Rewterz Threat Alert – Ransomware Actors Linked to Attacks Targeting Citrix NetScaler Systems – Active IOCs

Severity

High

Analysis Summary

A threat actor believed to be associated with the hacking group FIN8 has been exploiting a vulnerability known as CVE-2023-3519 to compromise unpatched Citrix NetScaler systems. This activity was monitored by a cybersecurity company, which started observing the campaign in mid-August. The threat actor used various tactics, including payload injections, employing the BlueVPS malware, deploying obfuscated PowerShell scripts, and dropping PHP webshells onto victim machines.

Analysts noted similarities between this attack and a previous one they had observed earlier in the summer. This led them to deduce that these two activities are connected and that the threat actor specializes in ransomware attacks.

CVE-2023-3519 is a critical-severity vulnerability with a CVSS score of 9.8. It involves a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway and was discovered as an actively exploited zero-day vulnerability in mid-July 2023. Although the vendor released security updates on July 18th, evidence suggested that cybercriminals had been selling an exploit for this vulnerability since at least July 6th.

As of August 2nd, security researchers found 640 compromised Citrix servers with associated webshells, and this number increased to 1,952 by mid-August. Shockingly, by that point, more than 31,000 instances of Citrix NetScaler remained vulnerable to CVE-2023-3519, over a month after the security updates were released.

It is reported that the threat actor tracked as ‘STAC4663’ was exploiting CVE-2023-3519. The payload delivered in these recent attacks was injected into processes like “wuauclt.exe” or “wmiprvse.exe,” and although its full nature is still being investigated, Sophos believes it’s part of a ransomware attack chain based on the attacker’s profile.

Researchers assesses with moderate confidence that this campaign is linked to the FIN8 hacking group, which has recently been associated with deploying the BlackCat/ALPHV ransomware This assessment is based on various factors, including domain discovery, BlueVPS hosting, unusual PowerShell scripting, and the use of the PuTTY Secure Copy tool.

In conclusion, organizations using Citrix ADC and Gateway appliances should apply the recommended security updates if they haven’t done so already, as threat actors continue to exploit this vulnerability for their malicious activities.

Impact

• Code Execution
• Exposure of Sensitive Data

Affected Vendors

Citrix

Affected Products

• Citrix Gateway 13.0
• Citrix ADC 12.1
• Citrix ADC 12.1-FIPS
• Citrix ADC 12.1-NDcPP
• Citrix NetScaler Gateway 12.1

Indicators Of Compromise

CVE

• CVE-2023-3519

IP

85.239.53.49

MD5

• ab41cac917bd44f0cbe192dac9539321
• 8b47edcf4d1070cdce44f06904f75b1e

SHA-256

• ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64
• 2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a

SHA-1

• af83e150039051d930ae3eec0dc8081b02719beb
• eff94ae3fe0f678f19be5149eb74030ec2b0d096

Remediation

• Refer to Citrix Security Advisory for patch, upgrade or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Continuously monitor your network and systems for any signs of suspicious or unauthorized activity. Implement intrusion detection and prevention systems to identify potential attacks.
• Consider using Web Application Firewalls to help detect and block malicious traffic targeting vulnerabilities like the one described. 
• Implement network segmentation to isolate critical systems and sensitive data from potentially compromised systems. 
• Disable any unnecessary services or features on your Citrix appliances. This can reduce the potential attack surface and limit the opportunities for attackers to exploit vulnerabilities.
• Ensure that all software and applications on your network are up to date with the latest security patches. Regularly update operating systems, browsers, plugins, and other software components.
• Apply the principle of least privilege, granting users and systems only the access and permissions they need to perform their tasks. 
• Regularly back up critical data and systems. In the event of a successful attack or compromise, having recent backups can help you restore operations and minimize data loss.
• Establish a robust patch management process to promptly apply security updates and patches to all software and systems in your environment