Without SMS or authorization: how a defect in Citrix software helps hackers steal credentials

Carding 4 Carders

While companies refuse to update the system, cyber attacks are gaining momentum.

Hackers are actively exploiting a recently discovered vulnerability in Citrix software to steal user credentials. The flaw is CVE-2023-3519, found in July of this year. It affects Citrix NetScaler ADC and NetScaler Gateway and allows an attacker to run malicious code on the devices without authorization.

According to IBM X-Force, despite warnings from developers and requests to update the system, many organizations still remain vulnerable. In August alone, hackers exploited this flaw to break into more than 2,000 Citrix servers.

Experts found that the attackers first upload a PHP web shell to the "/netscaler/ns_gui/vpn" directory, through which they gain remote access and collect information about the system configuration. Malicious JavaScript code is then embedded in the VPN authentication page. This code intercepts the credentials entered there and sends them in an HTTP POST request to a server controlled by the attackers.

Hackers use several domains in the campaign, including jscloud[.]ink, jscloud[.]live, jscloud[.]biz, jscdn[.]biz and cloudjs[.]live.

According to IBM, the attacks involve hundreds of unique IP addresses of compromised Citrix devices around the world. Most of the victims are located in the United States and Europe. The campaign began on August 11, 2023, which means it has been running for about two months.

IBM analysts found that traces of the attack can be found in NSPPE crash logs (part of the NetScaler application logs). They are located in the "/var/core/NSPPE*" directory as .gz archives. To analyze these files, you need to extract them and convert the string data to readable text using string-extraction tools.
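A small hunting script along the lines the article describes, added here as an illustration and not taken from the article or from IBM X-Force: it inflates the gzip archives under /var/core/NSPPE*, pulls out printable strings the way strings(1) does, and flags the web shell directory and the five campaign domains named above. The scan logic, the "any .php under the vpn directory" pattern and the constructed sample dump (including the made-up file name prod.php) are assumptions, not indicators from the page.

```python
"""Hunt for CVE-2023-3519 credential-theft indicators in NetScaler NSPPE core dumps.

Added illustration written for this post; it is not the article's or IBM X-Force's
tooling. The core-dump location (/var/core/NSPPE*, gzip archives), the web shell
directory and the five domains come from the article; the scan logic, the
string-extraction heuristic and the sample dump below are assumptions.
"""
import gzip
import io
import re
from pathlib import Path

# Indicators from the article (defanging brackets removed so they match raw bytes).
WEBSHELL_DIR = "/netscaler/ns_gui/vpn"
IOC_DOMAINS = ("jscloud.ink", "jscloud.live", "jscloud.biz", "jscdn.biz", "cloudjs.live")

# Assumed pattern: any .php file referenced inside the web shell directory is suspicious.
WEBSHELL_RE = re.compile(re.escape(WEBSHELL_DIR) + r"/[\w.-]+\.php")
# Runs of 6+ printable ASCII bytes, the same idea as strings(1) with a longer minimum.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> list:
    """Pull readable text out of a binary dump (what `strings` would print)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def scan_dump(blob: bytes) -> list:
    """Return (kind, indicator, context) triples for every indicator seen in the dump."""
    findings = []
    for text in extract_strings(blob):
        lowered = text.lower()
        for domain in IOC_DOMAINS:
            if domain in lowered:
                findings.append(("c2_domain", domain, text))
        match = WEBSHELL_RE.search(text)
        if match:
            findings.append(("webshell_path", match.group(), text))
    return findings


def decompress_lenient(data: bytes) -> bytes:
    """Inflate a .gz archive, keeping whatever was recovered if it is truncated or corrupt."""
    chunks = []
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            while True:
                chunk = gz.read(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    except (EOFError, OSError):
        pass  # crash dumps are often cut short: scan what we managed to inflate
    return b"".join(chunks)


def scan_gz_bytes(data: bytes) -> list:
    """Convenience wrapper: inflate one archive's bytes and scan them."""
    return scan_dump(decompress_lenient(data))


def scan_core_dir(core_dir: str = "/var/core") -> dict:
    """Scan every .gz under /var/core/NSPPE* and map file path -> findings (clean files omitted)."""
    report = {}
    for entry in sorted(Path(core_dir).glob("NSPPE*")):
        files = entry.rglob("*.gz") if entry.is_dir() else [entry]
        for path in files:
            if path.suffix != ".gz":
                continue
            hits = scan_gz_bytes(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: a fake gzipped dump mixing binary noise with the kind of strings
# the article describes (web shell request, injected script tag, POST to a C2 host).
# The file name prod.php and the paths /c.js and /collect are made up for the demo.
SAMPLE_DUMP_GZ = gzip.compress(
    b"\x00\x01\x7f\xff" * 8
    + b"GET /netscaler/ns_gui/vpn/prod.php HTTP/1.1\x00"
    + b"\x00\xff\x10" * 4
    + b'<script src="https://jscloud.ink/c.js"></script>\x00'
    + b"POST /collect HTTP/1.1\r\nHost: jscdn.biz\r\n\x00"
    + b"ordinary ns_gui request log line\x00"
)

if __name__ == "__main__":
    for kind, indicator, context in scan_gz_bytes(SAMPLE_DUMP_GZ):
        print(f"{kind:14} {indicator:32} <- {context}")
    for path, hits in scan_core_dir().items():  # empty unless run on a NetScaler box
        print(path, len(hits), "indicator(s)")
```

On a real appliance the interesting call is scan_core_dir(); a hit on the web shell path tells you the device was already exploited and should be treated as compromised, not merely patched, while a hit on one of the domains points at the credential-skimming stage and means any credentials entered on the VPN page since August 11 should be reset.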

Experts recommend that companies urgently install the manufacturer's security updates and strengthen monitoring of their systems for signs of compromise.