
Unpatched Citrix NetScaler Devices Under Attack, Connected to FIN8

A threat actor linked to the FIN8 hacking group is exploiting a critical vulnerability in Citrix NetScaler systems to launch domain-wide attacks. Sophos has been monitoring this operation since mid-August.

Diving into details

  • The vulnerability under abuse in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2023-3519, was discovered as an actively exploited zero-day in mid-July 2023.
  • The flaw allows remote code execution and affects multiple versions of the Citrix products used for application delivery, load balancing, and remote access.
  • Over 31,000 Citrix NetScaler instances are still vulnerable to the flaw, despite security updates being available for over a month.

Modus operandi

In this series of attacks, the attacker followed up exploitation by injecting two malicious payloads into separate processes.
  • One was "wuauclt.exe," a legitimate component of the Windows Update client, and the other was "wmiprvse.exe," the host process for the Windows Management Instrumentation (WMI) service.
  • The threat actor also employed heavily obfuscated PowerShell scripts as part of the attack chain.
  • The attacker further deposited multiple PHP webshells with randomly generated names on victims' systems.
  • These webshells give unauthorized parties a means to execute system-level commands remotely on the affected web servers.
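As an added example (not code from the Sophos research or this article), the following Python sweep targets the random-named PHP webshells described above: it scores each filename stem for machine-generated patterns so a reviewer can triage an exported listing of a NetScaler web root. The allowlist, thresholds, and sample listing are constructed assumptions, not real indicators.

```python
"""Flag PHP files whose names look machine-generated (a heuristic IOC sweep)."""
import math
import os
from collections import Counter

# Names that legitimately occur in a web root (constructed, non-exhaustive allowlist;
# extend it from a known-good baseline of the deployed firmware).
EXPECTED_STEMS = {"index", "login", "logout", "config", "error", "health"}
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(stem: str) -> bool:
    """Heuristic: does this stem read like 'x7gq2mvbp' rather than 'login'?"""
    s = stem.lower()
    if s in EXPECTED_STEMS or len(s) < 8 or not s.isalnum():
        return False
    has_digit = any(ch.isdigit() for ch in s)
    has_alpha = any(ch.isalpha() for ch in s)
    vowel_ratio = sum(ch in VOWELS for ch in s) / len(s)
    # Mixed letters+digits with high entropy, or a long vowel-free run, is
    # typical of generated names and rare in hand-written ones (thresholds assumed).
    return (has_digit and has_alpha and shannon_entropy(s) >= 2.8) or vowel_ratio < 0.15

def suspicious_php_files(paths):
    """Return the subset of `paths` that are .php files with random-looking names."""
    hits = []
    for p in paths:
        stem, ext = os.path.splitext(os.path.basename(p))
        if ext.lower() == ".php" and looks_random(stem):
            hits.append(p)
    return hits

def scan_tree(root):
    """Walk a real directory (e.g. an exported copy of the web root) and apply the check."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return suspicious_php_files(paths)

# Constructed sample listing; the random names are illustrative, not real IOCs.
SAMPLE_LISTING = [
    "/webroot/index.php", "/webroot/login_form.php", "/webroot/settings.php",
    "/webroot/x7gq2mvbp.php", "/webroot/kqzxvbnmtrp.php", "/webroot/images/logo.png",
]

if __name__ == "__main__":
    for hit in suspicious_php_files(SAMPLE_LISTING):
        print("review:", hit)
```

Any hit should be checked for file timestamps and contents, since the heuristic will also flag legitimately short, digit-bearing names.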


Attribution to FIN8

  • Sophos identified TTPs used by the threat actor that matched those observed in attacks earlier in the summer; those earlier attacks did not involve CVE-2023-3519.
  • The overlap includes the same malicious infrastructure, hosting services, unique PowerShell scripts, and the use of the PuTTY Secure Copy client (PSCP) for file transfers.
  • These activities parallel previously attributed FIN8 activity. The earlier attacks were observed before the Citrix vulnerability was folded into the operation around mid-August.

The bottom line

Organizations should check their NetScaler systems for indicators of compromise even if they have already applied the patch, since exploitation may have preceded patching. They should also strengthen their defenses by continuously monitoring network activity for unusual patterns, conducting regular security assessments, and raising staff awareness of potential threats and attack vectors.
Cyware Publisher