Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials
10.10.23 Exploit The Hacker News
A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign.
IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials."
CVE-2023-3519 (CVSS score: 9.8), addressed by Citrix in July 2023, is a critical code injection vulnerability that could lead to unauthenticated remote code execution. Over the past few months, it has been heavily exploited to infiltrate vulnerable devices and gain persistent access for follow-on attacks.
In the latest attack chain discovered by IBM X-Force, the operators sent a specially crafted web request to trigger the exploitation of CVE-2023-3519 and deploy a PHP-based web shell.
The access afforded by the web shell is subsequently leveraged to append custom code to the NetScaler Gateway login page that references a remote JavaScript file hosted on attacker-controlled infrastructure.
The JavaScript code is designed to collect the form data containing the username and password information supplied by the user and transmit it to a remote server through an HTTP POST method upon authentication.
The company said it identified "at least 600 unique victim IP addresses hosting modified NetScaler Gateway login pages," a majority of them located in the U.S. and Europe. The attacks are said to be opportunistic in nature owing to the fact that the additions appear more than once.
It's not exactly clear when the campaign started, but the earliest login page modification is on August 11, 2023, indicating that it has been underway for nearly two months. It has not been attributed to any known threat actor or group.
The disclosure comes as Fortinet FortiGuard Labs uncovered an updated version of the IZ1H9 Mirai-based DDoS campaign that makes use of a revised list of exploits targeting various flaws in IP cameras and routers from D-Link, Geutebrück, Korenix, Netis, Sunhillo SureLine, TP-Link, TOTOLINK, Yealink, and Zyxel.
"This highlights the campaign's capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs," security researcher Cara Lin said.
Successful exploitation of the vulnerabilities paves the way for the deployment of a shell script downloader that's used to retrieve the IZ1H9 payload, turning the compromised Linux machines into remote-controlled bots for large-scale brute-force and DDoS attacks.
"To counter this threat, it is strongly recommended that organizations promptly apply patches when available and always change default login credentials for devices," Lin said.
The development also coincides with a new unpatched remote command injection flaw impacting D-Link DAP-X1860 range extender (CVE-2023-45208) that could be used by threat actors to run shell commands during the setup process by creating a Wi-Fi network with a crafted SSID containing the apostrophe symbol, according to RedTeam Pentesting.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an advisory released last month, underscored the risk of volumetric DDoS attacks against websites and related web services, urging organizations to implement appropriate mitigations to reduce the threat.
"These attacks target specific websites with the goal of exhausting the target system's resources, rendering the target unreachable or inaccessible, and denying users access to the service," it said.