Ransomware Actor Exploits Vulnerabilities in Citrix NetScaler Systems

Credit by FreePik

VTA-004459 – Ransomware Actor Exploits Vulnerabilities in Citrix NetScaler Systems

A threat actor believed to be tied to the FIN8 hacking group has been exploiting the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks. Cybersecurity experts at Sophos X-Ops have uncovered a wave of attacks targeting unpatched Citrix NetScaler systems exposed to the internet. The flaw, tracked as CVE-2023-3519, affects Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices.

The threat actor performs payload injections, uses BlueVPS for malware stating, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines. The threat actor specializes in ransomware attacks and is believed to be behind a campaign that targeted unpatched Citrix NetScaler systems. The threat actor has been tracked by Sophos X-Ops since mid-August.

By August 2nd, Shadowserver reported discovering 640 webshells in an equal number of compromised Citrix servers, and two weeks later, Fox-IT raised that number to 1,952. By mid-August, over 31,000 Citrix NetScaler instances remained exposed to the internet. The attacks have the potential to cause significant damage to organizations that rely on Citrix NetScaler systems.


Attack Surfaces:
Cloud Service, Infrastructure, Others, Remote Access Service

Command and Control, Credential Access, Initial Access, Reconnaissance

T1592 – Gather Victim Host Information: Software
T1588 – Obtain Capabilities: Vulnerabilities
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter: PowerShell
T1486 – Data Encrypted for Impact

Indicator or Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Keep all software and systems up to date with the latest patches and updates to minimize the risk of exploitation.
2. Provide cybersecurity awareness training to employees to educate them about the risks of phishing attacks and social engineering techniques.
3. Regularly backup critical data and ensure that backups are stored securely.
4. Employ strong security measures such as firewalls, intrusion detection systems, and antivirus software to detect and prevent unauthorized access and malware infections.
5. Divide your network into smaller, isolated segments, each with its own set of security controls. This helps to contain the impact of a potential breach and limits an attacker’s ability to move laterally.
6. Follow least privilege access in granting access only to the resources and systems that are necessary for each user or system.
7. Deploy security tools such as SIEM (Security Information and Event Management) to detect and analyze network traffic.
8. Enforce strong access controls, including multi-factor authentication and strong passwords, to prevent unauthorized access to systems and resources.
9. Regularly perform penetration testing to identify any vulnerabilities or weaknesses in your network.

Contributed by: Varrumen