Exploiting Unpatched NetScaler Instances: A Look at the Automated Campaign and Remediation Efforts

Unpatched NetScaler Instances Being Targeted

Threat actors are escalating a credential harvesting campaign targeting unpatched instances of Citrix NetScaler. The cyber attackers are exploiting a critical code injection vulnerability, CVE-2023-3519, which is unpatched in certain instances of Citrix NetScaler ADC and Gateway servers.

Exploitation of CVE-2023-3519 Vulnerability

CVE-2023-3519, rated critical with a CVSS score of 9.8, allows unauthenticated remote code execution. This means that attackers exploiting the flaw can run arbitrary code on affected systems without any user authentication. After a successful breach, the malicious actors deploy web shells and harvest users' credentials.

Scope of the Cyber Attack

The campaign is notable for its automated nature and its scale: observations suggest a sweeping, automated operation involving as many as 2,000 backdoored NetScaler instances.

Geographical Footprint of the Attack

Investigations by cyber security agencies reveal that the origins of these infections are primarily rooted in the United States and Europe, with some incursions being traced back to Asia as well. The number of unique victim IP addresses associated with this campaign surpasses 600. Interestingly, countries that reported the highest number of affected IP addresses include Germany, France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil.

Method of Attack

The attackers follow a multi-stage process to exploit CVE-2023-3519 and breach unpatched Citrix NetScaler instances.

Injection of PHP Web Shell

The initial exploit involves sending a web request that activates the memory corruption documented in CVE-2023-3519. Following this, the attackers write a simple PHP web shell to the '/netscaler/ns_gui/vpn' directory. This effectively provides the attackers interactive access via the PHP web shell and facilitates the next stage of the attack.

Appendage of Custom HTML Code

With established access, the perpetrators retrieve the 'ns.conf' file contents from the targeted device. Then, they append custom HTML code to the 'index.html' file. This custom HTML code references a remote JavaScript file hosted on attacker-controlled infrastructure. Crucially, because the malicious code is appended to the legitimate 'index.html' file, it blends in with the genuine page and is harder for the targeted system's defenses to spot.

JavaScript for Credential Harvesting

To steal user credentials, the attackers rely on a chain of JavaScript. The appended HTML code retrieves and executes further JavaScript, which attaches a custom function to the "Log On" element on the VPN authentication page. This function collects the submitted form data, including the user's username and password. As users attempt to authenticate, their credentials are sent to an attacker-controlled remote server via an HTTP POST request.
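The modifications described above (a foreign script reference appended after the real page, and a new file dropped into the vpn directory) are things a defender can check for on a suspect appliance. The following is an added example written for this article, not code from the article or from IBM X-Force; it runs over constructed sample data, and the attacker hostname, file names and known-good baseline are placeholders rather than real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample login page: one legitimate relative script, plus an
# appended external <script> after </html>, as the article describes.
# The attacker host is a placeholder, not a real indicator.
SAMPLE_INDEX_HTML = (
    "<html><head><title>Citrix Gateway</title>\n"
    '<script src="/vpn/js/gateway_login_form_view.js"></script>\n'
    "</head><body>login form here</body></html>\n"
    '<script src="https://attacker-cdn.invalid/loader.js"></script>\n'
)

# Constructed known-good baseline for the vpn directory (assumption: a real
# baseline would be taken from a clean appliance of the same build).
VPN_DIR = "/netscaler/ns_gui/vpn"
BASELINE = {f"{VPN_DIR}/index.html", f"{VPN_DIR}/js/gateway_login_form_view.js"}
OBSERVED = BASELINE | {f"{VPN_DIR}/cache.php"}  # constructed: one unexpected file

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def external_script_sources(html, own_hosts=()):
    """Return script src values that load from a host other than the appliance."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative paths such as /vpn/js/x.js
        if host and host not in own_hosts:
            hits.append(src)
    return hits


def content_after_html_close(html):
    """Return anything after the final </html>; a clean page has only whitespace there."""
    idx = html.lower().rfind("</html>")
    return "" if idx < 0 else html[idx + len("</html>"):].strip()


def files_not_in_baseline(observed, baseline):
    """Files present now but absent from the known-good baseline, e.g. a dropped web shell."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    print("external scripts:", external_script_sources(SAMPLE_INDEX_HTML, ("gw.example.com",)))
    print("content after </html>:", content_after_html_close(SAMPLE_INDEX_HTML))
    print("files not in baseline:", files_not_in_baseline(OBSERVED, BASELINE))
```

On a real appliance the same three checks would be fed the actual index.html and a directory listing, with own_hosts set to the gateway's own hostnames.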

Use of Cloudflare to Conceal Hosting Location

The attackers further obscure their activities by placing their infrastructure behind Cloudflare, masking its true hosting location. This makes it considerably harder for security teams to pinpoint the origin of the attack and hinders efforts to neutralize the threat.

Victim IP Addresses and Data Breach

The credential harvesting campaign initiated by the threat actors has led to significant data breaches, with numerous unique victim IP addresses hosting modified NetScaler Gateway login pages.

Scale of the Data Breach

More than 600 unique victim IP addresses were identified by IBM X-Force following analysis of the threat actor's command and control server. These manipulated pages, hosting the VPN login for the NetScaler Gateway, are key indicators of the scale of the breach.

Geographical Distribution of Victim IPs

The analysis revealed a large concentration of the victim IP addresses in the United States and Europe. Despite this geographical concentration, the attack had a global footprint, indicating that the threat actor did not discriminate in targeting vulnerable NetScaler Gateways.

Extent of Compromised NetScaler Instances

Shadowserver's scans corroborated the extent of the attack. Their data indicated that at least 285 NetScaler instances were compromised as part of this credential harvesting campaign. The attackers have likely sought to compromise as many vulnerable NetScaler Gateways as possible, which accounts for the large number of breached instances.

Recommendations for Remediation

Given the severity of the identified credential harvesting campaign against unpatched NetScaler instances, there are certain key remediation actions that organizations can adopt to mitigate the risk and potential impact of such attacks.

Patching of NetScaler Gateways

The first and foremost recommended action is to ensure all NetScaler Gateways are promptly updated with the latest security patches provided by Citrix. Patching the instances can address the vulnerability CVE-2023-3519 being exploited by the threat actors and significantly reduce the risk of breaches.

Changing Certificates and Passwords

Another essential part of the remediation efforts involves changing all the passwords and certificates. This step is particularly necessary for the affected NetScaler instances that had previously been compromised. By changing passwords and certificates, organizations can prevent the attacker from continuing to access their systems even if the vulnerability has been patched.

IBM’s Role in Identifying Threat Indicators

IBM X-Force has been instrumental in providing indicators of compromise to aid organizations in hunting potential targeting within their NetScaler instances. Leveraging these indicators can assist in the early detection of potential breaches and the timely implementation of countermeasures to minimize the impact and spread of the attack.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
