Hackers are targeting Citrix servers by exploiting a recently patched vulnerability in Citrix NetScaler ADC and Gateway product, IBM X-Force threat intelligence team warns.

The campaign first spotted in September 2023 takes advantage of the CVE-2023-3519 remote code execution (RCE) flaw to insert a malicious script appended to the legitimate “index.html” file into the HTML content of the authentication web page to capture user credentials.

The script loads an additional JavaScript file that attaches a function to the “Log On” element in the VPN authentication page that collects the username and password information and sends it to a remote server.

The X-Force team said it identified multiple domains associated with the campaign and almost 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, most of them in the US and Europe. The earliest modification time stamp and domain creation dates suggest that this credential harvesting campaign has been active since early August 2023.

The researchers said that all domains hosted an almost identical JavaScript file, with the only difference being the command-and-control (C&C) domain listed in the file, and all stolen credentials were sent to the same URI.

“X-Force has also observed in some instances the threat actor appending the same URL, or a URL using one of the other domains, to the same victim login page, indicating this threat actor is likely opportunistically compromising vulnerable NetScaler Gateways,” the team said.