securityintelligence.com
Open in
urlscan Pro
2606:4700::6812:18f1
Public Scan
Submitted URL: https://t.co/I8CkOFbghN
Effective URL: https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
Submission: On November 04 via api from IN — Scanned from US
Effective URL: https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
Submission: On November 04 via api from IN — Scanned from US
Form analysis
1 forms found in the DOMGET /
<form id="search" class="search " method="GET" action="/" target="_top" tabindex="-1">
<amp-autocomplete filter="prefix" src="https://securityintelligence.com/wp-content/themes/sapphire/app/jsons/suggestions.json" suggest-first="" submit-on-enter="" on="select:search.submit" tabindex="-1"
class="i-amphtml-element i-amphtml-layout-container i-amphtml-built i-amphtml-layout" i-amphtml-layout="container" role="combobox" aria-haspopup="listbox" aria-expanded="false" aria-owns="96_AMP_content_">
<input id="search__input" tabindex="-1" type="text" name="s" autocomplete="off" placeholder="What would you like to search for?" aria-label="Search" oninput="validateInput(this)" required="" dir="auto" aria-autocomplete="both" role="textbox"
aria-controls="96_AMP_content_" aria-multiline="false">
<div class="i-amphtml-autocomplete-results" role="listbox" id="96_AMP_content_" hidden=""></div>
</amp-autocomplete>
<button tabindex="-1" value="submit" type="submit" class="search__submit" aria-label="Click to search">
<amp-img width="20" height="20" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Search"
class="i-amphtml-element i-amphtml-layout-responsive i-amphtml-layout-size-defined i-amphtml-built i-amphtml-layout" i-amphtml-layout="responsive"><i-amphtml-sizer slot="i-amphtml-svc" style="padding-top: 100%;"></i-amphtml-sizer><img
decoding="async" alt="Search" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" class="i-amphtml-fill-content i-amphtml-replaced-content"></amp-img>
<span>Search</span>
</button>
<button tabindex="-1" value="reset" class="search__close" type="reset" aria-labelledby="search" on="tap:search.toggleClass(class='megamenu__open')" role="link">
<amp-img width="14" height="14" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/close.svg" alt="Close"
class="i-amphtml-element i-amphtml-layout-responsive i-amphtml-layout-size-defined i-amphtml-built i-amphtml-layout" i-amphtml-layout="responsive"><i-amphtml-sizer slot="i-amphtml-svc" style="padding-top: 100%;"></i-amphtml-sizer><img
decoding="async" alt="Close" src="https://securityintelligence.com/wp-content/themes/sapphire/images/close.svg" class="i-amphtml-fill-content i-amphtml-replaced-content"></amp-img>
</button>
</form>
Text Content
SECURITY INTELLIGENCE News Topics X-Force Podcast News Topics Threat Research Podcast Search {{#articles}} {{TITLE}} {{/articles}} View All News Application Security Artificial Intelligence CISO Cloud Security Data Protection Endpoint Fraud Protection Identity & Access Incident Response Mainframe Network Risk Management Intelligence & Analytics Security Services Threat Hunting Zero Trust Infographic: Zero trust policy Timeline: Local Government Cyberattacks Industries Banking & Finance Energy & Utility Government Healthcare View All Topics {{#articles}} {{TITLE}} {{/articles}} View More From X-Force {{#articles}} {{TITLE}} {{/articles}} View All Episodes News TOPICS All Categories Application Security Identity & Access Artificial Intelligence Incident Response CISO Mainframe Cloud Security Mobile Security Data Protection Network Endpoint Risk Management Fraud Protection Threat Hunting Security Services Security Intelligence & Analytics Industries Banking & Finance Energy & Utility Government Healthcare X-Force Podcast X-FORCE UNCOVERS GLOBAL NETSCALER GATEWAY CREDENTIAL HARVESTING CAMPAIGN Light Dark -------------------------------------------------------------------------------- October 6, 2023 By John Dwyer Richard Emerson 6 min read -------------------------------------------------------------------------------- Defensive Security Incident Response Security Services X-Force -------------------------------------------------------------------------------- This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related incident response engagements were associated with the use of stolen credentials. In response to the widespread exploitation of CVE-2023-3519 CISA released an advisory document containing guidance on detection, incident response, mitigations and validating security controls. However, through multiple incident response investigations, X-Force discovered a new exploitation artifact related to CVE2-2023-3519 and developed additional guidance to be used in conjunction with CISA’s detection and response recommendations. This post will cover the initial incident that led to uncovering the larger campaign, the credential harvesting campaign, as well as the new artifact, considerations and recommendations for responding to remediating an incident involving CVE-2023-3519. INCIDENT OVERVIEW X-Force identified the campaign through an incident response engagement where a client had discovered the script after investigating reports of slow authentications on the NetScaler device. The script which is appended to the legitimate “index.html” file loads an additional remote JavaScript file that attaches a function to the “Log On” element in the VPN authentication page that collects the username and password information and sends it to a remote server during authentication. As part of the initial exploit chain, the attackers sent a web request to “/gwtest/formssso? event=start&target=” triggering the memory corruption documented in CVE-2023-3519 to write a simple PHP web shell to /netscaler/ns_gui/vpn. With interactive access established through the PHP web shell, the attacker retrieved the contents of the “ns.conf” file on the device and appended custom HTML code to “index.html” which references a remote JavaScript file hosted on attacker-controlled infrastructure. To facilitate the credential harvesting, the JavaScript code appended to “index.html” retrieves and executes additional JavaScript code that attaches a custom function to the “Log_On” element which collects the form data containing the username and password information and sends it to a remote host through a HTTP POST method upon authentication. LARGER CREDENTIAL HARVESTING CAMPAIGN From that initial engagement, X-Force identified multiple domains created by the threat actor – jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz, and cloudjs[.]live – registered on August 5th, 6th and 14th, and leveraging Cloudflare to mask where the domains were hosted. After identifying the threat actor’s C2, X-Force was able to identify almost 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with concentrations in the United States and Europe. The earliest modification time stamp X-Force has identified for NetScaler Gateway login pages is on August 11th, 2023, although the campaign could have begun closer to when the domains were registered. Despite variations in the URL, all domains hosted an almost identical JavaScript file, with the only difference being the C2 domain listed in the file, and all captured credentials were sent to the same URI “/items/accounts/“. X-Force has also observed in some instances the threat actor appending the same URL, or a URL using one of the other domains, to the same victim login page, indicating this threat actor is likely opportunistically compromising vulnerable NetScaler Gateways. While public reporting has highlighted how various threat actors, including suspected Chinese threat actors and FIN8, have exploited these vulnerabilities, X-Force has not observed follow-on activity and is unable to attribute this campaign at this time. CVE-2023-3519 DETECTION AND INVESTIGATION GUIDANCE Considerations for evidence collection from NetScaler device: In the default configuration, the NetScaler device will rewrite the “ns_gui” folder upon boot resulting in the directory being destroyed during shutdown. Throughout various investigations, X-Force has recovered valuable evidence from the “ns_gui” directory including samples of web shells and modified versions of “index.html”. Organizations should be careful not to shut down the device prior to collecting an image or other evidence. New artifact for CVE-2023-3519 detection: NetScaler application crash logs Through X-Force incident response engagements involving CVE-2023-3519, X-Force analysts identified that the NetScaler Packet Processing Engine (NSPPE) crash files can contain evidence of the exploitation of the vulnerability. The crash files are located with “/var/core/<number>/NSPPE*”. Similar to the default log files on the NetScaler device, the crash files are stored in “.gz” archives so they will need to be extracted prior to analysis. Crash file path example: /var/core/6/NSPPE-01-9502.gz The crash files are not human readable by default however X-Force discovered that the crash files do contain string data that can be extracted using strings, PowerShell or any other tool that can print the strings of printable characters in files. X-Forced observed that the NSPPE crash file timestamps aligned with the filesystem timestamps of the PHP web shells created through exploitation. In other instances, X-Force was able to recover commands being passed to the web shells as part of post-exploitation activities. Note on NetScaler log backups: X-Force has observed that the default NetScaler audit configuration is to leverage circular logging and retain the last 25 log files with a maximum size of 100 Kb. When logs are rolled, NetScaler will retain older log files in “.gz” archives. X-Force has observed that some of the available CVE-2023-3519 detection tools available on the Internet, do not consider the log data within the “.gz” archives. Organizations should ensure to extract the log files from the archives or leverage a tool such as “zgrep” which can search within compressed files. Considerations for detection strategies within NetScaler access logs: X-Force recreated the exploit for CVE-2023-3519 by sending a GET request to “https://<VulnerableGateway>/gwtest/formssso?event=start&target=” however X-Force was not able to recover a record of any of the web requests associated with exploitation attempts in the access logs. It is not clear whether the lack of a log entry for the connection to the “formssso” endpoint is due to a configuration issue on the X-Force test instance or if the “formssso” does not log connections by design. X-Force recommends that clients analyze the following log sources for evidence of post-exploitation activity in the following files with a particular focus on identifying entries indicative of interacting with a web shell: * /var/log/httpaccess.log * /var/log/httperror.log * /var/log/httpaccess-vpn.log X-Force recommends that organizations assess their access logs for POST/GET requests and anomalous PHP files. Examples of post-exploitation interactions with a PHP web shell observed by X-Force: While during exploitation tests, X-Force was not able to recover the details of the commands executed via the PHP web shells recovered from incident response engagements with the access logs, X-Force still recommends organizations assess their NetScaler access logs for evidence of command execution in the event different web shells were used. Considerations for detection strategies within NetScaler command history logs: The CISA advisory recommends organizations assess bash.log and sh.log for evidence of malicious activity leveraging the following keywords: * database.php * ns_gui/vpn * /flash/nsconfig/keys/updated * LDAPTLS_REQCERT * ldapsearch * openssl + salt In addition to the CISA advisory, X-Force recommends organizations also consider assessing “/var/log/notice.log”, “/var/log/bash.log” and” /var/log/sh.log” (including the associated rollover “.gz” archives) for signs of post-exploitation activity using the following additional keywords: * Whoami * base64 –decode * /flash/Nsconfig/keys * &>> index.html * echo <?php * echo <script * /nsconfig/ns.conf It is important for organizations to analyze command history logs in the correct context of the attacker’s operations. Evidence gathered from command history within the context of an attack involving CVE-2023-3519 will be focused on post-exploitation activity. Organizations should analyze process execution data sources (including command history logs on the device) for commands associated with reconnaissance, credential harvesting, lateral movement and downloading/uploading of data and not restrict their assessment to just what is provided within the keywords. Considerations for remediation: As noted in the CISA advisory, attackers were observed viewing NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf which “contain an encrypted password that can be decrypted by the key stored on the ADC appliance”. X-Force also noted that there were multiple credentials and certificates stored in the NetScaler configuration files so organizations should consider changing certificates as well as all passwords as part of incident remediation. Indicators Indicator Indicator Type Context jscloud[.]ink Domain C2 jscloud[.]live Domain C2 jscloud[.]biz Domain C2 jscdn[.]biz Domain C2 cloudjs[.]live Domain C2 cloud-js[.]cloud Domain C2 Scroll to view full table References * https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a * https://www.mandiant.com/resources/blog/citrix-zero-day-espionage * https://twitter.com/SophosXOps/status/1695143572272738790 To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler. If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Data Protection | Identity and Access Management (IAM) | Password Protection | threat hunting | Threat Management | X-Force John Dwyer Head of Research, IBM Security X-Force Richard Emerson Cyber Threat Intelligence Analyst Continue Reading POPULAR Artificial Intelligence October 23, 2024 AI HALLUCINATIONS CAN POSE A RISK TO YOUR CYBERSECURITY 4 min read - In early 2023, Google’s Bard made headlines for a pretty big mistake, which we now call an AI hallucination. During a demo, the chatbot was asked, “What new discoveries from the James Webb Space Telescope can I tell my 9-year-old… Data Protection October 24, 2024 3 PROVEN USE CASES FOR AI IN PREVENTATIVE CYBERSECURITY 3 min read - IBM’s Cost of a Data Breach Report 2024 highlights a ground-breaking finding: The application of AI-powered automation in prevention has saved organizations an average of $2.2 million. Enterprises have been using AI for years in detection, investigation and response. However,… Data Protection October 29, 2024 WHY SAFEGUARDING SENSITIVE DATA IS SO CRUCIAL 4 min read - A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other. The story began when security researcher Jeremiah Fowler discovered an unsecured… MORE FROM DEFENSIVE SECURITY March 6, 2024 WHY FEDERAL AGENCIES NEED A MISSION-CENTERED CYBER RESPONSE 4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move… August 9, 2023 X-FORCE RELEASES DETECTION & RESPONSE FRAMEWORK FOR MANAGED FILE TRANSFER SOFTWARE 5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.… July 18, 2023 X-FORCE CERTIFIED CONTAINMENT: RESPONDING TO AD CS ATTACKS 6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled… TOPIC UPDATES Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research. Subscribe today Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats. Cybersecurity News By Topic By Industry Exclusive Series X-Force Podcast Events Contact About Us Follow us on social © 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences Sponsored by si-icon-eightbarfeature IBM web domains ibm.com, ibm.org, ibm-zcouncil.com, insights-on-business.com, jazz.net, mobilebusinessinsights.com, promontory.com, proveit.com, ptech.org, s81c.com, securityintelligence.com, skillsbuild.org, softlayer.com, storagecommunity.org, think-exchange.com, thoughtsoncloud.com, alphaevents.webcasts.com, ibm-cloud.github.io, ibmbigdatahub.com, bluemix.net, mybluemix.net, ibm.net, ibmcloud.com, galasa.dev, blueworkslive.com, swiss-quantum.ch, blueworkslive.com, cloudant.com, ibm.ie, ibm.fr, ibm.com.br, ibm.co, ibm.ca, community.watsonanalytics.com, datapower.com, skills.yourlearning.ibm.com, bluewolf.com, carbondesignsystem.com About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your cookie preferences options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here. Accept all Required only Cookie Preferences