Months after Citrix warned users about a NetScaler critical zero-day vulnerability, threat actors launched a new wave of attacks exploiting the flaw. Tracked as CVE-2023-3519, the vulnerability could result in unauthenticated remote code execution. Cybersixgill recently detected threat actors on a popular cybercrime forum renewing chatter about CVE-2023-3519.
The vulnerability relates to code injection processes that could be used for unauthenticated remote code execution (RCE). The red flag leading to the campaign’s discovery was slow authentication on victims’ NetScaler devices.
Researchers discovered close to 600 unique IP addresses for NetScaler devices that had login pages modified for the credential-theft campaign. While the majority of compromised devices were located in Europe and the U.S., there were affected systems detected across the globe. Citrix first acknowledged CVE-2023-3519 in July 2023, warning users that threat actors were actively exploiting the vulnerability in the wild. In August 2023, a proof of concept (PoC) for CVE-2023-3519 surfaced, which increased the potential for attacks exploiting the flaw.
According to researchers, devices must be configured as either a Gateway or as an authorization and accounting (AAA) virtual server for threat actors to exploit them. Citrix released patches for multiple affected versions of the products. Cybersixgill’s CVEs Scoring Mechanisms assigned CVE-2023-3519 its highest score (9.78) on July 25, 2023, with the Common Vulnerability Scoring System (CVSS) reaching 9.8 by August 4, 2023. In the past, Citrix vulnerabilities have been exploited by leading threat groups, including a prolific ransomware operation that leaked data stolen from the Municipality of Zwijndrecht (Belgium) in November 2022. Attackers in that case breached the police's network through vulnerable Citrix endpoints, pulling off one of the biggest breaches to date on a Belgian government entity. Among the leaked data were thousands of citizens’ license plate numbers and documents related to investigations, fines, crime reports, and employee records, among other information.
The Cybersixgill Investigative Portal collected a post reflecting renewed chatter related to CVE-2023-3519 among threat actors on a popular cybercrime forum. In the post below (Figure 1), a highly active threat actor posted an item called a CVE-2023-3519 Citrix Exploit Inspector, which appears to be related to a PoC for the vulnerability. The post also appears to be an attempt to promote a dark web store that the account operates, which sells illegal items such as PayPal logs, scam methods, and hacking courses, among other items.
The PoC advertised in the post received nearly universal positive praise from other forum members and the post illustrates the ongoing danger posed by vulnerabilities when systems remain unpatched. Indeed, CVE-2023-3519 was disclosed three months ago and patches were released, but threat actors continue to exploit the flaw. Effective PoCs for the vulnerability also appear to remain in demand based on the discussion in the post below. PoCs for vulnerabilities such as CVE-2023-3519 may also serve as prime bait for threat actors attempting to lure customers to illicit market places.
Figure 1: A forum member advertises a PoC for the CVE-2023-3519 vulnerability
Figure 2: The forum member’s store on the dark web
The severity of CVE-2023-3519 and the new campaign observed leveraging it means that chatter on the underground may increase, as threat actors historically have tried to monetize similar vulnerabilities in various ways. Indeed, it is highly anticipated that cybercriminals will continue to try to exploit CVE-2023-3519.
Therefore, all organizations must prepare for such scenarios and bolster their systems’ security by implementing the following best practices:
· Create data copies and backups on external servers that are isolated from the business network to reduce the impact of possible ransomware attacks.
· Run the most updated and safest versions of all computing elements, and immediately patch all vulnerable products as soon as a vulnerability is disclosed.
· Use vulnerability research teams to proactively detect potential vulnerabilities residing on corporate networks that could be exploited by ransomware gangs and immediately mitigate risks.
· Instruct employees not to click on links or attachments from suspicious emails and implement regular security training to raise awareness so that social engineering attacks can be thwarted.
 Citrix Workspace provides a cloud-based, no-VPN product for accessing intranet web, SaaS, mobile, and virtual applications over various types of networks.
 NetScaler Application Delivery Controller (ADC) is a networking appliance to improve performance, security, and resiliency of applications delivered over the web. NetScaler Gateway is a component of ADC that consolidates remote access infrastructure. The vulnerability affects NetScaler ADC and NetScaler Gateway versions 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 12.1 ( end-of-life), in addition to NetScaler ADC (versions 13.1-FIPS before 13.1-37.159 and 12.1-FIPS before 12.1-55.297) and NetScaler ADC 12.1-NDcPP before 12.1-55.297.
 Threat actors use remote code execution to control systems and networks to which they lack direct access.
 To be affected, devices must be configured as VPN virtual servers, ICA Proxies, CVPNs, or RDP Proxies, according to researchers.
 The CVEs score has since dropped significantly due to decreased chatter after vulnerable systems were patched, however, this score may now rise again.