Attacks on Citrix NetScaler systems linked to ransomware actor

A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

Sophos has been monitoring this campaign since mid-August, reporting that the threat actor performs payload injections, uses BlueVPS for malware stating, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines.

Resemblances to another attack that Sophos analysts observed earlier in the summer have led the analysts to deduce that the two activities are linked, with the threat actor specializing in ransomware attacks.

Attacks on Citrix

CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection flaw in Citrix NetScaler ADC and NetScaler Gateway, discovered as an actively exploited zero-day in mid-July 2023.

The vendor released security updates for the problem on July 18th, but there was evidence that cybercriminals were allegedly selling an exploit for the flaw since at least July 6th, 2023.

By August 2nd, Shadowserver reported discovering 640 webshells in an equal number of compromised Citrix servers, and two weeks later, Fox-IT raised that number to 1,952.

By mid-August, over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, more than a month after the security update was made available, giving threat actors plenty of opportunity for attacks.

Sophos X-Ops now reports that a threat actor it tracks as 'STAC4663' is exploiting CVE-2023-3519, which the researchers believe is part of the same campaign Fox-IT reported about earlier this month.

The payload delivered in the recent attacks, which is injected into "wuauclt.exe" or "wmiprvse.exe," is still being analyzed. Still, Sophos believes it is part of a ransomware attack chain based on the attacker's profile.

Sophos told BleepingComputer that the campaign is assessed with moderate confidence to be linked the FIN8 hacking group, which was recently seen deploying the BlackCat/ALPHV ransomware.

This assumption and the correlation to the ransomware actor's previous campaign are based on domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, and the PuTTY Secure Copy [pscp].

Finally, the attackers use a C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP address (85.239.53[.]49) responding to the same C2 software as in the previous campaign.

Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub to help defenders detect and stop the threat.

If you have not applied the security updates on Citrix ADC and Gateway appliances, follow the recommended actions on the vendor's security bulletin.