29 August 2023

Citrix NetScaler attacks linked to a ransomware campaign


Security researchers at Sophos shared some details along with Indicators of Compromise (IoCs) on a mass-exploitation campaign targeting vulnerable Citrix NetScaler instances.

The campaign observed in mid-August involves the attackers taking advantage of a remote code execution flaw (CVE-2023-3519) in unpatched Citrix NetScaler systems to drop PHP shells on victim machines.

CVE-2023-3519 is a code injection flaw that can lead to remote code execution. The vulnerability exists due to improper input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A remote, unauthenticated attacker can send a specially crafted request and execute arbitrary code on the target system.

The attacks appear to be part of a large-scale hacking campaign observed earlier this month by researchers at the cybersecurity outfit Fox-IT, owned by the British information assurance firm NCC Group.

Citrix released security updates addressing CVE-2023-3519 in mid-July; however, evidence suggested that cybercrooks had been selling an exploit for the flaw since at least July 6.

Sophos has linked the attacks to a threat actor it tracks as ‘STAC4663’, believed to be associated with the financially motivated FIN8 cybercrime group. In July, the group was seen using an updated version of the Sardonic backdoor to deploy the BlackCat (ALPHV, Noberus) ransomware.
