FIN8 Ransomware Group Targets Unpatched Citrix NetScaler Devices

August 29, 2023

Citrix NetScaler ADC and NetScaler Gateway devices are being targeted by a ransomware group, suspected to be linked to the financial threat actor FIN8. The attackers are exploiting an unpatched critical code injection vulnerability, CVE-2023-3519, across multiple versions of Citrix's technologies. These products are attractive to attackers due to their high-level access to targeted networks.

The vulnerability, CVE-2023-3519, allows a remote attacker to execute arbitrary code on affected systems without authentication. The severity rating of this vulnerability is 9.8 out of 10 on the CVSS scale. This vulnerability can be exploited on any NetScaler system configured as a VPN virtual server, ICA proxy, RDP proxy, or an AAA server. Citrix disclosed this flaw on July 18 and urged organizations to update their systems immediately.

Since the disclosure, numerous vendors reported malicious activity targeting the vulnerability. Sophos, in particular, observed a threat actor using the vulnerability to conduct a domain-wide attack in mid-August. The attacker injected malicious payloads into legitimate processes associated with the Windows Update client and the Windows Management Instrumentation service.

Sophos also found the threat actor using highly obfuscated PowerShell scripts and dropping several randomly named PHP Web shells on victim systems. Such Web shells allow adversaries to execute system-level commands on Web servers remotely. The tactics, techniques, and procedures used in these attacks were similar to those observed in previous attacks, leading Sophos to conclude a known ransomware-distributing threat actor is likely behind the latest attacks.

Christopher Budd, director of threat intelligence at Sophos, stated, 'Sophos has observed overlaps in this activity consistent with other published activity attributed to FIN8.' This group, operational since at least 2016, has been linked to numerous attacks across sectors like technology, financial services, retail, and hospitality. The group resurfaced in July to distribute BlackCat ransomware.

In early August, Fox-IT reported that over 1,900 Citrix NetScaler devices worldwide had been backdoored in a mass exploitation campaign. The threat actor exploited CVE-2023-3519 using a script that searched for vulnerable devices and dropped a Web shell on them. Fox-IT warned that the adversary could still execute arbitrary commands through this Web shell even after the NetScaler had been patched and/or rebooted.

The Shadowserver Foundation identified three separate campaigns targeting CVE-2023-3519. Two campaigns involved the threat actor dropping a PHP Web shell on a vulnerable host, while the third saw the attacker executing malicious commands as root via a Web shell. The Foundation's telemetry showed at least 7,000 NetScaler hosts worldwide still vulnerable to exploitation at that time.
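Because the Web shells described above are dropped under randomly generated PHP file names and survive patching and reboots, patching alone does not clear an already-compromised appliance. The following triage helper is an added example (not code from the article, Sophos, Fox-IT or Citrix) that flags .php files whose names look machine-generated and were modified on or after the July 18 disclosure; the sample file names are constructed, the webroot path is an assumption you must supply, and the heuristic is a starting point for review, not a verdict.

```python
#!/usr/bin/env python3
"""Triage helper: flag PHP files with random-looking names in a webroot."""
import math
import os
import re
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Citrix disclosed CVE-2023-3519 on July 18, 2023; used here as a triage cut-off.
DISCLOSURE = datetime(2023, 7, 18, tzinfo=timezone.utc)

# Constructed sample names (hypothetical), not indicators from the article.
SAMPLE_NAMES = [
    "index.php", "login.php", "config.php", "healthcheck.php",
    "a8f3k2qz.php", "xq7pl9v2b.php", "zr4tq9.php", "ab12.php",
]

def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; higher means less repetition."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(stem: str) -> bool:
    """Heuristic: lower-case alphanumeric stem of 6+ chars that mixes in digits
    or has almost no vowels, and whose characters are spread out (high entropy)."""
    if len(stem) < 6 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return (has_digit or vowel_ratio < 0.2) and shannon_entropy(stem) >= 2.5

def flag_names(names):
    """Return the .php file names from `names` that look machine-generated."""
    return [n for n in names if n.endswith(".php") and looks_random(Path(n).stem)]

def scan_dir(root, since=DISCLOSURE):
    """Walk `root` (assumed webroot path) and return (path, mtime) for flagged
    .php files modified on or after `since`, for manual review."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in flag_names(files):
            p = Path(dirpath) / f
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append((str(p), mtime.isoformat()))
    return hits

if __name__ == "__main__":
    print(flag_names(SAMPLE_NAMES))  # prints the three random-looking names
```

Run `scan_dir("/path/to/webroot")` against a copy of the appliance's web content; any hit should be reviewed by hand, since short or hashed legitimate names can also trip the heuristic.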
