Researchers have reported that threat actors are conducting a large-scale credential harvesting campaign exploiting the recent CVE-2023-3519 vulnerability in Citrix NetScaler Gateways.
At the end of July, Citrix warned customers that the CVE-2023-3519 flaw in NetScaler Application Delivery Controller (ADC) and Gateway is being actively exploited in the wild using the code injection vulnerability that could result in unauthenticated remote code execution. Successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
The U.S. CISA warned of cyber-attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting the zero-day CVE-2023-3519. The Agency revealed that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization and are exploiting the vulnerability to drop web shells on vulnerable systems.
Researchers identified multiple domains used as part of this campaign, the domains were registered on August 5th, 6th, and 14th, and leveraging Cloudflare to mask where the domains were hosted and identified the C2 infrastructure used by the threat actors, then they were able to identify almost 600 unique victim IP addresses hosting modified NetScaler Gateway login pages. Most of the victims are in the United States and Europe.
The analysis reveals that the NetScaler Gateway login pages were first modified on August 11, 2023, suggesting that this date might mark the commencement of the campaign. The researchers were not able to link this campaign to any known threat group.
This latest research was documented by the researchers from IBM X-Force
Indicators of Compromise