Hackers Hijack Citrix NetScaler Login Pages to Steal Credentials

Cyber Security Threat Summary:
“Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August” (Bleeping Computer, 2023). Researchers have been urging consumers to update their Citrix devices, but warn the attack surface remains significant. Last month, threat actors began exploiting CVE-2023-3519 to inject JavaScript that harvests login credentials. The credential harvesting campaign was found after IBM X-Force received reports of slow authentications on a customer's NetScaler device.

Security Officer Comments:
“Based on their investigations, the responders found that hackers breached using CVE-2023-3519 to inject a malicious credential-stealing JavaScript script into a Citrix NetScaler device's index.html login page. The attack begins with a web request that exploits vulnerable NetScaler devices to write a simple PHP web shell on "/netscaler/ns_gui/vpn." This web shell gives the attackers direct real-time access to the compromised endpoint, which they leverage to gather configuration data from the "ns.conf" file. Next, the attackers append custom HTML code onto the "index.html" file that references a remote JavaScript file, which in turn fetches and executes additional JS code” (Bleeping Computer, 2023). The remote JavaScript code is used to collect credentials, and adds a custom function to the “Log On” button on the VPN authentication page. Using HTTP POST requests, the attackers are able to exfiltrate the collected credentials. Several domains were registered and used during the campaign, including jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, and cloudjs[.]live. The researchers also identified nearly 600 unique IP addresses for NetScaler devices that had their login pages modified. Most victims were located in the United States and Europe, but compromised systems are worldwide. The earliest modified login page was found on August 11, 2023, so the campaign has likely been underway for around two months. This activity has yet to be attributed to any specific threat group, but IBM has found an artifact that can help defenders detect attacks early.

Suggested Correction(s):
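Since the visible symptom of this campaign is an index.html that references a remote JavaScript file, one quick integrity check is to parse the login page and list every script tag that loads from another host, then compare those hosts against the domains reported above. The following Python is an added example written for this summary; it is not IBM's or Citrix's code. The sample page content is constructed, and the IoC domains are the ones named in the text (refanged for matching).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a NetScaler login page with an appended remote
# script reference, modelled on the injection described above (hypothetical).
SAMPLE_INDEX_HTML = """<html><head><title>Citrix Gateway</title>
<script src="/vpn/js/gateway_login_view.js"></script>
</head><body><a id="Log_On">Log On</a>
<script src="https://jscloud.ink/loader.js"></script>
</body></html>"""

# Domains reported in the campaign (defanged in the summary, refanged here).
KNOWN_IOC_DOMAINS = {
    "jscloud.ink", "jscloud.live", "jscloud.biz", "jscdn.biz", "cloudjs.live",
}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_external_scripts(html):
    """Return script src values that point at another host.

    Relative paths such as /vpn/js/... have no netloc and are ignored;
    absolute and protocol-relative (//host/...) URLs are reported.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    return [src for src in parser.srcs if urlparse(src).netloc]


def flag_known_iocs(srcs):
    """Return (src, host) pairs whose host is, or is under, a reported domain."""
    hits = []
    for src in srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_IOC_DOMAINS or any(
            host.endswith("." + d) for d in KNOWN_IOC_DOMAINS
        ):
            hits.append((src, host))
    return hits


if __name__ == "__main__":
    # On a real appliance the page would be read from the ns_gui directory;
    # here the constructed sample stands in for it.
    external = find_external_scripts(SAMPLE_INDEX_HTML)
    print("external script references:", external)
    print("matches to reported domains:", flag_known_iocs(external))
```

Any external script reference on a gateway login page deserves a look, even when it does not match a known domain, because the domain list is only what was observed in this one campaign.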
The artifact can be found in the NetScaler application crash logs associated with the NetScaler Packet Processing Engine (NSPPE), which are located in "/var/core//NSPPE*." "X-Force observed that the NSPPE crash file timestamps aligned with the filesystem timestamps of the PHP web shells created through exploitation," reads the report. "In other instances, X-Force was able to recover commands being passed to the web shells as part of post-exploitation activities." (IBM, 2023) The crash files are stored in ".gz" archives that require extraction before analysis, while their string data contents also need to be converted to readable form using PowerShell or other tools. System administrators are advised to follow the remediation and detection guidance CISA provided here.

Link(s):
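The two checks the report describes, decompressing the NSPPE crash archives and pulling printable strings out of them, and lining up crash-file timestamps with PHP files in the vpn directory, can be scripted on a copy of the files. The Python below is an added example for this summary, not IBM's tooling; it builds a constructed directory tree standing in for /var/core and /netscaler/ns_gui/vpn, and the five-minute correlation window is an assumption chosen for illustration.

```python
import gzip
import os
import re
import tempfile
from pathlib import Path


def extract_strings(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes (like strings(1))."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def read_crash_strings(core_dir, min_len=6):
    """Decompress every NSPPE* .gz crash file under core_dir; return {path: strings}."""
    result = {}
    for path in sorted(Path(core_dir).rglob("NSPPE*.gz")):
        with gzip.open(path, "rb") as fh:
            result[str(path)] = extract_strings(fh.read(), min_len)
    return result


def correlate_timestamps(core_dir, vpn_dir, window_seconds=300):
    """Pair each NSPPE crash file with PHP files under vpn_dir written within the window.

    A PHP file under the vpn directory is itself unusual; one whose mtime sits
    next to a packet-engine crash is the pattern the report describes.
    Returns (crash_name, php_name, seconds_after_crash) tuples.
    """
    crashes = sorted(Path(core_dir).rglob("NSPPE*.gz"))
    php_files = sorted(Path(vpn_dir).rglob("*.php"))
    pairs = []
    for crash in crashes:
        crash_time = crash.stat().st_mtime
        for php in php_files:
            delta = php.stat().st_mtime - crash_time
            if abs(delta) <= window_seconds:
                pairs.append((crash.name, php.name, round(delta)))
    return pairs


def build_constructed_fixture():
    """Create a temp tree mimicking the two directories, with constructed contents."""
    root = Path(tempfile.mkdtemp())
    core = root / "var" / "core" / "1"
    vpn = root / "netscaler" / "ns_gui" / "vpn"
    core.mkdir(parents=True)
    vpn.mkdir(parents=True)
    base = 1_700_000_000  # constructed epoch time for the crash

    crash = core / "NSPPE-00-0.gz"
    with gzip.open(crash, "wb") as fh:
        fh.write(b"\x00\x01binary\x02CONSTRUCTED-SAMPLE-STRING\x00ab\x00")
    os.utime(crash, (base, base))

    recent = vpn / "constructed_recent.php"   # 42 s after the crash: correlates
    recent.write_text("<?php /* constructed placeholder */ ?>")
    os.utime(recent, (base + 42, base + 42))

    old = vpn / "constructed_old.php"         # a day earlier: outside the window
    old.write_text("<?php /* constructed placeholder */ ?>")
    os.utime(old, (base - 86400, base - 86400))
    return str(core), str(vpn)


if __name__ == "__main__":
    core_dir, vpn_dir = build_constructed_fixture()
    for path, strings in read_crash_strings(core_dir).items():
        print(path, "->", strings)
    for crash_name, php_name, delta in correlate_timestamps(core_dir, vpn_dir):
        print(f"{crash_name} and {php_name} are {delta}s apart")
```

On a real appliance, point the two functions at copies of /var/core and /netscaler/ns_gui/vpn taken for analysis; extraction is done in memory so the archives on disk are left untouched.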