Critical Vulnerability Exploited in Citrix NetScaler Devices

Security experts at IBM X-Force have uncovered a security flaw in Citrix NetScaler ADC and Gateway devices, tracked as CVE-2023-3519, which is currently being exploited by threat actors. This critical code injection vulnerability, with a CVSS score of 9.8, was addressed by Citrix in July 2023. It allows unauthenticated remote code execution, giving threat actors a foothold from which to conduct a credential harvesting campaign.

Exploitation Tactics Unveiled

In the discovered attack chain, threat actors exploit CVE-2023-3519 to inject a malicious script into the HTML content of the authentication web page, capturing user credentials.

The attackers, as revealed by IBM X-Force, use a specially crafted web request to trigger the vulnerability and deploy a PHP-based web shell. This web shell then grants access, allowing the insertion of custom code into the NetScaler Gateway login page.

This code references a remote JavaScript file hosted on attacker-controlled infrastructure, designed to collect and transmit user credentials to a remote server.
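The tampering described above, an injected reference to a remote JavaScript file in the served login page, lends itself to a simple integrity check from the defender's side: record a hash of the known-good page and flag any script source whose host is not on an allow-list. This is an added example, not code from the original article or from Citrix; the hostnames, paths and page fragments are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine login page may load scripts from. Assumption (constructed
# placeholder): the appliance serves its own assets, so relative paths and its
# own hostname are the only legitimate script sources.
TRUSTED_HOSTS = {"gateway.example.invalid"}


class ScriptCollector(HTMLParser):
    """Collect every <script src="..."> reference in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def find_untrusted_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return script URLs whose host is absent from the allow-list.

    Relative paths have no host and pass; absolute and scheme-relative
    (//host/...) URLs are checked against the allow-list.
    """
    parser = ScriptCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).netloc.lower()
        if host and host not in trusted_hosts:
            flagged.append(src)
    return flagged


def baseline_hash(html):
    """SHA-256 of the page body, recorded once from a known-good appliance."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_changed(html, known_good_hash):
    """True when the served page no longer matches the recorded baseline."""
    return baseline_hash(html) != known_good_hash


# Constructed sample pages; not real NetScaler markup.
CLEAN_PAGE = ('<html><head><script src="/js/login.js"></script></head>'
              '<body><form id="login"></form></body></html>')
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://static.placeholder.invalid/collect.js"></script></head>')
```

Run the two checks against each NetScaler login page on a schedule; a hash mismatch tells you the page changed, and the script scan tells you whether the change introduced an off-appliance loader.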

Scope and Impact

IBM X-Force identified over 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, primarily located in the U.S. and Europe. The attacks, considered opportunistic, have been ongoing for nearly two months, with the earliest modification dated August 11, 2023. Notably, the campaign has yet to be attributed to any known threat actor or group.

Broader Threat Landscape

Coinciding with this revelation, Fortinet FortiGuard Labs detected an updated version of the IZ1H9 Mirai-based DDoS campaign. This campaign exploits various vulnerabilities in IP cameras and routers, illustrating its capacity to rapidly expand its botnet through the use of recently released exploit code.

Mitigation and Recommendations

Security researcher Cara Lin emphasizes the importance of prompt patch application and changing default login credentials to counter these threats. Organizations are urged to stay vigilant, particularly in light of the unpatched remote command injection flaw impacting D-Link DAP-X1860 range extenders (CVE-2023-45208).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises implementing appropriate mitigations to reduce the risk of volumetric DDoS attacks against websites and related web services.
