Attacks on Citrix NetScaler systems linked to ransomware actor
A threat actor, suspected to be affiliated with the FIN8 hacking group, is exploiting a known vulnerability, CVE-2023-3519, to execute remote code and compromise unpatched Citrix NetScaler systems through domain-wide attacks.
Sophos has been closely monitoring this campaign since mid-August and has reported several tactics employed by the threat actor. These tactics include payload injections, the use of BlueVPS for hosting malicious content, deployment of obfuscated PowerShell scripts, and the placement of PHP webshells on victim machines.
Analysts at Sophos have drawn parallels between this attack campaign and another one observed earlier in the summer. The similarities between the two activities have led them to conclude that the threat actor in question may have a specialization in ransomware attacks.
Attacks on Citrix
CVE-2023-3519 is a critical-severity vulnerability (CVSS score: 9.8) identified as a code injection flaw within Citrix NetScaler ADC and NetScaler Gateway. This zero-day vulnerability was actively exploited starting in mid-July 2023.
Although the vendor issued security updates to address the issue on July 18th, there were indications that cybercriminals were allegedly peddling an exploit for this flaw as early as July 6th, 2023.
By August 2nd, Shadowserver reported the discovery of 640 webshells on an equal number of compromised Citrix servers. Just two weeks later, Fox-IT raised that number to 1,952.
Despite the availability of a security update for more than a month, as of mid-August, over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, providing ample opportunities for threat actors to launch attacks.
Sophos X-Ops has now reported that a threat actor tracked as ‘STAC4663’ is actively exploiting CVE-2023-3519. Researchers believe that this activity is linked to the same campaign reported by Fox-IT earlier in the month.
The payload deployed in the recent attacks, injected into “wuauclt.exe” or “wmiprvse.exe,” is currently under analysis. Sophos suspects it is part of a ransomware attack chain, primarily based on the attacker’s profile.
Sophos has assessed with moderate confidence that this campaign is connected to the FIN8 hacking group, which was recently observed employing the BlackCat/ALPHV ransomware. This assessment is based on several factors, including domain discovery, the use of plink, hosting on BlueVPS, unconventional PowerShell scripting, and the use of PuTTY Secure Copy (pscp).
The attackers are known to employ a Command and Control (C2) IP address (45.66.248[.]189) for staging malware and a second C2 IP address (85.239.53[.]49) that responds to the same C2 software used in a previous campaign.
To aid defenders in detecting and mitigating this threat, Sophos has published a list of Indicators of Compromise (IoCs) for this campaign on GitHub.
If security updates for Citrix ADC and Gateway appliances have not been applied, it is strongly recommended to follow the guidance provided in the vendor’s security bulletin to address this vulnerability.