Hackers Exploiting Citrix NetScaler Vulnerability to Steal User Credentials
Threat actors were attacking unpatched NetScaler Gateways using the vulnerability classified as CVE-2023-3519 to inject malicious script into the HTML of the authentication web page and steal user credentials.
With a CVSS score of 9.8, CVE-2023-3519 is a critical vulnerability that affects NetScaler ADC and NetScaler Gateway, which allows Remote Code Execution.
With a focus on the US and Europe, X-Force identified over 600 distinct victim IP addresses hosting modified NetScaler Gateway login pages.
Deploy Advanced AI-Powered Email Security Solution
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Larger Credential Harvesting Campaign
Reports say a customer found the script after investigating complaints of delayed authentications on the NetScaler device.
The threat actor was leveraging CVE-2023-3519 to inject a PHP web shell, which lets them append custom HTML code to the legitimate ‘index.html’ file, causing the VPN authentication page to load a JavaScript file hosted on the attacker’s page.
The JavaScript code added to “index.html” makes it easier to harvest credentials by retrieving and executing additional JavaScript code that attaches a special function to the “Log_On” element and collects form data containing the username and password information upon authentication.
Researchers discovered many domains the threat actor created, including jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, and cloudjs[.]live.
Except for the command-and-control (C&C), the JavaScript files used in these attacks are almost similar. The credentials obtained have been transmitted to the same URL.
“The NetScaler Packet Processing Engine (NSPPE) crash files can contain evidence of exploiting the vulnerability. The crash files are located with “/var/core/<number>/NSPPE*,” researchers said.
NSPPE crash file timestamps were found to be aligned with the filesystem timestamps of PHP web shells established through exploitation.
CISA issued an advisory document with information on detection, incident response, mitigations, and testing security procedures in response to the widespread exploitation of CVE-2023-3519. It is advised that you follow the specified recommendations.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
