Unpatched Citrix NetScaler systems are compromised in domain-wide attacks by a threat actor believed to be linked with the FIN8 hacker organisation exploiting the CVE-2023-3519 remote code execution vulnerability.
Sophos has been keeping an eye on this campaign since the middle of August, and it has learned that the threat actor executes payload injections, using BlueVPS for malware distribution, delivers obfuscated PowerShell scripts, and drops PHP webshells on victim machines.
The similarities to another operation spotted earlier this summer by Sophos experts have led the analysts to conclude that the two actions are linked, with the threat actor specialising in ransomware attacks.
CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway that was identified in mid-July 2023 as an actively exploited zero-day.
The vendor issued security upgrades to address the issue on July 18th. However, there was evidence that fraudsters were allegedly selling an exploit for the bug since at least July 6th, 2023.
Shadowserver reported finding 640 webshells in an equivalent number of infected Citrix servers on August 2nd, and Fox-IT increased that total to 1,952 two weeks later.
More than a month after the security upgrade became available in mid-August, approximately 31,000 Citrix NetScaler instances still had CVE-2023-3519 vulnerabilities, offering threat actors plenty of room for attacks.
A threat actor identified by Sophos X-Ops as "STAC4663" is reportedly exploiting CVE-2023-3519, and the researchers believe that this is a part of the same campaign that Fox-IT previously reported on earlier this month.
Analysis of the recent attacks' payload, which is injected into "wuauclt.exe" or "wmiprvse.exe," is still ongoing. However, Sophos believes that it is a link in a chain of ransomware attacks based on the attacker's profile.
According to Sophos, the campaign is possibly linked to the FIN8 hacker gang, which was recently identified as delivering the BlackCat/ALPHV ransomware.
This assumption and the link to the previous campaign of the ransomware actor are based on domain discovery, plink, BlueVPS hosting, unique PowerShell scripting, and the PuTTY Secure Copy [pscp].
Finally, the attackers employ a C2 IP address (45.66.248[.]189) for malware staging, as well as a second C2 IP address (85.239.53[.]49) that responds to the same C2 software as in the prior campaign. To assist defenders in detecting and stopping the attack, Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub.