Large-Scale Credential Theft Campaign Targets Citrix NetScaler Gateways

October 9, 2023

Cybercriminals are leveraging a significant flaw, CVE-2023-3519, in Citrix NetScaler Gateways to carry out a large-scale campaign aimed at stealing user credentials. The vulnerability, an unauthenticated remote code execution bug, was first identified as a zero-day in July, affecting Citrix NetScaler ADC and NetScaler Gateway. By mid-August, the flaw had been exploited to compromise at least 2,000 Citrix servers.

IBM's X-Force, which first identified the credential-stealing campaign, reports that despite numerous warnings to update Citrix devices, the attack surface remains substantial. Hackers began exploiting CVE-2023-3519 in September to inject JavaScript that collects login credentials. The campaign was discovered during an investigation into a client case involving slow authentications on their NetScaler device.

The attackers used the CVE-2023-3519 vulnerability to inject a malicious JavaScript script into the index.html login page of a Citrix NetScaler device. The attack starts with a web request that exploits vulnerable NetScaler devices to write a straightforward PHP web shell to '/netscaler/ns_gui/vpn'. This web shell provides the attackers with direct, real-time access to the compromised endpoint, which they use to collect configuration data from the 'ns.conf' file.

Subsequently, the attackers append custom HTML code to the 'index.html' file. This code references a remote JavaScript file, which fetches and executes additional JS code designed for credential collection. The final JS snippet adds a custom function to the 'Log On' button on the VPN authentication page, enabling the collection of user credentials. These credentials are then sent to the attackers via an HTTP POST request.

The threat actors registered several domains for this campaign, including jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, and cloudjs[.]live. X-Force identified nearly 600 unique IP addresses for NetScaler devices whose login pages had been modified for the credential-stealing operation. The majority of victims are located in the United States and Europe, but compromised systems are found globally.

The campaign, based on the timestamps retrieved, has been active since August 11, 2023. IBM's analysts could not attribute this activity to any known threat group or cluster. However, they identified a new artifact from the attack that could assist defenders in early detection. This artifact can be found in the NetScaler application crash logs associated with the NetScaler Packet Processing Engine (NSPPE), located in '/var/core//NSPPE*'.

'X-Force observed that the NSPPE crash file timestamps aligned with the filesystem timestamps of the PHP web shells created through exploitation,' the report states. 'In other instances, X-Force was able to recover commands being passed to the web shells as part of post-exploitation activities.' The crash files are stored in '.gz' archives that must be extracted before analysis, and the string data they contain must be converted to readable form with a tool such as PowerShell. System administrators are advised to follow the remediation and detection guidance provided by CISA.
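The correlation described above, written out as a triage helper. This is an added example, not IBM X-Force's or Citrix's tooling: it pairs NSPPE crash archives in a '/var/core' copy with PHP files under a '/netscaler/ns_gui/vpn' copy by timestamp and extracts printable strings from the '.gz' archives; the directory layout, file names and timestamps in the fixture are constructed.

```python
import gzip
import os
import re
import tempfile
from pathlib import Path

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def strings_from_gz(path):
    """Decompress one NSPPE*.gz crash archive and return its printable strings,
    the same data the article says must be made readable before analysis."""
    with gzip.open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def correlate(core_dir, vpn_dir, window=600):
    """Pair each NSPPE crash archive with PHP files under the vpn directory whose
    mtime falls within `window` seconds of the crash; returns (crash, php, delta)."""
    crashes = sorted(Path(core_dir).glob("NSPPE*.gz"))
    php_files = sorted(Path(vpn_dir).glob("*.php"))
    hits = []
    for crash in crashes:
        for php in php_files:
            delta = abs(crash.stat().st_mtime - php.stat().st_mtime)
            if delta <= window:
                hits.append((crash.name, php.name, int(delta)))
    return hits


def build_fixture():
    """Constructed appliance layout (not real data): one crash archive, one PHP
    file written 42 s after it, and one unrelated PHP file a day older."""
    root = Path(tempfile.mkdtemp())
    core, vpn = root / "var" / "core", root / "netscaler" / "ns_gui" / "vpn"
    core.mkdir(parents=True)
    vpn.mkdir(parents=True)
    crash = core / "NSPPE-00-1.gz"
    with gzip.open(crash, "wb") as fh:  # binary noise around an embedded path string
        fh.write(b"\x00\x01\xff" + b"/netscaler/ns_gui/vpn/" + b"\x00" * 8)
    base = 1_691_755_200  # 2023-08-11 12:00:00 UTC, constructed
    os.utime(crash, (base, base))
    suspect = vpn / "suspect.php"
    suspect.write_text("<?php /* constructed placeholder, not a real web shell */ ?>")
    os.utime(suspect, (base + 42, base + 42))
    stale = vpn / "stale.php"
    stale.write_text("<?php ?>")
    os.utime(stale, (base - 86_400, base - 86_400))
    return core, vpn
```

Run `correlate(*build_fixture())` to see the single crash/PHP pair the fixture produces; on a real evidence copy, pass the two collected directories instead.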
