A threat actor, possibly associated with the FIN8 hacking group, is leveraging the CVE-2023-3519 vulnerability for remote code execution. The vulnerability is being exploited to compromise unpatched Citrix NetScaler systems, and the attacks are affecting multiple domains.
According to reports, the threat actor employs techniques such as payload injection, the use of BlueVPS hosting as a malware delivery vehicle, obfuscated PowerShell scripts, and the placement of PHP webshells on the targeted machines.
Similarities to a previous attack observed by analysts during the summer have led them to conclude that the two incidents are connected. The threat actor involved appears to have expertise in executing ransomware attacks.
Citrix vulnerabilities
CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway. It was disclosed as a zero-day that had been actively exploited since mid-July 2023.
The vendor responded quickly, releasing security patches on July 18th. However, there were indications that cybercriminals might have been trading an exploit for this vulnerability from as early as July 6th, 2023.
As of August 2nd, Shadowserver had identified approximately 640 webshells on an equivalent number of compromised Citrix servers. Within a fortnight, this count had risen to 1,952, as reported by Fox-IT.
By the middle of August, over 31,000 Citrix NetScaler instances remained susceptible to CVE-2023-3519, well over a month after the security patch became available. This lingering exposure gave threat actors ample opportunity to orchestrate attacks.
Presently, Sophos X-Ops reveals that an entity tracked under the name 'STAC4663' is exploiting CVE-2023-3519. Researchers believe this aligns with the same campaign highlighted earlier this month by Fox-IT.
The payload recently used in the attacks, which is injected into "wuauclt.exe" or "wmiprvse.exe," is still under analysis. Nevertheless, based on the attacker's tactics, Sophos leans towards categorising it as part of a ransomware attack chain.
According to Sophos, the campaign is tied with moderate confidence to the FIN8 hacking group, which has recently been associated with deployment of the BlackCat/ALPHV ransomware.
This attribution, as well as the connection to the ransomware actor's previous campaign, draws on domain discovery activity, use of plink, BlueVPS hosting, unusual PowerShell scripting, and use of PuTTY Secure Copy (pscp).
To sum up
In conclusion, the attackers use one C2 IP address (45.66.248[.]189) for staging malware, while a secondary C2 IP address (85.239.53[.]49) responds with the same C2 software used in the prior campaign.
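The two C2 addresses above are the only network indicators the report gives, and the obvious defensive use for them is to sweep existing proxy and firewall logs for any contact. The script below is an added example written for this page, not code from Sophos, Fox-IT or Citrix: it refangs the indicators as published, scans log lines (both raw and defanged forms, since SIEM exports often defang addresses) and returns the matches with their line numbers. The log lines are constructed for the example and do not represent real traffic; the log format is an assumption, and the regex-based matching is generic rather than tied to any particular product.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# C2 addresses as published in the report (defanged form).
C2_IOCS_DEFANGED = ["45.66.248[.]189", "85.239.53[.]49"]


def refang(text: str) -> str:
    """Turn defanged dotted quads such as 45.66.248[.]189 back into 45.66.248.189."""
    return text.replace("[.]", ".")


# Validate each indicator with ipaddress so a typo in the list cannot silently
# produce a pattern that never matches anything.
C2_IPS = {str(ipaddress.ip_address(refang(ioc))) for ioc in C2_IOCS_DEFANGED}

# Word boundaries stop "185.239.53.49" from being reported as a hit on
# "85.239.53.49" (a common false positive with naive substring searches).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (hypothetical format); only lines 2, 3 and 5
# actually reference a reported C2 address.
SAMPLE_LOGS = [
    "2023-08-20T10:01:02Z proxy allow src=10.0.0.5 dst=142.250.72.14 url=https://www.example.com/",
    "2023-08-20T10:03:15Z proxy allow src=10.0.0.9 dst=45.66.248.189 url=http://45.66.248.189/update.ps1",
    "2023-08-20T10:04:40Z fw deny src=10.0.0.9 dst=85.239.53.49 dport=443",
    "2023-08-20T10:05:00Z proxy allow src=10.0.0.7 dst=185.239.53.49 url=https://cdn.example.net/",
    "2023-08-20T10:06:00Z siem note ioc=45.66.248[.]189 observed in earlier ticket",
]


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per (line, C2 address) pair found in the log lines.

    A line that mentions the same address twice (e.g. as dst= and in a URL)
    yields a single record for that address.
    """
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = refang(raw)  # normalise defanged exports before matching
        matched = {ip for ip in IP_RE.findall(line) if ip in C2_IPS}
        for ip in sorted(matched):
            hits.append({"line": lineno, "ip": ip, "text": raw.strip()})
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how many log lines referenced each C2 address."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['ip']}  <- {h['text']}")
    print("per-address counts:", summarize(found))
```

Any hit against these addresses is worth treating as a sign of compromise rather than a simple block-list event: the report ties the first address to malware staging and the second to the C2 software seen in the earlier campaign, so the source host should be checked for the webshells and injected processes described above.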
If you have not yet applied the security updates for Citrix ADC and Gateway appliances, follow the measures outlined in the vendor's security bulletin.