Active credential harvesting attack on unpatched Citrix NetScaler
Take action: It's no longer enough to patch your Citrix NetScaler. Now you should consider all your certificates and passwords compromised and start changing them.
IBM security researchers report an active credential harvesting campaign targeting unpatched Citrix NetScaler gateways, specifically those still vulnerable to the recently disclosed vulnerability CVE-2023-3519. This vulnerability was disclosed in July but had already been exploited since June 2023, with some attacks directed at critical infrastructure organizations.
By mid-August, threat actors had automated exploitation of this vulnerability, backdooring approximately 2,000 NetScaler instances. In scans conducted last week, at least 1,350 NetScaler instances compromised in those earlier attacks were still affected.
In September, IBM detected a new malicious campaign focusing on unpatched NetScaler devices. The attackers were injecting a script into the authentication page to steal user credentials. In these attacks, the threat actor exploited CVE-2023-3519 to plant a PHP web shell. The shell was used to append custom HTML to the legitimate 'index.html' file, causing the VPN authentication page to load a JavaScript file hosted on the attacker's infrastructure.
This JavaScript executes additional code that attaches a custom function to the 'Log_On' element, designed to collect the username and password entered by the user and transmit them to a remote server. The threat actor registered multiple domains in August and placed them behind Cloudflare to conceal the hosting location.
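Because the compromise described above leaves a visible trace in the served page (an extra `<script>` tag pointing at a host the gateway should never reference), an administrator can check for it without relying on device-side logs. The following is an added example, not IBM's or Citrix's code: it parses a copy of the login page as served and reports every externally sourced script whose host is not on an allowlist, and it computes a fingerprint that can be compared against a baseline captured immediately after patching. The hostnames, the `/vpn/js/login.js` path and the sample page are constructed for the example.

```python
"""Flag externally sourced <script> tags on a fetched login page.

Added example (not IBM's or Citrix's code). Assumes the defender has
fetched the page as served (e.g. with curl) and knows which hosts are
legitimately allowed to serve scripts to it.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_external_scripts(html, trusted_hosts):
    """Return script URLs whose host is outside `trusted_hosts`.

    Relative paths are served by the gateway itself and are not reported;
    absolute and protocol-relative URLs are checked against the allowlist.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    suspicious = []
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative URL, served from the gateway itself
        if host not in trusted:
            suspicious.append(src)
    return suspicious


def page_fingerprint(html):
    """SHA-256 of the page as served, for comparison with a known-good
    baseline recorded right after patching."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample: a stripped-down login page with one injected tag.
# Both hostnames are placeholders, not real infrastructure.
SAMPLE_PAGE = """<html><head>
<script src="/vpn/js/login.js"></script>
<script src="https://cdn.example-attacker.invalid/collect.js"></script>
</head><body><form id="Log_On"></form></body></html>"""

CLEAN_PAGE = SAMPLE_PAGE.replace(
    '<script src="https://cdn.example-attacker.invalid/collect.js"></script>\n', "")

if __name__ == "__main__":
    for src in find_external_scripts(SAMPLE_PAGE, ["gateway.example.invalid"]):
        print("suspicious external script:", src)
    if page_fingerprint(SAMPLE_PAGE) != page_fingerprint(CLEAN_PAGE):
        print("page differs from baseline")
```

The allowlist check catches the pattern described in this campaign (a script loaded from attacker-controlled infrastructure), while the fingerprint comparison also catches inline modifications that reference no external host at all; running both against every internet-facing gateway on a schedule turns a one-off inspection into a detection.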
IBM identified over 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with a majority situated in the US and Europe. Scans indicated at least 285 NetScaler instances compromised in this ongoing campaign. The initial infections likely began around August 11, although the campaign could have commenced as early as the domain registration on August 4.