server during authentication.” reads the report published by IBM X-Force.
The attack chain starts with the threat actors sending a web request to “/gwtest/formssso? event=start&target=” triggering the flaw CVE-2023-3519 to write a simple PHP web shell to /netscaler/ns_gui/vpn. Once the PHP web shell is deployed, the attacker retrieved the contents of the “ns.conf” file on the device. Then the attackers appended custom HTML code to “index.html” which references a remote JavaScript file hosted on attacker-controlled infrastructure.
The JavaScript code appended to “index.html” retrieves and executes additional JavaScript code that attaches a custom function to the “Log_On” button on the authentication page. The malicious code can collect data in the authentication form, including credentials, and sends it to a remote host through a HTTP POST method.
X-Force researchers identified multiple domains used as part of this campaign, the domains were registered on August 5th, 6th and 14th, and leveraging Cloudflare to mask where the domains were hosted.
The researchers identified the C2 infrastructure used by the threat actors, then they were able to identify almost 600 unique victim IP addresses hosting modified NetScaler Gateway login pages. Most of the victims are in the United States and Europe.
The analysis reveals that the NetScaler Gateway login pages were first modified on August 11, 2023, suggesting that this date might mark the commencement of the campaign.
The researchers were not able to link this campaign to any known threat group, however, they were able to extract indicators of compromise (IoCs) from this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Citrix NetScaler)