New global NetScaler Gateway credential harvesting campaign uncovered

News
By
published

Hackers are abusing a high-severity flaw to deliver malicious scripts

Passwords
Image Credit: Shutterstock (Image credit: Shutterstock)

Hackers have been observed abusing a critical vulnerability in a secure remote access tool to harvest people’s login credentials.

Cybersecurity researchers from X-Force discovered unnamed threat actors abusing a critical vulnerability in NetScaler Gateways to steal people’s passwords, which can later be used in stage-two attacks. As per the report, hackers were targeting endpoints vulnerable to CVE-2023-3519, inserting malicious scripts into the HTML content of the authentication web page. This allowed them to grab and exfiltrate login data.

After being tipped off by a client who’s experienced slow authentications on its NetScaler devices, X-Force’s investigation found the malicious script, and later found multiple domains the attackers generated. The domains were registered in early August this year, leading the researchers to conclude the campaign was a few months old.

Hundreds of victims

X-Force found almost 600 unique IP addresses hosting compromised NetScaler Gateway login pages and exfiltrating login credentials to the hackers’ command & control (C2) server. 

So far, no one tried to sell or use the data obtained in this campaign, making it impossible for the researchers to identify the group behind the attack. X-Force does state that there had been similar examples in the past, when Chinese state actors, as well as financially motivated groups such as FIN8, exploited these vulnerabilities.

Even though they’ve been around since the dawn of the digital age, passwords are still considered one of the weakest links in any cybersecurity chain. People create weak passwords that are easy to guess, use the same passwords across multiple services, and rarely change them. All this makes them a prime target, as hackers can easily move into a network and use the access to steal sensitive data, engage in phishing, deploy malware and ransomware, and more. 

X-Force’s 2023 Cloud Threat Report found that more than two-thirds (67%) of all cloud-related incident response engagements were linked to the use of stolen credentials.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Someone checking their credit card details online.
Hackers use CAPTCHA scam in PDF files on Webflow CDN to get past security systems
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
Cyber-security
Top file-sharing tools are being hit by security attacks once again
China
Salt Typhoon hackers used this clever technique to attack US networks
China
Chinese hackers develop effective new hacking technique to go after business networks
Latest in Security
A TV remote pointing at YouTube logo
YouTube warns of phishing video using its CEO as bait
China
Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
BadBox malware hit after infecting over 500,000 Android devices
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Latest in News
Fujfilm GFX 50R
First Fujifilm GFX100RF images leaked in build-up to expected reveal – here’s what they tell us about the unique premium compact camera
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip 7 could have a Motorola Razr-style full-sized cover screen – and I think it’s about time
Spotify logo on a mobile device
Had Spotify problems recently? It's clamped down on Premium APK 'modded' apps – here's what's happening
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
Last-minute AMD RX 9070 XT stock rumors are making me hopeful for a much better launch than Nvidia’s RTX 5000 GPUs – with just one snag
eSIM
Global eSIM shipment volume surpasses half a billion units as demand keeps on growing
Samsung Galaxy Buds in white
Samsung may be working on new cheap wireless earbuds – will the Galaxy Buds FE 2 beat Sony's next value earbuds to the punch?
More about security
A TV remote pointing at YouTube logo

YouTube warns of phishing video using its CEO as bait
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

BadBox malware hit after infecting over 500,000 Android devices
woman sit on couch near laptop take break reduce stress do yoga meditation exercise to calm down self control get rid of negative emotions, bad e-mail, difficult task, problems at work concept

IT industry workers hit badly by burnout, stress - but there's still potential for success
See more latest
Most Popular
woman sit on couch near laptop take break reduce stress do yoga meditation exercise to calm down self control get rid of negative emotions, bad e-mail, difficult task, problems at work concept
IT industry workers hit badly by burnout, stress - but there's still potential for success
Spotify logo on a mobile device
Had Spotify problems recently? It's clamped down on Premium APK 'modded' apps – here's what's happening
A TV in a living room with the language settings displayed
Prime Video is testing AI dubbing to make movies and shows more accessible – and might avoid the backlash that hit Netflix
Shazam song search on an iPhone
Shazam now makes it super-easy to add identified songs to a Spotify or Apple Music playlist – here’s how it works
A TV remote pointing at YouTube logo
YouTube warns of phishing video using its CEO as bait
Owen Hendricks looks at something off camera in The Recruit season 2.
Netflix aborts mission on hit spy thriller The Recruit and I know which show to blame for its cancelation
The Nvidia and AMD logos clashing with lightning bolts around them.
Sure, Nvidia DLSS 4 is incredibly impressive - but AMD's improved upscaling tech could be a real game-changer
Fujfilm GFX 50R
First Fujifilm GFX100RF images leaked in build-up to expected reveal – here’s what they tell us about the unique premium compact camera
A close up of Conquest in Invincible season 3 episode 7
Invincible season 3 episode 7 just made good on a two-year-old Instagram post and a wild rumor about Jeffrey Dean Morgan
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
BadBox malware hit after infecting over 500,000 Android devices