Active Cyberattacks Exploit Unprotected Citrix NetScaler Gateways

October 13, 2023

IBM's X-Force team has discovered that cybercriminals are actively exploiting a recent vulnerability, CVE-2023-3519, in Citrix NetScaler Gateway. The vulnerability is a code injection flaw that can lead to unauthenticated remote code execution. Exploitation succeeds only when the device is configured as a gateway or as an AAA virtual server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about ongoing cyberattacks that are targeting Citrix NetScaler Application Delivery Controllers (ADC) and gateway devices. The attackers are exploiting the zero-day CVE-2023-3519 vulnerability and deploying Web shells onto the vulnerable systems.

The Shadowserver Foundation, a non-profit organization, reported in early August that hundreds of Citrix NetScaler ADC and Gateway servers had been compromised in persistent attack campaigns exploiting critical Remote Code Execution (RCE) vulnerabilities.

The attackers are using the vulnerability to inject malicious JavaScript into the device's login page. This script loads an additional remote JavaScript file that harvests usernames and passwords and sends them to a remote server during the authentication process.

The attack begins with the threat actors sending a Web request that triggers the CVE-2023-3519 flaw. Afterward, they retrieve the contents of the device's configuration file and append custom HTML code to the login page, referencing a remote JavaScript file hosted on their infrastructure.

The JavaScript code attached to the login page retrieves and executes additional JavaScript, adding custom functions to the authentication page’s “Log_On” button. This malicious code can harvest data within the authentication form and send it to a remote host.
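The injection chain described above (HTML appended to the login page, a remote script reference, and a hook on the "Log_On" button) leaves traces that a defender can look for in a saved copy of the gateway's login page. The following scanner is an added example written for this article; it is not code from IBM X-Force, Citrix, or the campaign. It parses the page HTML, lists every `<script src=...>` reference, flags any that loads from a host other than the appliance itself (or an explicit allowlist), and flags inline scripts that touch the `Log_On` element. The sample page, the appliance hostname `gateway.corp.example`, the relative path `/vpn/js/login.js` and the domain `js.attacker-placeholder.example` are all constructed for the demonstration and are not indicators from the article.

```python
"""Audit a NetScaler Gateway login page for injected external scripts.

Added example, not code from the article or from Citrix. The article
describes attackers appending HTML that references a remote JavaScript
file and hooks the "Log_On" button; this scanner looks for both traces.
Every hostname and path below is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []   # src attribute of each <script src=...>
        self.inline_scripts = []  # body text of each inline <script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as CDATA through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False


def audit_login_page(html, appliance_host, allowed_hosts=()):
    """Return a list of findings for script references that do not belong.

    A relative src (no host) loads from the appliance itself and is trusted.
    Any absolute URL whose host is neither the appliance nor allowlisted is
    reported, as is any inline script that references the Log_On element.
    """
    parser = ScriptCollector()
    parser.feed(html)
    trusted = {appliance_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in parser.external_srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted:
            findings.append({"type": "external_script", "src": src, "host": host})
    for body in parser.inline_scripts:
        if "Log_On" in body:
            findings.append({"type": "logon_hook", "snippet": body.strip()[:80]})
    return findings


# Constructed sample: a minimal login page plus the kind of appended block
# the article describes. Hostnames and paths are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/vpn/js/login.js"></script>
</head><body>
<form><input name="login"><input name="passwd" type="password">
<a id="Log_On" href="#">Log On</a></form>
<script src="https://js.attacker-placeholder.example/lib.js"></script>
<script>
document.getElementById("Log_On").addEventListener("click", sendForm);
</script>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE, "gateway.corp.example"):
        print(finding)
```

Run it against a copy of the login page fetched from each appliance (for example with `curl` from a management host) and compare the result with a known-good page; a clean page yields an empty list, while the constructed sample above reports one external script and one `Log_On` hook. The allowlist exists so that a legitimate external script host (an identity provider, say) can be excluded without silencing the check entirely.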

X-Force researchers identified several domain names used in the campaign, registered in early August. The researchers also identified nearly 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with the majority of victims located in the United States and Europe.

The first modification of the NetScaler Gateway login page was detected on August 11, 2023, suggesting the start of this campaign. On October 10, security researcher Germán Fernández revealed that hundreds of Citrix VPN instances exploited via CVE-2023-3519 are harvesting corporate credentials in cleartext.

While the researchers could not link this activity to any known threat group, they were able to extract Indicators of Compromise (IoCs) from the campaign.
