Hackers Attacking unpatched Citrix NetScaler

Threat actors targeting unpatched Citrix NetScaler systems exposed to the internet are being tracked by Sophos X-Ops. 

As per research, the recent attacks share a similarity with attacks using CVE-20233519 delivering malware.

Citrix was discovered with a Zero-Day vulnerability on their Citrix NetScaler Application Delivery Controller (ADC) that allowed threat actors to perform remote code execution at the beginning of August.

According to a Fox-IT report earlier this month, approximately 2,000 NetScaler systems are compromised worldwide.

In mid-August, the threat actors used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack once the targets were infected.

Later stages of that attack included behaviors such as Payload injection into wuauclt(.)exe or wmiprvse(.)exe and the use of BlueVPS ASN 62005 for malware staging.

In addition to that, they use highly obfuscated PowerShell scripts with distinctive arguments and drop randomly named PHPwebshells (/var/VPN/theme/[random].php) on victim machines. 

Citrix issued a patch for the CVE-2023-3519 issue on July 18 and has further details in their advisory.

Sophos recommends the users of  Citrix NetScaler infrastructure immediately check it for signs of compromise and also to patch the vulnerability.

Patching alone won’t address attacks already using the vulnerability to gain access to the system, so both actions are necessary for proper protection.

It also recommends defenders examine their data, particularly data from before mid-July, to see if other of these IoCs now seen in the NetScaler attacks have appeared prior to the announcement of the new vulnerability.

A list of IoCs for this case will be made available on GitHub

Indicator of compromise

sha256bb28ba8d838c8eefdd5ae1e23d5872968d84e8cb86bf292b2c3bf4c84ad7dbd0php webshell
sha256383df272841f9a677ee03f6f553bc6cf3197427d792dc9f86b7fb1911dc83d71php webshell
sha25620b375ac4487a5955d4b0dd0a600e851d1e455a30c3f8babd0e7e1e97d11a073malicious ps1
sha256857d6f7e4b96738adb9cc023e2c504362fe8b73bdce422f8f8cb791dd6ac2449php webshell
sha25694f09d01e1397ca80c71b488b8775acfe2776b5ab42e9a54547d9e5f58caf11amalicious .net DLL
sha25601717ce6fe0f79c4dc935549c516e4a1941cb4a4e84233e8fdff447177ce556ephp webshell
sha25603657d8f9dcb49a690d4b07da4f49ead58000efe458ca3ba7f878233dd25e391php webshell
sha2562d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9amalicious .net DLL

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.