Threat actors exploit Citrix NetScaler flaw for credential theft

SISA Weekly Threat Watch 16, October 2023

The past week has been marked by a series of critical cybersecurity threats and vulnerabilities that warrant immediate attention. These include vulnerabilities leading to unauthorized access, cyberattacks targeting cloud environments via SQL Server vulnerabilities, ransomware attacks resulting in data leaks, credential harvesting campaigns exploiting Citrix devices, and expansion of a botnet variant’s DDoS attack capabilities. These diverse threats emphasize the need for robust security measures and constant vigilance in the face of evolving cyber risks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cisco releases urgent patch to fix critical flaw in Emergency Responder systems

Cisco has issued important updates to remedy a severe security vulnerability affecting Emergency Responder. This flaw enables unauthorized remote attackers to gain access to vulnerable systems by exploiting hardcoded credentials. This vulnerability, identified as CVE-2023-20101 with a CVSS score of 9.8, arises from the persistence of static user credentials for the root account, which are typically reserved for development purposes, as stated by the company. Exploiting this weakness would entail an attacker utilizing these credentials to gain unauthorized access to the system. Once inside, they could execute arbitrary commands with the privileges of the root user.

Cisco has revealed that the discovery of this hardcoded credential vulnerability, which permits attackers to bypass authentication, occurred during internal security testing. The company’s Product Security Incident Response Team (PSIRT) has not encountered any information regarding public disclosures or instances of malicious exploitation related to CVE-2023-20101. By promptly applying the necessary patches, altering default credentials, and implementing strong security practices, organizations can significantly reduce the likelihood of exploitation.

2. Microsoft warns of cyberattacks attempting to breach cloud via SQL Server instance

Cybercriminals have been detected attempting to infiltrate cloud environments by exploiting vulnerabilities in Microsoft SQL Servers through SQL injection. According to Microsoft’s security experts, this method of lateral movement has previously been observed in attacks targeting different services such as virtual machines (VMs) and Kubernetes clusters. The attack begins with the exploitation of an SQL injection vulnerability within a targeted application, providing the attackers with initial access. They then navigate to the SQL Server instance, often hosted on an Azure Virtual Machine. What’s alarming is their ability to attain elevated permissions, granting them extensive control over the SQL Server.

Inside the server, the attackers systematically extract sensitive information, including database details, table names, schemas, network configurations, and permissions. To escalate their access, they utilize ‘xp_cmdshell,’ enabling them to execute operating system commands via SQL, potentially giving them shell access. Data exfiltration is achieved through the ‘’ service, an unconventional way to avoid detection. The attackers also try to exploit cloud identities, potentially gaining access to various cloud resources. Finally, they meticulously cover their tracks by deleting scripts and wiping database modifications, making post-attack forensics challenging. To defend against such threats, organizations must adopt a multi-faceted approach to cybersecurity. This includes proactive patching, robust access controls, leveraging cloud-native security solutions, continuous monitoring, and user training.

3. Medusa ransomware attacks Philippine health agency with alleged dark web data leak

The Philippine Health Insurance Corporation, responsible for managing the country’s universal healthcare system, suffered a disruption to its websites and portals due to a Medusa ransomware attack in September 2023. After failed ransom negotiations, the attackers disclosed a substantial amount of personal information belonging to PhilHealth members on the dark web, including names, addresses, contact details, and medical records. Responding swiftly, the Department of Information and Communications Technology (DICT), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP) collaborated to assess the attack’s extent, secure member-related data, and temporarily shut down PhilHealth’s online platforms.

While the ransomware was contained, the hackers released the stolen data on October 3, consisting of large data packages potentially posing risks like identity theft and fraudulent activities. To prevent such attacks, it is recommended to conduct comprehensive security assessments, enable 2FA/MFA, maintain strong passwords, restrict personal devices, utilize robust endpoint security, educate staff on security best practices, and enforce remote application closure when not in use. Consider a Managed Detection and Response (MDR) service to manage security threats on a 24×7 basis with industry best practices applied in responding to all security threats by security experts with experienced backgrounds.

4. Cyberattacks target Citrix devices by exploiting NetScaler vulnerability

A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. CVE-2023-3519, which has a CVSS score of 9.8 and was addressed by Citrix in July 2023, is a critical vulnerability involving code injection. This vulnerability could allow unauthenticated remote code execution. Security researchers reported that adversaries used the flaw to target unpatched NetScaler Gateways. They exploited this vulnerability to insert a malicious script into the HTML content of the authentication web page, thereby capturing user credentials.

The attackers sent a specifically crafted web request to initiate the exploitation of CVE-2023-3519 and deploy a web shell based on PHP. This web shell was then used to add custom code to the NetScaler Gateway login page, which included a reference to a remote JavaScript file hosted on infrastructure controlled by the attackers. The JavaScript code’s purpose was to collect the form data containing the username and password entered by users during authentication and transmit this sensitive information to a remote server using an HTTP POST method. To counter this threat, it is strongly recommended that organizations promptly apply patches and always change default login credentials for devices. Organizations should also consider changing certificates as well as all passwords, as part of incident remediation.

5. Mirai DDoS malware variant expands targets with 13 router exploits

The IZ1H9 Mirai botnet variant has expanded its capabilities with 13 new exploit payloads, targeting Linux-based routers, IP cameras, and IoT devices from manufacturers like D-Link, TP-Link, Zyxel, and others. These exploits cover vulnerabilities from 2015 to 2023, including command execution issues, such as CVE-2019-19356 for Netis WF2419 and CVE-2023-23295 for Korenix JetWave routers.

When a vulnerability is successfully exploited, the bot deploys a payload that fetches a shell script downloader and erases logs. Subsequently, it procures bot clients, designed to operate on various system architectures. After completing these tasks, the bot establishes communication with a Command and Control (C2) server, enabling it to launch a variety of DDoS attacks, including UDP, UDP Plain, HTTP Flood, and TCP SYN attacks. Timely patching, routine security assessments, and robust network monitoring are essential in mitigating these risks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider