Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
A threat actor believed to be associated with the hacking group FIN8 has been exploiting a vulnerability known as CVE-2023-3519 to compromise unpatched Citrix NetScaler systems. This activity was monitored by a cybersecurity company, which started observing the campaign in mid-August. The threat actor used various tactics, including payload injections, employing the BlueVPS malware, deploying obfuscated PowerShell scripts, and dropping PHP webshells onto victim machines.
Analysts noted similarities between this attack and a previous one they had observed earlier in the summer. This led them to deduce that these two activities are connected and that the threat actor specializes in ransomware attacks.
CVE-2023-3519 is a critical-severity vulnerability with a CVSS score of 9.8. It involves a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway and was discovered as an actively exploited zero-day vulnerability in mid-July 2023. Although the vendor released security updates on July 18th, evidence suggested that cybercriminals had been selling an exploit for this vulnerability since at least July 6th.
As of August 2nd, security researchers found 640 compromised Citrix servers with associated webshells, and this number increased to 1,952 by mid-August. Shockingly, by that point, more than 31,000 instances of Citrix NetScaler remained vulnerable to CVE-2023-3519, over a month after the security updates were released.
It is reported that the threat actor tracked as ‘STAC4663’ was exploiting CVE-2023-3519. The payload delivered in these recent attacks was injected into processes like “wuauclt.exe” or “wmiprvse.exe,” and although its full nature is still being investigated, Sophos believes it’s part of a ransomware attack chain based on the attacker’s profile.
Researchers assess with moderate confidence that this campaign is linked to the FIN8 hacking group, which has recently been associated with deploying the BlackCat/ALPHV ransomware. This assessment is based on various factors, including domain discovery, BlueVPS hosting, unusual PowerShell scripting, and the use of the PuTTY Secure Copy tool.
In conclusion, organizations using Citrix ADC and Gateway appliances should apply the recommended security updates if they haven’t done so already, as threat actors continue to exploit this vulnerability for their malicious activities.
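The advisory gives defenders two things to hunt for: the network indicator listed below and the two Windows processes the payload was injected into. The following is an added example, not Rewterz's tooling, showing how those indicators can be matched against host and firewall telemetry. The log lines, the `event=RemoteThread` field name and the field layout are constructed for the example; the IP address and process names come from the advisory.

```python
"""Match the advisory's indicators against constructed log lines.

Added example: the log format and the ``event=RemoteThread`` field are
assumptions for illustration; the IP and process names are from the advisory.
"""
import ipaddress
import re
from typing import Dict, List

# Network indicator taken from the advisory.
IOC_IPS = {"85.239.53.49"}

# Processes the advisory names as payload-injection targets.
INJECTION_TARGETS = {"wuauclt.exe", "wmiprvse.exe"}

# Constructed sample telemetry (not real data): two firewall lines and two
# EDR-style host events. Only the first and third should be flagged.
SAMPLE_LOGS = [
    "2023-08-20T10:01:02Z fw01 ACCEPT src=10.0.5.7 dst=85.239.53.49 dport=443",
    "2023-08-20T10:01:05Z fw01 ACCEPT src=10.0.5.7 dst=142.250.72.14 dport=443",
    "2023-08-20T10:02:11Z edr host=WS22 event=RemoteThread source=powershell.exe target=wuauclt.exe",
    "2023-08-20T10:02:12Z edr host=WS22 event=ProcessStart image=wmiprvse.exe parent=svchost.exe",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key=value pairs from a space-separated log line."""
    return {k: v for k, v in KV_RE.findall(line)}


def ip_tokens(line: str) -> List[str]:
    """Return every syntactically valid IPv4 address found in the line."""
    valid = []
    for token in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(token)
            valid.append(token)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return valid


def classify(line: str) -> str:
    """Return a reason string if the line matches an indicator, else ''."""
    if any(ip in IOC_IPS for ip in ip_tokens(line)):
        return "ioc_ip"
    fields = parse_fields(line)
    # Only a remote-thread event into a named target is treated as injection;
    # a normal ProcessStart of wmiprvse.exe is expected on every Windows host.
    if fields.get("event") == "RemoteThread" and fields.get("target", "").lower() in INJECTION_TARGETS:
        return "injection_target"
    return ""


def find_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over all lines and collect matches with their index."""
    hits = []
    for idx, line in enumerate(lines):
        reason = classify(line)
        if reason:
            hits.append({"index": idx, "reason": reason, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(f"[{hit['reason']}] line {hit['index']}: {hit['line']}")
```

The fourth sample line is included deliberately: `wmiprvse.exe` starting under `svchost.exe` is routine WMI activity, so matching on the process name alone would flood an analyst with noise. Tying the rule to the injection event keeps the alert specific to the behaviour the advisory describes.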
Citrix
85.239.53.49