Attacks on Citrix NetScaler systems linked to ransomware actor

Cyber Security Threat Summary:
According to Sophos, an unknown threat actor, believed to be linked to the FIN8 hacking group, has been exploiting a critical remote code execution flaw (CVE-2023-3519) to compromise unpatched Citrix NetScaler systems in domain-wide attacks. Since mid-August, the threat actor has been observed using the exploit to deploy obfuscated PowerShell scripts and PHP webshells, and to stage malware on victims' systems using an Estonian hosting service called BlueVPS. This activity resembles another attack that Sophos observed earlier in the summer, leading analysts to assess that the same threat actor, one specializing in ransomware attacks, is behind both.

“Sophos told BleepingComputer that the campaign is assessed with moderate confidence to be linked to the FIN8 hacking group, which was recently seen deploying the BlackCat/ALPHV ransomware. This assumption and the correlation to the ransomware actor's previous campaign are based on domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, and the PuTTY Secure Copy [pscp]. Finally, the attackers use a C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP address (85.239.53[.]49) responding to the same C2 software as in the previous campaign” (BleepingComputer, 2023).

Security Officer Comments:
The actors were observed injecting the payloads into legitimate processes such as the Windows Update Agent (wuauclt[.]exe) and the Windows Management Instrumentation Provider Service (wmiprvse[.]exe). Running attacker code inside a trusted, signed process is a common tactic for evading detection by anti-virus scanning. Researchers have yet to identify the payloads used by the actor, as the binaries are still being analyzed. However, based on the attacker's profile, they suspect the payloads are deployed as part of a ransomware attack chain.

Suggested Correction(s):
Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub to help defenders detect and stop the threat. If you have not yet applied the security updates to Citrix ADC and Gateway appliances, follow the recommended actions in the vendor's security bulletin.
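The two passages above give a defender two things to act on: the C2 addresses quoted from the report (in defanged form), and the two legitimate process names the actor injects into. The following Python script is an added example, not code from Sophos, BleepingComputer or the IoC list on GitHub. It refangs the two IP indicators from this page, parses a constructed set of network-connection events in a hypothetical key=value format, and raises a higher-severity finding when the connecting process is one of the named injection targets. The event lines, hostnames and file paths are constructed for illustration and are not telemetry from the incident.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Defanged C2 addresses quoted in the summary above (from the Sophos/BleepingComputer report).
DEFANGED_IOCS = ["45.66.248[.]189", "85.239.53[.]49"]

# Processes the report names as injection targets. A network connection from one of
# these to a listed C2 address is a much stronger signal than from an arbitrary process.
INJECTION_TARGETS = {"wuauclt.exe", "wmiprvse.exe"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 45.66.248[.]189 back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(defanged: Iterable[str]) -> set:
    """Refang and validate IP indicators; entries that are not IPs are skipped, not fatal."""
    ips = set()
    for item in defanged:
        candidate = refang(item.strip())
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # e.g. a domain or hash from the same list; handle separately
    return ips


# Constructed sample events (hypothetical key=value format; not real telemetry).
SAMPLE_EVENTS = """\
ts=2023-08-20T10:01:12Z host=WS01 image=C:\\Windows\\System32\\wuauclt.exe dst=45.66.248.189 dport=443
ts=2023-08-20T10:01:15Z host=WS01 image=C:\\Windows\\System32\\svchost.exe dst=20.190.160.14 dport=443
ts=2023-08-20T10:02:40Z host=WS02 image=C:\\Windows\\System32\\wbem\\wmiprvse.exe dst=85.239.53.49 dport=8443
ts=2023-08-20T10:03:01Z host=WS02 image=C:\\Tools\\browser.exe dst=85.239.53.49 dport=443
ts=2023-08-20T10:04:09Z host=WS03 image=C:\\Windows\\System32\\wmiprvse.exe dst=10.0.0.5 dport=135
"""

# key=value pairs separated by whitespace; values in this constructed format contain no spaces.
EVENT_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict (unknown keys are kept as-is)."""
    return dict(EVENT_RE.findall(line))


def triage(events_text: str, ioc_ips: set) -> List[Tuple[str, str, dict]]:
    """Return (severity, reason, event) for every event whose destination is a listed C2 IP.

    Severity is 'high' when the connecting process is one of the injection targets named
    in the report, 'medium' for any other process talking to a listed address.
    """
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        dst = ev.get("dst")
        if dst not in ioc_ips:
            continue
        proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if proc in INJECTION_TARGETS:
            findings.append(("high", f"{proc} (named injection target) connected to C2 {dst}", ev))
        else:
            findings.append(("medium", f"{proc} connected to C2 {dst}", ev))
    return findings


if __name__ == "__main__":
    for severity, reason, ev in triage(SAMPLE_EVENTS, load_iocs(DEFANGED_IOCS)):
        print(f"[{severity.upper()}] {ev['ts']} {ev['host']}: {reason}")
```

The IP match alone is what most IoC feeds give you; the extra step of cross-referencing the process name against the injection targets the report describes is what turns a feed hit into a prioritised alert. Replace `SAMPLE_EVENTS` with your own network telemetry and extend `DEFANGED_IOCS` from the published list; non-IP entries in that list are skipped by `load_iocs` and would need their own matcher.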