Hackers Attack Unpatched Citrix NetScaler Systems to Deploy Ransomware
Threat actors targeting unpatched Citrix NetScaler systems exposed to the internet are being tracked by Sophos X-Ops.
According to that research, the recent attacks closely resemble earlier attacks that used CVE-2023-3519 to deliver malware.
A zero-day vulnerability was discovered in the Citrix NetScaler Application Delivery Controller (ADC) at the beginning of August that allowed threat actors to achieve remote code execution.
According to a Fox-IT report earlier this month, approximately 2,000 NetScaler systems are compromised worldwide.
In mid-August, the threat actors exploited the critical-class NetScaler vulnerability to inject code and, once a target was compromised, expanded the intrusion into a domain-wide attack.
Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched Citrix NetScaler systems exposed to the internet. Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs.
— Sophos X-Ops (@SophosXOps) August 25, 2023
Later stages of that attack included behaviours such as payload injection into wuauclt(.)exe or wmiprvse(.)exe and the use of BlueVPS ASN 62005 for malware staging.
In addition, the attackers use highly obfuscated PowerShell scripts with distinctive arguments and drop randomly named PHP webshells (/var/VPN/theme/[random].php) on victim machines.
Citrix issued a patch for CVE-2023-3519 on July 18 and provides further details in its advisory.
Sophos recommends that users of Citrix NetScaler infrastructure immediately check it for signs of compromise and patch the vulnerability.
Patching alone won’t address attacks already using the vulnerability to gain access to the system, so both actions are necessary for proper protection.
It also recommends that defenders examine their data, particularly data from before mid-July, to see whether any of the IoCs now seen in the NetScaler attacks appeared before the new vulnerability was announced.
A list of IoCs for this case will be made available on GitHub.
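As an added illustration of the compromise check Sophos recommends (this is example code, not code from Sophos, Citrix or the article): a Python script that lists PHP files under the webshell drop directory named above, flagging random-looking filenames, files modified on or after the July 18 patch date, and SHA-256 hashes matching an IoC list the operator supplies. The directory path, the naming heuristic and the constructed sample files are assumptions.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
# Webshell drop location named in the report; assumed to be the dir to scan
DEFAULT_THEME_DIR = "/var/VPN/theme"
# Citrix published the CVE-2023-3519 fix on 18 July 2023; later mtimes deserve a look
PATCH_DATE = datetime(2023, 7, 18, tzinfo=timezone.utc)
# Heuristic for "randomly named": 8+ alphanumerics mixing letters and digits
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.IGNORECASE)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_theme_dir(theme_dir, known_bad=frozenset()):
    """Flag .php files under theme_dir; known_bad holds sha256 digests from
    a published IoC list (such as the GitHub list the report mentions)."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            digest = sha256_file(path)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            reasons = []
            if digest in known_bad:
                reasons.append("sha256 matches IoC list")
            if RANDOM_NAME.match(name[:-4]):
                reasons.append("random-looking filename")
            if mtime >= PATCH_DATE:
                reasons.append(f"modified after {PATCH_DATE:%Y-%m-%d}")
            if reasons:
                findings.append({"path": path, "sha256": digest, "reasons": reasons})
    return findings

def make_constructed_sample():
    """Constructed sample dir (not appliance data): a benign, backdated
    index.php and a freshly written, random-looking x7k2m9qz.php."""
    d = tempfile.mkdtemp(prefix="theme_")
    for name, when in (("index.php", 1_600_000_000), ("x7k2m9qz.php", None)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(f"<?php /* constructed placeholder {name} */ ?>\n")
        if when is not None:
            os.utime(p, (when, when))  # 2020: before the patch date
    return d
```

Run `scan_theme_dir(DEFAULT_THEME_DIR, known_bad)` on the appliance with the digests from the published IoC list; `make_constructed_sample()` only exists to dry-run the logic offline.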