IBM's X-Force team has discovered that cybercriminals are actively exploiting a recent vulnerability, CVE-2023-3519, in Citrix NetScaler Gateway. The flaw is a code injection that can lead to unauthenticated remote code execution. It is exploitable only when the appliance is configured as a gateway or as an AAA virtual server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of ongoing attacks targeting Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. The attackers exploit the zero-day vulnerability CVE-2023-3519 and deploy web shells on the compromised systems.
The Shadowserver Foundation, a non-profit organization, reported in early August that hundreds of Citrix NetScaler ADC and Gateway servers had been compromised in persistent attack campaigns exploiting critical remote code execution (RCE) vulnerabilities.
X-Force researchers identified several domain names used in the campaign, registered in early August. The researchers also identified nearly 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with the majority of victims located in the United States and Europe.
The first modification of a NetScaler Gateway login page was detected on August 11, 2023, which suggests the campaign started around that date. On October 10, security researcher Germán Fernández revealed that hundreds of Citrix VPN instances compromised via CVE-2023-3519 were harvesting corporate credentials in cleartext.
Although the researchers could not attribute this activity to any known threat group, they were able to extract indicators of compromise (IoCs) from the campaign.