Cyber Attackers Exploit Citrix NetScaler Flaw to Steal User Credentials
A recent large-scale hacking campaign is taking advantage of a critical flaw in Citrix NetScaler Gateways, marked as CVE-2023-3519, to pilfer user credentials. This vulnerability, discovered as a zero-day in July, impacts Citrix NetScaler ADC and NetScaler Gateway, and has become a prime target for cybercriminals.
By early August, this flaw had already allowed unauthorized access to more than 640 Citrix servers, a number that had risen to 2,000 by mid-August. Despite warnings and advisories to update Citrix devices, the attack surface remains significant, and hackers began exploiting CVE-2023-3519 to insert JavaScript for credential harvesting in September.
The attackers behind this campaign have been quietly modifying the login pages of Citrix NetScaler devices to inject malicious credential-stealing JavaScript scripts. The attack unfolds with a web request targeting vulnerable NetScaler devices, allowing the hackers to create a web shell and gain direct access to the compromised endpoint. They then extract configuration data and append custom HTML code to the login page, which references a remote JavaScript file, subsequently collecting user credentials upon login.
This threat actor has registered several domains for their campaign, and the campaign has impacted nearly 600 unique IP addresses of NetScaler devices worldwide. While the majority of victims are located in the United States and Europe, compromised systems span the globe.
This campaign has been ongoing for two months, with an early modification of the login page detected on August 11, 2023. However, IBM X-Force, which uncovered this activity, was unable to attribute it to any known threat group or cluster. In response to this campaign, organizations are urged to apply patches and change default login credentials for their devices.
This revelation comes in conjunction with the discovery of an updated version of the IZ1H9 Mirai-based DDoS campaign, emphasizing the importance of promptly addressing vulnerabilities and adopting strong security practices. Organizations should remain vigilant and proactive in safeguarding their systems against cyber threats.
