Threat actors targeting unpatched Citrix NetScaler systems exposed to the internet are being tracked by Sophos X-Ops.
As per research, the recent attacks share a similarity with attacks using CVE-2023–3519 delivering malware.
Citrix was discovered with a Zero-Day vulnerability on their Citrix NetScaler Application Delivery Controller (ADC) that allowed threat actors to perform remote code execution at the beginning of August.
According to a Fox-IT report earlier this month, approximately 2,000 NetScaler systems are compromised worldwide.
In mid-August, the threat actors used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack once the targets were infected.
Later stages of that attack included behaviors such as Payload injection into wuauclt(.)exe or wmiprvse(.)exe and the use of BlueVPS ASN 62005 for malware staging.
In addition to that, they use highly obfuscated PowerShell scripts with distinctive arguments and drop randomly named PHPwebshells (/var/VPN/theme/[random].php) on victim machines.
Citrix issued a patch for the CVE-2023-3519 issue on July 18 and has further details in their advisory.
Sophos recommends the users of Citrix NetScaler infrastructure immediately check it for signs of compromise and also to patch the vulnerability.
Patching alone won’t address attacks already using the vulnerability to gain access to the system, so both actions are necessary for proper protection.
It also recommends defenders examine their data, particularly data from before mid-July, to see if other of these IoCs now seen in the NetScaler attacks have appeared prior to the announcement of the new vulnerability.
A list of IoCs for this case will be made available on GitHub
Indicator of compromise
| sha256 | bb28ba8d838c8eefdd5ae1e23d5872968d84e8cb86bf292b2c3bf4c84ad7dbd0 | php webshell |
| sha256 | 383df272841f9a677ee03f6f553bc6cf3197427d792dc9f86b7fb1911dc83d71 | php webshell |
| sha256 | 20b375ac4487a5955d4b0dd0a600e851d1e455a30c3f8babd0e7e1e97d11a073 | malicious ps1 |
| sha256 | 857d6f7e4b96738adb9cc023e2c504362fe8b73bdce422f8f8cb791dd6ac2449 | php webshell |
| sha256 | 94f09d01e1397ca80c71b488b8775acfe2776b5ab42e9a54547d9e5f58caf11a | malicious .net DLL |
| sha256 | 01717ce6fe0f79c4dc935549c516e4a1941cb4a4e84233e8fdff447177ce556e | php webshell |
| sha256 | 03657d8f9dcb49a690d4b07da4f49ead58000efe458ca3ba7f878233dd25e391 | php webshell |
| sha256 | 2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a | malicious .net DLL |
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.