Active Cyberattacks Exploit Unprotected Citrix NetScaler Gateways

October 13, 2023

IBM's X-Force team has discovered that cybercriminals are actively exploiting a recent vulnerability, CVE-2023-3519, in the Citrix NetScaler Gateway. This vulnerability is a code injection that could lead to unauthorized remote code execution. The exploitation is successful when the device is configured as a gateway or an AAA virtual server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about ongoing cyberattacks that are targeting Citrix NetScaler Application Delivery Controllers (ADC) and gateway devices. The attackers are exploiting the zero-day CVE-2023-3519 vulnerability and deploying Web shells onto the vulnerable systems.

The Shadowserver Foundation, a non-profit organization, reported in early August that hundreds of Citrix Netscaler ADC and gateway servers have been compromised in persistent attack campaigns. The attackers have exploited critical Remote Code Execution (RCE) vulnerabilities.

The attackers are using the vulnerability to inject malicious Javascript into the device’s login page. This script loads an additional remote JavaScript file that harvests username and password details and sends them to a remote server during the authentication process.

The attack begins with the threat actors sending a Web request that triggers the CVE-2023-3519 flaw. Afterward, they retrieve the contents of the device's configuration file and append custom HTML code to the login page, referencing a remote JavaScript file hosted on their infrastructure.

The JavaScript code attached to the login page retrieves and executes additional JavaScript, adding custom functions to the authentication page’s “Log_On” button. This malicious code can harvest data within the authentication form and send it to a remote host.

X-Force researchers identified several domain names used in the campaign, registered in early August. The researchers also identified nearly 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with the majority of victims located in the United States and Europe.

The first modification of the NetScaler Gateway login page was detected on August 11, 2023, suggesting the start of this campaign. On October 10, security researcher Germán Fernández revealed that hundreds of Citrix VPN instances exploited via CVE-2023-3519 are harvesting corporate credentials in cleartext.

While the researchers could not link this activity to any known threat group, they were able to extract Indicators of Compromise (IoCs) from the campaign.

Related News

• Critical Vulnerability Detected in Citrix NetScaler Devices Could Expose Sensitive Information
• Large-Scale Credential Theft Campaign Targets Citrix NetScaler Gateways
• FIN8 Ransomware Group Targets Unpatched Citrix NetScaler Devices
• Massive Hacking Campaign Targets Nearly 2,000 Citrix NetScaler Servers
• Mandiant Rolls Out Scanner to Detect Compromised Citrix Devices

Latest News

• Unpatched WS_FTP Servers Now a Target for Ransomware Attacks
• SEC Probes Progress Software Over MOVEit Ransomware Attack
• High-Severity curl Vulnerability Not as Threatening as Initially Feared
• Critical cURL Flaw Exposes Enterprise Systems to Potential Attacks
• CISA Identifies Five Newly Exploited Vulnerabilities in Popular Software