Cybercriminals are leveraging a significant flaw, CVE-2023-3519, in Citrix NetScaler Gateways to carry out a large-scale campaign aimed at stealing user credentials. The vulnerability, an unauthenticated remote code execution bug, was first identified as a zero-day in July, affecting Citrix NetScaler ADC and NetScaler Gateway. By mid-August, the flaw had been exploited to compromise at least 2,000 Citrix servers.
The threat actors registered several domains for this campaign, including jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, and cloudjs[.]live. X-Force identified nearly 600 unique IP addresses for NetScaler devices whose login pages had been modified for the credential-stealing operation. The majority of victims are located in the United States and Europe, but compromised systems are found globally.
The campaign, based on the timestamps retrieved, has been active since August 11, 2023. IBM's analysts could not attribute this activity to any known threat group or clusters. However, they identified a new artifact from the attack that could assist defenders in early detection. This artifact can be found in the NetScaler application crash logs associated with the NetScaler Packet Processing Engine (NSPPE), located in '/var/core//NSPPE*'.
'X-Force observed that the NSPPE crash file timestamps aligned with the filesystem timestamps of the PHP web shells created through exploitation,' the report states. 'In other instances, X-Force was able to recover commands being passed to the web shells as part of post-exploitation activities.' The crash files are stored in '.gz' archives that require extraction before analysis, while their string data contents also need to be converted to readable form using tools like PowerShell. System administrators are advised to follow the remediation and detection guidance provided by CISA.
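The triage steps the report describes (locate the NSPPE crash files, unpack the .gz archives, pull out their readable string data, and line up the crash timestamps against PHP files in the web root) can be scripted. The following is an added example written for this article, not a tool from IBM X-Force or Citrix: it runs against a constructed directory tree built inline (the `build_sample` helper, a placeholder crash dump and placeholder PHP files, and the `demo` entry point are all assumptions), uses a configurable time window rather than any threshold stated in the report, and searches the extracted strings only for the campaign domains the article lists. On an appliance the same `correlate` function would be pointed at `/var/core` and the NetScaler web directory.

```python
import gzip
import os
import re
import tempfile
from pathlib import Path

# Domains the article lists as registered for this campaign (shown defanged there).
CAMPAIGN_DOMAINS = ["jscloud.ink", "jscloud.live", "jscloud.biz", "jscdn.biz", "cloudjs.live"]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes: the same idea as the
    `strings` utility or a PowerShell byte-to-text conversion of the crash data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def read_crash(path: Path) -> bytes:
    """NSPPE crash files are stored as .gz archives; fall back to a raw read otherwise."""
    if path.suffix == ".gz":
        with gzip.open(path, "rb") as fh:
            return fh.read()
    return path.read_bytes()


def find_crash_files(core_dir) -> list:
    """Walk core_dir (on an appliance: /var/core) for NSPPE* crash files."""
    return sorted(p for p in Path(core_dir).rglob("NSPPE*") if p.is_file())


def correlate(core_dir, web_dir, window_seconds: int = 300) -> list:
    """For each crash file, report PHP files whose mtime lies within window_seconds
    of the crash (the timestamp alignment X-Force describes) and any extracted
    strings that name one of the campaign domains."""
    php_files = [(p, p.stat().st_mtime) for p in Path(web_dir).rglob("*.php")]
    findings = []
    for crash in find_crash_files(core_dir):
        crash_mtime = crash.stat().st_mtime
        nearby = [str(p) for p, m in php_files if abs(m - crash_mtime) <= window_seconds]
        strs = extract_strings(read_crash(crash))
        hits = [s for s in strs if any(d in s for d in CAMPAIGN_DOMAINS)]
        findings.append({"crash": str(crash), "nearby_php": nearby, "ioc_strings": hits})
    return findings


def build_sample(root) -> tuple:
    """Constructed sample data (assumption, not real appliance content): one gzipped
    NSPPE crash dump with embedded ASCII, one PHP file written 60 s after the crash,
    and one unrelated PHP file written a day earlier. Returns (core_dir, web_dir)."""
    root = Path(root)
    core_dir = root / "var" / "core" / "1"
    web_dir = root / "netscaler" / "ns_gui" / "vpn"
    core_dir.mkdir(parents=True)
    web_dir.mkdir(parents=True)
    t0 = 1_691_760_000  # constructed epoch timestamp (mid-August 2023)
    payload = (b"\x00\x7fELF" + bytes(range(32))          # non-printable filler
               + b"\x00https://jscloud.live/collect.js\x00"  # constructed IoC string
               + b"\x01\x02NSPPE-0-0 crash\x00")
    crash = core_dir / "NSPPE-0-0.gz"
    with gzip.open(crash, "wb") as fh:
        fh.write(payload)
    os.utime(crash, (t0, t0))
    recent = web_dir / "a.php"
    recent.write_text("<?php /* constructed placeholder file */ ?>")
    os.utime(recent, (t0 + 60, t0 + 60))
    old = web_dir / "index.php"
    old.write_text("<?php /* constructed, unrelated legitimate file */ ?>")
    os.utime(old, (t0 - 86400, t0 - 86400))
    return core_dir.parent, web_dir


def demo() -> list:
    """Build the sample tree in a temp directory and run the correlation over it."""
    with tempfile.TemporaryDirectory() as tmp:
        core_dir, web_dir = build_sample(tmp)
        return correlate(core_dir, web_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The output is one finding per crash file listing the PHP files created or modified within the window and any extracted strings that contain a campaign domain; an empty `ioc_strings` list with a non-empty `nearby_php` list still warrants a look at those PHP files, since the timestamp alignment is the primary signal the report describes.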