Ransomware group exploits Citrix NetScaler systems for initial access

A known threat actor specializing in ransomware attacks is believed to be behind a recent campaign that targeted unpatched internet-facing Citrix NetScaler systems to serve as an initial foothold into enterprise networks.


“Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs,” Sophos researchers shared.

Citrix systems under attack

In mid-July 2023, a zero-day remote code execution (RCE) vulnerability (CVE-2023-3519) began to be exploited in the wild. Citrix released fixes for it on July 18 and urged customers to patch their installations and check for indicators of compromise.

It was later discovered that exploits for the bug had been available for purchase on the dark web some time prior to the first attacks.

Earlier this month, Fox-IT revealed that over 1,200 NetScaler devices are compromised with installed webshells even though they have been patched for CVE-2023-3519.

Attack attribution

Sophos researchers have been monitoring an attack campaign since mid-August and discovered that the attackers leveraged CVE-2023-3519 to conduct attacks on unpatched Citrix NetScaler systems.

During the later stages, the attackers performed payload injections, used BlueVPS ASN 62005 for malware staging, used highly obfuscated PowerShell scripts, and dropped randomly named PHP webshells on victim machines.

“The injected payload for the attack we saw involving Citrix is still under analysis. However, earlier in the summer, we saw activity in a second case that bore a strong resemblance to this case,” the Sophos X-Ops team noted.

“It didn’t involve the Citrix vuln but used some of the same TTPs (domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, use of PuTTY Secure Copy [pscp]) in very similar ways, along with a second C2 IP address (85.239.53[.]49) responding to the same C2 software.”

All this led them to believe the activities had been conducted by the same threat actor, which specializes in ransomware attacks.

The team has published indicators of compromise (IoCs) on GitHub and urges anyone with Citrix NetScaler infrastructure to check it for signs of compromise and patch the vulnerability (if they haven’t already).

“We also advise defenders to examine their data, particularly data from before mid-July, to see if other of these IoCs now seen in the NetScaler attacks have appeared prior to announcement of the new vulnerability,” they added.
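A retro-hunt along the lines Sophos recommends could look like the following. This is an added example, not code from Sophos or from the article: it uses only the C2 address and tool names quoted above, and the log layout, field names, sample events and the July 18 cutoff are assumptions.

```python
import re
from datetime import datetime, timezone

# C2 address quoted in the article, kept defanged in source and refanged on load.
C2_IPS = {ip.replace("[.]", ".") for ip in ["85.239.53[.]49"]}
# Tools from the article's TTP list. Both are legitimate admin utilities,
# so a tool-only hit is a lead to triage, not proof of compromise.
TOOLS = {"plink", "pscp"}
# Assumption: the date Citrix released fixes marks the disclosure cutoff.
DISCLOSURE = datetime(2023, 7, 18, tzinfo=timezone.utc)
# Assumed log layout: "<UTC ISO 8601> host=<h> proc=<path> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):\d+$")

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
2023-06-28T03:14:07Z host=fs01 proc=C:\\Temp\\PLINK.EXE dst=85.239.53.49:443
2023-07-02T09:00:00Z host=ws12 proc=pscp.exe dst=192.0.2.10:22
2023-08-16T11:02:44Z host=web01 proc=powershell.exe dst=85.239.53.49:8443
2023-08-17T08:30:00Z host=ws07 proc=chrome.exe dst=198.51.100.7:443
2023-08-18T10:00:00Z host=ws09 proc=curl.exe dst=185.239.53.49:443
"""

def hunt(log_text):
    """Return one finding per event that matches an IoC or a listed tool."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these in a real pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Normalise "C:\Temp\PLINK.EXE" -> "plink" before comparing.
        name = re.sub(r"\.exe$", "", re.split(r"[\\/]", m["proc"])[-1].lower())
        reasons = []
        if m["ip"] in C2_IPS:  # exact match: 185.239.53.49 must not hit
            reasons.append("c2_ip")
        if name in TOOLS:
            reasons.append("tool:" + name)
        if reasons:
            findings.append({"host": m["host"], "reasons": reasons,
                             "pre_disclosure": ts < DISCLOSURE})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

Findings with `pre_disclosure` set are the ones the Sophos advice is aimed at: activity matching these IoCs that predates the vulnerability announcement.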
