Security researchers at Sophos shared some details along with Indicators of Compromise (IoCs) on a mass-exploitation campaign targeting vulnerable Citrix NetScaler instances.
The campaign observed in mid-August involves the attackers taking advantage of a remote code execution flaw (CVE-2023-3519) in unpatched Citrix NetScaler systems to drop PHP shells on victim machines.
CVE-2023-3519 is a code injection flaw that can lead to remote code execution. The vulnerability exists due to improper input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A remote, unauthenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
The attacks appear to be part of a large-scale hacking campaign observed earlier this month by researchers at the cybersecurity outfit Fox-IT, which is owned by the British information assurance firm NCC Group.
Citrix released security updates addressing CVE-2023-3519 in mid-July; however, evidence suggested that cybercriminals had been selling an exploit for the flaw since at least July 6.
Sophos has linked the attacks to a threat actor it tracks as ‘STAC4663’, believed to be associated with the financially motivated FIN8 cybercrime group. In July, the group was seen using an updated version of the Sardonic backdoor to deploy the BlackCat (ALPHV, Noberus) ransomware.