Sophos X-Ops has identified a mass attack campaign targeting unpatched Citrix NetScaler systems exposed to the internet [6]. This campaign exploits a critical code injection vulnerability [3] [6], allowing hackers to gain remote access to servers. The attackers are believed to be an organized and experienced threat group specializing in ransomware attacks.

Description

The mass attack campaign began in mid-August and targets unpatched Citrix NetScaler systems [1]. It exploits a critical code injection vulnerability [3] [6], tracked as CVE-2023-3519 [5], in Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices [5]. The flaw enables attackers to execute code remotely and gain persistent access to the affected servers. The attackers, tracked as STAC4663 [2], have been increasing the complexity of their attacks, using techniques such as payload injection [1], BlueVPS ASN 62005 infrastructure for malware staging [1], obfuscated PowerShell scripts [1] [7] [8], and randomly named PHP webshells deployed on victim machines [6].

The payload delivered in recent attacks is still under analysis [2], but it is believed to be part of a ransomware attack chain. The campaign is assessed to be linked to the FIN8 hacking group based on indicators such as domain discovery and unusual PowerShell scripting [2]. The attackers use two command and control (C2) IP addresses for malware staging and communication. Sophos has published a list of indicators of compromise (IoCs) to aid in detecting and stopping the threat [2].

Despite a security update being available [4], over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519 by mid-August [4]. Approximately 2,000 Citrix NetScaler systems worldwide have been compromised through this vulnerability, and over 15,000 servers remain exposed to remote code execution attacks [4]. Sophos X-Ops recommends that organizations thoroughly inspect their networks for signs of compromise and apply the patch. They also advise examining historical data for the published IoCs and following their guidance to protect infrastructure.

Conclusion

The mass attack campaign targeting unpatched Citrix NetScaler systems poses a significant threat to organizations. With thousands of systems compromised and many more still vulnerable, it is crucial for organizations to take immediate action. Thoroughly inspecting networks, patching vulnerabilities, and following Sophos X-Ops’ guidance will help mitigate the risk of compromise. Additionally, organizations should remain vigilant for future attacks and stay updated on the latest security measures to protect their infrastructure.

References

[1] https://www.helpnetsecurity.com/2023/08/29/citrix-netscaler-ransomware/
[2] https://www.redpacketsecurity.com/attacks-on-citrix-netscaler-systems-linked-to-ransomware-actor/
[3] https://cyber.vumetric.com/security-news/2023/08/29/citrix-netscaler-alert-ransomware-hackers-exploiting-critical-vulnerability/
[4] https://cyber.vumetric.com/security-news/2023/08/28/attacks-on-citrix-netscaler-systems-linked-to-ransomware-actor/
[5] https://www.govinfosecurity.com/ransomware-attack-specialist-tied-to-citrix-netscaler-hacks-a-22960
[6] https://www.infosecurity-magazine.com/news/ransomware-targets-citrix/
[7] https://thehackernews.com/2023/08/citrix-netscaler-alert-ransomware.html
[8] https://www.darkreading.com/attacks-breaches/unpatched-citrix-devices-targeted-by-ransomware-group-fin8