Headline
Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials
A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user
Network Security / Password
A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign.
IBM X-Force, which uncovered the activity last month, said adversaries exploited “CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials.”
CVE-2023-3519 (CVSS score: 9.8), addressed by Citrix in July 2023, is a critical code injection vulnerability that could lead to unauthenticated remote code execution. Over the past few months, it has been heavily exploited to infiltrate vulnerable devices and gain persistent access for follow-on attacks.
In the latest attack chain discovered by IBM X-Force, the operators sent a specially crafted web request to trigger the exploitation of CVE-2023-3519 and deploy a PHP-based web shell.
The access afforded by the web shell is subsequently leveraged to append custom code to the NetScaler Gateway login page that references a remote JavaScript file hosted on attacker-controlled infrastructure.
The JavaScript code is designed to collect the form data containing the username and password information supplied by the user and transmit it to a remote server through an HTTP POST method upon authentication.
The company said it identified “at least 600 unique victim IP addresses hosting modified NetScaler Gateway login pages,” a majority of them located in the U.S. and Europe. The attacks are said to be opportunistic in nature owing to the fact that the additions appear more than once.
It’s not exactly clear when the campaign started, but the earliest login page modification is on August 11, 2023, indicating that it has been underway for nearly two months. It has not been attributed to any known threat actor or group.
The disclosure comes as Fortinet FortiGuard Labs uncovered an updated version of the IZ1H9 Mirai-based DDoS campaign that makes use of a revised list of exploits targeting various flaws in IP cameras and routers from D-Link, Geutebrück, Korenix, Netis, Sunhillo SureLine, TP-Link, TOTOLINK, Yealink, and Zyxel.
“This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs,” security researcher Cara Lin said.
Successful exploitation of the vulnerabilities paves the way for the deployment of a shell script downloader that’s used to retrieve the IZ1H9 payload, turning the compromised Linux machines into remote-controlled bots for large-scale brute-force and DDoS attacks.
“To counter this threat, it is strongly recommended that organizations promptly apply patches when available and always change default login credentials for devices,” Lin said.
The development also coincides with a new unpatched remote command injection flaw impacting D-Link DAP-X1860 range extender (CVE-2023-45208) that could be used by threat actors to run shell commands during the setup process by creating a Wi-Fi network with a crafted SSID containing the apostrophe symbol, according to RedTeam Pentesting.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an advisory released last month, underscored the risk of volumetric DDoS attacks against websites and related web services, urging organizations to implement appropriate mitigations to reduce the threat.
“These attacks target specific websites with the goal of exhausting the target system’s resources, rendering the target unreachable or inaccessible, and denying users access to the service,” it said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,
U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to
Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below - CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management
The latest threat to Citrix NetScaler, CVE-2023-4966, was exploited as a zero-day bug for months before a patch was issued. Researchers expect exploitation efforts to surge.
A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers (within range of the repeater) to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names containing single quotes (in the range of the repeater) can result in a denial of service.
Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack. Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663. Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited
Categories: Exploits and vulnerabilities Categories: News Tags: Citrix Tags: NetScalers Tags: Germany Tags: CVE-2023-3519 Tags: Fox-IT Tags: DIVD Researchers have found almost 2000 backdoored Citrix NetScalers, many of which were patched after the backdoor in the form of a web shell was dropped. (Read more...) The post Citrix NetScalers backdoored in widespread exploitation campaign appeared first on Malwarebytes Labs.
Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can
A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The
Categories: Exploits and vulnerabilities Categories: News Tags: Citrix Tags: NetScaler Tags: CVE-2023-3519 Tags: web shell A critical unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway is being actively exploited (Read more...) The post CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519 appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems. "In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical
Unauthenticated remote code execution
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions - NetScaler ADC and NetScaler Gateway 13.1