FIN8-linked actor targets Citrix NetScaler systems

A financially motivated actor linked to the FIN8 group exploits the CVE-2023-3519 RCE in attacks on Citrix NetScaler systems in massive attacks.

Sophos X-Ops is tracking an ongoing campaign, which is targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group [BleepingComputer, SOCRadar]. The hackers are exploiting the remote code execution, tracked as CVE-2023-3519, in a large-scale campaign.

The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution. Exploits for this vulnerability have been observed in attacks against unmitigated appliances. Citrix reported that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Sophos started monitoring this campaign in mid-August when they first spotted threat actors infecting a target system using the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack.

The attackers use highly obfuscated PowerShell scripts called with distinctive arguments, they were also spotted dropping randomly named PHP webshells (/var/vpn/theme/[random].php) on victim machines.

“The injected payload for the attack we saw involving Citrix is still under analysis. However, earlier in the summer, we saw activity in a second case that bore a strong resemblance to this case.” continues Sophos.

In July, the U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems.

CISA did not attribute the attack to a specific threat actor. The attackers exploited the flaw to deploy the the webshell that was used to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The threat actors attempted to move laterally to a domain controller, but CISA pointed out that network-segmentation controls for the appliance blocked movement.

The attackers obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance. Then threat actors sent data as an image file to a web-accessible path: 

cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The attackers attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls blocked this activity too.

In early August, security researchers from the non-profit organization Shadowserver Foundation reported that hundreds of Citrix Netscaler ADC and Gateway servers have already been compromised as part of an ongoing campaign exploiting the critical remote code execution (RCE) vulnerability CVE-2023-3519.

In an update provided by Shadowserver Foundation, the researchers from the non-profit organization confirmed that threat actors successfully installed webshells on at least 581 Citrix servers compromised by exploiting the above issue.

Earlier in the summer, Sophos saw activity that didn’t involve the Citrix vulnerability, but that shared TTP similarities (domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, use of PuTTY Secure Copy [pscp]) with attacks conducted by a known threat actor specializing in ransomware attacks.

Threat actors also use a C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP (85.239.53[.]49) responding to the same C2 software. These C2 addresses were also observed in the previous ransomware attacks.

Sophos tracked these malicious activities as Threat Activity Cluster number STAC4663.

The researchers are still analyzing the payload delivered in the attacks, which is injected into “wuauclt.exe” or “wmiprvse.exe.”

“We advise anyone with Citrix NetScaler infrastructure to immediately check it for signs of compromise and also to patch the vulnerability. Patching alone won’t address attacks already using the vuln to gain access to the system so both actions are necessary for proper protection.” continues the report.

Sophos also shared a list of IoCs for this campaign:

The FIN8 group has been active since 2016, it leverages known malware such as PUNCHTRACK and BADHATCH to infect PoS systems and steal payment card data.

In the past few years, the group has been observed using a number of ransomware threats, including the Ragnar Locker ransomware (June 2021), and the White Rabbit ransomware (January 2022).

On December 2022, Symantec observed the group attempting to deploy the ALPHV/BlackCat ransomware.

Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub to help defenders detect and stop the threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix NetScaler)