Attacks on NetScaler Gateways aim for user credentials

Threat actors are continuing to attack a critical 9.8 vulnerability in unpatched NetScaler Gateways and then insert malicious scripts into the HTML content of the authentication web page to capture user credentials.

The vulnerability — CVE-2023-3519 — was first reported in July when the Cybersecurity and Infrastructure Security Agency (CISA) put the bug on its Known Exploited Vulnerabilities (KEV) catalog.

CISA said in its July advisory that in June of this year, threat actors exploited the bug as a zero-day to drop a Webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The Webshell let the threat actors perform discovery on the victim’s Active Directory (AD) and exfiltrate AD data. CISA said the actors attempted to move laterally to a domain controller, but network segmentation controls for the appliance blocked any movement.

Other attacks were reported on in August, and on Oct. 6, IBM’s X-Force reported that they observed a new malicious campaign that targeted NetScaler devices in an attempt to steal user credentials.

Click for more special coverage

“The campaign is another example of increased interest from cyber criminals in credentials,” wrote the X-Force researchers. “The 2023 X-Force cloud threat report found that 67% of cloud-related incident response engagements were associated with the use of stolen credentials.”

While public reporting has highlighted how various threat actors have exploited these vulnerabilities, including suspected Chinese threat actors and the financially motivated FIN8, X-Force said it has not observed follow-on activity and was unable to attribute this recent campaign at this time.

Time to patch

As this is an actively exploited vulnerability in the wild, administrators should immediately patch, and they should also check to see if there were any signs of a breach, said Irfan Asrar, director of threat research at Qualys.

“We have seen a lot of cases where administrators have patched, yet failed to realize that actors had already breached the enterprise,” said Asrar. “A large number of the targeted users are based in North America.”

Joseph Carson, chief security scientist and Advisory CISO at Delinea, said the attacks on NetScaler devices are another reminder that credentials are a top target, and it’s critical to ensure that passwords are not the only security control protecting access. Carson said cybercriminals will look to sell off validated credentials or use them to deploy malicious software, such as ransomware. 

“Organizations that have internet-facing systems and applications should ensure that any credentials used should have strong security controls in addition to passwords, such as multi-factor authentication and privileged access security ensuring that it is difficult for attackers to abuse these systems even if they are able to harvest credentials from vulnerable software,” said Carson. “It’s also a strong reminder to never reuse credentials for multiple applications as one compromised account could open the doors to other accounts.”