Rewterz Threat Alert – Ransomware Actors Linked to Attacks Targeting Citrix NetScaler Systems – Active IOCs

August 31, 2023

Severity

High

Analysis Summary

A threat actor believed to be associated with the hacking group FIN8 has been exploiting a vulnerability known as CVE-2023-3519 to compromise unpatched Citrix NetScaler systems. This activity was monitored by a cybersecurity company, which started observing the campaign in mid-August. The threat actor used various tactics, including payload injections, employing the BlueVPS malware, deploying obfuscated PowerShell scripts, and dropping PHP webshells onto victim machines.

Analysts noted similarities between this attack and a previous one they had observed earlier in the summer. This led them to deduce that these two activities are connected and that the threat actor specializes in ransomware attacks.

CVE-2023-3519 is a critical-severity vulnerability with a CVSS score of 9.8. It involves a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway and was discovered as an actively exploited zero-day vulnerability in mid-July 2023. Although the vendor released security updates on July 18th, evidence suggested that cybercriminals had been selling an exploit for this vulnerability since at least July 6th.

As of August 2nd, security researchers found 640 compromised Citrix servers with associated webshells, and this number increased to 1,952 by mid-August. Shockingly, by that point, more than 31,000 instances of Citrix NetScaler remained vulnerable to CVE-2023-3519, over a month after the security updates were released.

It is reported that the threat actor tracked as ‘STAC4663’ was exploiting CVE-2023-3519. The payload delivered in these recent attacks was injected into processes like “wuauclt.exe” or “wmiprvse.exe,” and although its full nature is still being investigated, Sophos believes it’s part of a ransomware attack chain based on the attacker’s profile.

Researchers assess with moderate confidence that this campaign is linked to the FIN8 hacking group, which has recently been associated with deploying the BlackCat/ALPHV ransomware. This assessment is based on various factors, including domain discovery, BlueVPS hosting, unusual PowerShell scripting, and the use of the PuTTY Secure Copy tool.

In conclusion, organizations using Citrix ADC and Gateway appliances should apply the recommended security updates if they haven’t done so already, as threat actors continue to exploit this vulnerability for their malicious activities.

Impact

  • Code Execution
  • Exposure of Sensitive Data

Affected Vendors

Citrix

Affected Products

  • Citrix Gateway 13.0
  • Citrix ADC 12.1
  • Citrix ADC 12.1-FIPS
  • Citrix ADC 12.1-NDcPP
  • Citrix NetScaler Gateway 12.1

Indicators Of Compromise

CVE

  • CVE-2023-3519

IP

  • 85.239.53.49

MD5

  • ab41cac917bd44f0cbe192dac9539321
  • 8b47edcf4d1070cdce44f06904f75b1e

SHA-256

  • ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64
  • 2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a

SHA-1

  • af83e150039051d930ae3eec0dc8081b02719beb
  • eff94ae3fe0f678f19be5149eb74030ec2b0d096

Remediation

  • Refer to the Citrix Security Advisory for patch, upgrade or suggested workaround information.
  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment using your respective security controls.
  • Continuously monitor your network and systems for any signs of suspicious or unauthorized activity. Implement intrusion detection and prevention systems to identify potential attacks.
  • Consider using Web Application Firewalls to help detect and block malicious traffic targeting vulnerabilities like the one described.
  • Implement network segmentation to isolate critical systems and sensitive data from potentially compromised systems.
  • Disable any unnecessary services or features on your Citrix appliances. This can reduce the potential attack surface and limit the opportunities for attackers to exploit vulnerabilities.
  • Ensure that all software and applications on your network are up to date with the latest security patches. Regularly update operating systems, browsers, plugins, and other software components.
  • Apply the principle of least privilege, granting users and systems only the access and permissions they need to perform their tasks.
  • Regularly back up critical data and systems. In the event of a successful attack or compromise, having recent backups can help you restore operations and minimize data loss.
  • Establish a robust patch management process to promptly apply security updates and patches to all software and systems in your environment.
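The remediation items that ask you to block the published indicators and search your environment for them can be checked programmatically. The script below is an added example written for this page, not Rewterz's own tooling: it embeds the IP address and MD5/SHA-1/SHA-256 hashes listed under Indicators Of Compromise, hashes files on disk with all three algorithms, and matches indicators in log lines while avoiding substring false positives (a hit on 185.239.53.49 or 85.239.53.49.100 would be a false alarm for 85.239.53.49). The log format, file paths and every other address in the sample lines are constructed for the example.

```python
"""IOC sweep for the indicators published in this advisory.

Added example, not Rewterz's tooling. The indicator values below are copied
from the "Indicators Of Compromise" section; everything else (log format,
paths, other addresses) is constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the advisory (IP, MD5, SHA-1, SHA-256).
IOC_IP = {"85.239.53.49"}
IOC_MD5 = {
    "ab41cac917bd44f0cbe192dac9539321",
    "8b47edcf4d1070cdce44f06904f75b1e",
}
IOC_SHA1 = {
    "af83e150039051d930ae3eec0dc8081b02719beb",
    "eff94ae3fe0f678f19be5149eb74030ec2b0d096",
}
IOC_SHA256 = {
    "ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64",
    "2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a",
}

# Whole dotted quad only: neither 185.239.53.49 nor 85.239.53.49.100 may match 85.239.53.49.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
# Hex runs of exactly 64, 40 or 32 characters (SHA-256, SHA-1, MD5 lengths).
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

Hit = Tuple[int, str, str]  # (line number, indicator type, matched value)


def classify_hash(digest: str) -> Optional[str]:
    """Return 'md5' / 'sha1' / 'sha256' if the digest is a listed IOC, else None."""
    digest = digest.lower()
    if digest in IOC_MD5:
        return "md5"
    if digest in IOC_SHA1:
        return "sha1"
    if digest in IOC_SHA256:
        return "sha256"
    return None


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a byte string, keyed by algorithm name."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Stream a file through all three hashes so large files need not fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest matches a listed IOC (empty if clean)."""
    return [name for name, value in digests.items() if classify_hash(value) == name]


def scan_log_lines(lines: List[str]) -> List[Hit]:
    """Find listed IPs and file hashes in log lines; returns (line_no, type, value)."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IP:
                hits.append((line_no, "ip", ip))
        for digest in HASH_RE.findall(line):
            kind = classify_hash(digest)
            if kind is not None:
                hits.append((line_no, kind, digest.lower()))
    return hits


# Constructed sample lines (firewall and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2023-08-20T10:14:02Z fw01 allow src=10.20.30.40 dst=85.239.53.49 dport=443 proto=tcp",
    "2023-08-20T10:14:05Z fw01 allow src=10.20.30.41 dst=185.239.53.49 dport=443 proto=tcp",
    "2023-08-20T10:15:11Z edr07 process_create image=C:\\Users\\Public\\update.exe md5=AB41CAC917BD44F0CBE192DAC9539321",
    "2023-08-20T10:15:12Z edr07 file_write path=/tmp/constructed/x.php sha256=2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a",
    "2023-08-20T10:16:00Z fw01 allow src=10.20.30.42 dst=203.0.113.7 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} IOC {value}")
```

Run over the constructed sample, the scan reports the first line (the listed IP), the third (the MD5, matched case-insensitively) and the fourth (the SHA-256), and stays silent on the 185.239.53.49 line. Point `hash_file` at files written to the appliance around the time of the alert, or feed exported proxy, firewall and EDR lines to `scan_log_lines`, to cover the "search for IOCs" step; IP hits on outbound connections from an appliance are worth investigating regardless of whether a file hash matches, since the hashes only cover the specific samples listed here.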
