november 2023

Zero-day Citrix vulnerability exploited in new wave of attacks

Months after Citrix warned users about a NetScaler critical zero-day vulnerability, threat actors launched a new wave of attacks exploiting the flaw. Tracked as CVE-2023-3519, the vulnerability could result in unauthenticated remote code execution. Cybersixgill recently detected threat actors on a popular cybercrime forum renewing chatter about CVE-2023-3519.



Threat actors are leveraging a critical security flaw (CVE-2023-3519) in Citrix’s[1] NetScaler Application Delivery Controller (ADC) and Gateway[2] products, launching a recently discovered wave of cyber attacks. Researchers determined that CVE-2023-3519 is being exploited to inject credentials-harvesting JavaScript[3] code into Citrix NetScaler devices via malicious websites.

The vulnerability relates to code injection processes that could be used for unauthenticated remote code execution[4] (RCE). The red flag leading to the campaign’s discovery was slow authentication on victims’ NetScaler devices.

Researchers discovered close to 600 unique IP addresses for NetScaler devices that had login pages modified for the credential-theft campaign. While the majority of compromised devices were located in Europe and the U.S., there were affected systems detected across the globe. Citrix first acknowledged CVE-2023-3519 in July 2023, warning users that threat actors were actively exploiting the vulnerability in the wild. In August 2023, a proof of concept (PoC) for CVE-2023-3519 surfaced, which increased the potential for attacks exploiting the flaw.

According to researchers, devices must be configured as either a Gateway[5] or as an authorization and accounting (AAA) virtual server for threat actors to exploit them. Citrix released patches for multiple affected versions of the products. Cybersixgill’s CVEs Scoring Mechanisms assigned CVE-2023-3519 its highest score (9.78) on July 25, 2023,[6] with the Common Vulnerability Scoring System (CVSS) reaching 9.8 by August 4, 2023. In the past, Citrix vulnerabilities have been exploited by leading threat groups, including a prolific ransomware operation that leaked data stolen from the Municipality of Zwijndrecht (Belgium) in November 2022. Attackers in that case breached the police's network through vulnerable Citrix endpoints, pulling off one of the biggest breaches to date on a Belgian government entity. Among the leaked data were thousands of citizens’ license plate numbers and documents related to investigations, fines, crime reports, and employee records, among other information.



The Cybersixgill Investigative Portal collected a post reflecting renewed chatter related to CVE-2023-3519 among threat actors on a popular cybercrime forum. In the post below (Figure 1), a highly active threat actor posted an item called a CVE-2023-3519 Citrix Exploit Inspector, which appears to be related to a PoC for the vulnerability. The post also appears to be an attempt to promote a dark web store that the account operates, which sells illegal items such as PayPal logs, scam methods, and hacking courses, among other items.

The PoC advertised in the post received nearly universal positive praise from other forum members and the post illustrates the ongoing danger posed by vulnerabilities when systems remain unpatched. Indeed, CVE-2023-3519 was disclosed three months ago and patches were released, but threat actors continue to exploit the flaw. Effective PoCs for the vulnerability also appear to remain in demand based on the discussion in the post below. PoCs for vulnerabilities such as CVE-2023-3519 may also serve as prime bait for threat actors attempting to lure customers to illicit market places.

zero day screenshot 1Figure 1: A forum member advertises a PoC for the CVE-2023-3519 vulnerability

  zero day screenshot 2Figure 2: The forum member’s store on the dark web



The severity of CVE-2023-3519 and the new campaign observed leveraging it means that chatter on the underground may increase, as threat actors historically have tried to monetize similar vulnerabilities in various ways. Indeed, it is highly anticipated that cybercriminals will continue to try to exploit CVE-2023-3519.

Therefore, all organizations must prepare for such scenarios and bolster their systems’ security by implementing the following best practices:

·        Create data copies and backups on external servers that are isolated from the business network to reduce the impact of possible ransomware attacks.

·        Run the most updated and safest versions of all computing elements, and immediately patch all vulnerable products as soon as a vulnerability is disclosed.

·        Use vulnerability research teams to proactively detect potential vulnerabilities residing on corporate networks that could be exploited by ransomware gangs and immediately mitigate risks.

·        Instruct employees not to click on links or attachments from suspicious emails and implement regular security training to raise awareness so that social engineering attacks can be thwarted.

[1] Citrix Workspace provides a cloud-based, no-VPN product for accessing intranet web, SaaS, mobile, and virtual applications over various types of networks.

[2] NetScaler Application Delivery Controller (ADC) is a networking appliance to improve performance, security, and resiliency of applications delivered over the web. NetScaler Gateway is a component of ADC that consolidates remote access infrastructure. The vulnerability affects NetScaler ADC and NetScaler Gateway versions 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 12.1 ( end-of-life), in addition to NetScaler ADC (versions 13.1-FIPS before 13.1-37.159 and 12.1-FIPS before 12.1-55.297) and NetScaler ADC 12.1-NDcPP before 12.1-55.297.

[3] JavaScript is an object-oriented programming language for web development to add interactivity and dynamic functionality, which is supported by virtually all web browsers. Malicious JavaScript code can capture user input, including login credentials, and send them to an attacker

[4] Threat actors use remote code execution to control systems and networks to which they lack direct access.

[5] To be affected, devices must be configured as VPN virtual servers, ICA Proxies, CVPNs, or RDP Proxies, according to researchers.

[6] The CVEs score has since dropped significantly due to decreased chatter after vulnerable systems were patched, however, this score may now rise again.

You may also like

Ransomhub June BTH

June 10, 2024

Stolen Data from US Telecom Company Frontier is Auctioned by RansomHub

Read more
Lockbit June BTH

June 10, 2024

FBI Encourages LockBit Victims to Claim Decryption Keys

Read more
BreachForums June BTH

June 10, 2024

590Million Customers Affected by 2 Major Attacks: Data Released on BreachForums

Read more