X-Force uncovered a global NetScaler Gateway credential harvesting campaign that exploits CVE-2023-3519 to inject a credential-harvesting script into the gateway's authentication page. The attackers relied on attacker-controlled domains and web shells for post-exploitation and credential exfiltration; NSPPE crash artifacts left on the appliance preserve evidence of the exploitation. The report includes detailed detection and remediation guidance.
Keypoints
- X-Force uncovered a campaign exploiting CVE-2023-3519 against NetScaler Gateways to insert a malicious script into the authentication page to harvest credentials.
- The attackers appended HTML/JavaScript to index.html and loaded a remote JavaScript file that grabs username/password data during login.
- A set of attacker-controlled domains (jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, cloudjs[.]live, among others) served as C2, hosting the remote JavaScript and funnelling harvested credentials to a single URI.
- Approximately 600 victim IPs across the United States and Europe were observed with modified NetScaler login pages appearing from August 2023 onward.
- New artifacts include NSPPE crash dumps (/var/core/*/NSPPE*, e.g. /var/core/6/NSPPE-01-9502.gz) that can contain evidence of exploitation and post-exploitation activity; they are stored gzip-compressed and must be extracted before they can be searched.
- IBM X-Force provides detection and remediation guidance, including examining NetScaler logs, backups, and specific log files for post-exploitation indicators, and recommends credential and certificate changes during remediation.
- Attribution remains uncertain; while public reports mention Chinese actors and FIN8, X-Force did not observe follow-on activity or definitive attribution for this campaign.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – CVE-2023-3519 is exploited to write a PHP web shell on the NetScaler device: “…triggering the memory corruption documented in CVE-2023-3519 to write a simple PHP web shell to /netscaler/ns_gui/vpn.”
- [T1105] Ingress Tool Transfer – The attackers load an additional remote JavaScript file from attacker-controlled infrastructure: “…loads an additional remote JavaScript file that attaches a function to the ‘Log On’ element in the VPN authentication page…”
- [T1056.003] Input Capture (Web Forms) – The injected script collects credentials from the login form and sends them to the attacker: “…collects the username and password information and sends it to a remote server during authentication.”
- [T1005] Data from Local System – The attacker retrieves local configuration data (ns.conf) from the device: “…retrieved the contents of the ‘ns.conf’ file on the device…”
Indicators of Compromise
- [Domain] C2 – six attacker-controlled domains, among them jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz and cloudjs[.]live – C2 infrastructure used to host the malicious JavaScript and receive exfiltrated credentials
- [URL] Exploitation attempt – https://<VulnerableGateway>/gwtest/formssso?event=start&target=
- [File Path] NSPPE crash logs – /var/core/6/NSPPE-01-9502.gz
- [File Path] Web shell traces and modified index.html evidence – rotated logs under /var/log (gzip-compressed, extract before searching) and the VPN login page's index.html, checked for appended HTML/JavaScript
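The two checks the keypoints and indicator list above call for, as an added example (this is not X-Force's tooling or any NetScaler-supplied script): flag `<script>` tags on the login page that load from a host other than the gateway itself, and search gzip-compressed logs or crash files for the campaign's indicator strings. The sample page, the sample access-log lines (in a generic combined-log layout, not the exact NetScaler format), the gateway hostname `vpn.example.com` and the file name `example.js` are all constructed for the demonstration; only the domains, the `/gwtest/formssso?event=start` URI and the `/netscaler/ns_gui/vpn` path come from the page.

```python
import gzip
from pathlib import Path
import re
from urllib.parse import urlparse

# Indicators from the report summary above. Defanged on the page; written
# plainly here because they are used only as match strings.
C2_DOMAINS = ("jscloud.ink", "jscloud.live", "jscloud.biz", "jscdn.biz", "cloudjs.live")
EXPLOIT_URI = "/gwtest/formssso?event=start"
WEBSHELL_DIR = "/netscaler/ns_gui/vpn"
INDICATORS = C2_DOMAINS + (EXPLOIT_URI, WEBSHELL_DIR)

# <script ... src="..."> in either quote style, any attribute order.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_remote_scripts(index_html, gateway_host):
    """Return (src, known_c2) for every <script> whose src points at a host
    other than the gateway. The stock login page loads its scripts with
    relative paths, so any absolute or scheme-relative src is the appended
    loader described in the report; known_c2 marks the listed domains."""
    hits = []
    for src in SCRIPT_SRC.findall(index_html):
        host = urlparse(src).hostname  # None for relative paths
        if host is None or host.lower() == gateway_host.lower():
            continue
        known = any(host.lower() == d or host.lower().endswith("." + d) for d in C2_DOMAINS)
        hits.append((src, known))
    return hits


def scan_log(raw, name):
    """Decompress gzip data if needed (magic bytes 1f 8b) and return
    (name, line_number, indicator) for every indicator hit. Undecodable
    bytes are replaced, so the same routine works on NSPPE crash dumps."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    text = raw.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for indicator in INDICATORS:
            if indicator in lowered:
                findings.append((name, lineno, indicator))
    return findings


def scan_tree(root):
    """Run scan_log over every file below root, e.g. a copy of /var/log and
    /var/core pulled off the appliance onto an analysis host."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings.extend(scan_log(path.read_bytes(), str(path)))
    return findings


# --- constructed sample data (not captured from a real device) ---
SAMPLE_INDEX_HTML = """<html><head>
<script src="/vpn/js/gateway_login_form_view.js"></script>
</head><body>
<form><input name="login"><input name="passwd"><button>Log On</button></form>
<script src="https://jscloud.ink/example.js"></script>
</body></html>"""

SAMPLE_LOG_LINES = (
    '203.0.113.9 - - [12/Aug/2023:10:15:22 +0000] "POST /gwtest/formssso?event=start&target= HTTP/1.1" 200 512\n'
    '203.0.113.9 - - [12/Aug/2023:10:16:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 8192\n'
    '203.0.113.9 - - [12/Aug/2023:10:17:40 +0000] "GET /netscaler/ns_gui/vpn/shell.php HTTP/1.1" 200 64\n'
)
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG_LINES.encode())  # stands in for a rotated .gz log


if __name__ == "__main__":
    for src, known in find_remote_scripts(SAMPLE_INDEX_HTML, "vpn.example.com"):
        print(f"external script: {src} (known C2: {known})")
    for name, lineno, indicator in scan_log(SAMPLE_LOG_GZ, "httpaccess.log.gz"):
        print(f"{name}:{lineno}: {indicator}")
```

Copy the logs, crash files and index.html off the appliance and run the checks on a separate host; a device that has been running a web shell cannot be trusted to report on itself. A clean index.html does not clear a gateway on its own, since the attackers also held shell access, and any hit should be followed by the credential and certificate rotation the report recommends.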