Citrix NetScaler ADC and NetScaler Gateway are at heightened risk of opportunistic attacks by a ransomware group likely linked to the financially motivated FIN8 threat actor.
The critical code injection vulnerability is being tracked as CVE-2023-3519 and affects multiple versions of Citrix’ application delivery, load balancing, and remote access technologies.
NetScaler products are popular attacker targets because of the highly privileged access they provide to targeted networks. Many organizations have deployed gateway technologies like these to enable secure access to enterprise applications and data for remote workers.
Unauthenticated Remote Code Execution
CVE-2023-3519 allows an unauthenticated remote attacker to execute arbitrary code on affected systems and has a near maximum severity rating of 9.8 out of 10 on the CVSS vulnerability rating scale. Attackers can exploit the vulnerability on any affected NetScaler system that an organization might have configured as a VPN virtual server, ICA proxy, RDP proxy, or an authentication, authorization, and accounting (AAA) server.
Citrix first disclosed the flaw July 18 amid active exploit activity and recommended that organizations immediately update their systems to patched versions of the software. Since that disclosure, multiple vendors have reported observing malicious activity targeting the flaw.
One of them, Sophos, last week said it had observed a threat actor using the vulnerability as “a code-injection tool to conduct a domain-wide attack” in mid-August.
The attack chain included the threat actor injecting malicious payloads into “wuauclt.exe,” a legitimate process associated with the Windows Update client, and into “wmiprvse.exe,” the service host process for the Windows Management Instrumentation (WMI) service. Sophos said its analysis also showed the threat actor using highly obfuscated PowerShell scripts as part of the attack and dropping several randomly named PHP Web shells on victim systems. Such Web shells give adversaries a way to remotely execute system level commands on Web servers.
Potential Link to FIN8 Threat Group
Sophos said the tactics, techniques, and procedures (TTP) that the threat actor used in the mid-August attacks were similar to TTPs it had observed in previous attacks this summer that did not involve CVE-2023-3519. The similarities included the use of the same malicious infrastructure and hosting services, unusual PowerShell scripts, and the use of PuTTY Secure Copy Protocol for file transfers. Sophos concluded that a known threat actor specializing in ransomware distribution is likely behind the latest attacks.
“Sophos has observed overlaps in this activity consistent with other published activity attributed to FIN8,” says Christopher Budd, director of threat intelligence at Sophos. “As outlined in the Sophos X-Ops’ thread on this campaign, we saw attacks earlier this summer prior to the Citrix vulnerability being used, with the Citrix vulnerability incorporated in mid-August.”
FIN8 is a well-known financially motivated threat group that has been operational off and on since at least 2016. It has been associated with numerous attacks on organizations across multiple sectors including technology, financial services, retail, and hospitality. The group resurfaced in July after a relative lull, this time in a campaign to distribute BlackCat ransomware. “Sophos believes these attacks are opportunistic in nature, with activity reflecting that this is a well-established group employing new tools,” Budd says.
Check for IoCs Even If Patched
The Sophos report is one among several in recent weeks to chronicle malicious activity targeting the Citrix ADC and Gateway products. In early August, Fox-IT reported observing over 1,900 Citrix NetScaler devices worldwide that had been backdoored in a mass exploitation campaign. Fox-IT assessed the threat actor had exploited CVE-2023-3519 in an opportunistic manner using a script that searched for vulnerable devices and dropped a Web shell on them. “The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted,” Fox-IT warned. “At the time of writing, more than 1,900 NetScalers remain backdoored.”
The security vendor recommends that organizations do an indicator-of-compromise check on NetScaler devices even if they have applied Citrix’s patch for the flaw.
On Aug. 7, the nonprofit Shadowserver Foundation, which tracks and monitors malicious Internet activity, said it had identified at least three separate campaigns targeting CVE-2023-3519. Two of the campaigns involved the threat actor dropping a PHP Web shell on a vulnerable host, while the third involved the attacker executing malicious commands at the root level via a Web shell. The Foundation said its telemetry showed at least 7,000 NetScaler hosts worldwide as being vulnerable to exploit at the time.
Back in July, soon after Citrix disclosed the flaw, the US Cybersecurity and Infrastructure Security Agency also released a detailed advisory, which included the threat actor’s TTPs and methods for detecting exploit activity.