Hackers Attacking unpatched Citrix NetScaler


Threat actors targeting unpatched Citrix NetScaler systems exposed to the internet are being tracked by Sophos X-Ops. 

As per research, the recent attacks share a similarity with attacks using CVE-2023–3519 delivering malware.

Citrix was discovered with a Zero-Day vulnerability on their Citrix NetScaler Application Delivery Controller (ADC) that allowed threat actors to perform remote code execution at the beginning of August.

According to a Fox-IT report earlier this month, approximately 2,000 NetScaler systems are compromised worldwide.

In mid-August, the threat actors used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack once the targets were infected.

Later stages of that attack included behaviors such as Payload injection into wuauclt(.)exe or wmiprvse(.)exe and the use of BlueVPS ASN 62005 for malware staging.

In addition to that, they use highly obfuscated PowerShell scripts with distinctive arguments and drop randomly named PHPwebshells (/var/VPN/theme/[random].php) on victim machines. 

Citrix issued a patch for the CVE-2023-3519 issue on July 18 and has further details in their advisory.

Sophos recommends the users of  Citrix NetScaler infrastructure immediately check it for signs of compromise and also to patch the vulnerability.

Patching alone won’t address attacks already using the vulnerability to gain access to the system, so both actions are necessary for proper protection.

It also recommends defenders examine their data, particularly data from before mid-July, to see if other of these IoCs now seen in the NetScaler attacks have appeared prior to the announcement of the new vulnerability.

A list of IoCs for this case will be made available on GitHub

Indicator of compromise

sha256 bb28ba8d838c8eefdd5ae1e23d5872968d84e8cb86bf292b2c3bf4c84ad7dbd0 php webshell
sha256 383df272841f9a677ee03f6f553bc6cf3197427d792dc9f86b7fb1911dc83d71 php webshell
sha256 20b375ac4487a5955d4b0dd0a600e851d1e455a30c3f8babd0e7e1e97d11a073 malicious ps1
sha256 857d6f7e4b96738adb9cc023e2c504362fe8b73bdce422f8f8cb791dd6ac2449 php webshell
sha256 94f09d01e1397ca80c71b488b8775acfe2776b5ab42e9a54547d9e5f58caf11a malicious .net DLL
sha256 01717ce6fe0f79c4dc935549c516e4a1941cb4a4e84233e8fdff447177ce556e php webshell
sha256 03657d8f9dcb49a690d4b07da4f49ead58000efe458ca3ba7f878233dd25e391 php webshell
sha256 2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a malicious .net DLL

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.





Source link