Citrix NetScaler ADC and NetScaler Gateway are facing an increased risk of opportunistic attacks by a ransomware group with possible ties to the financially motivated FIN8 threat actor. The vulnerability, known as CVE-2023-3519, is classified as a critical code injection vulnerability and affects multiple versions of Citrix's application delivery, load balancing, and remote access technologies. These NetScaler products are frequently targeted by attackers because of the high-level access they provide to the networks behind them. Many organizations use gateway technologies like these to enable secure access to enterprise applications and data for remote workers.
CVE-2023-3519 allows an unauthenticated remote attacker to execute arbitrary code on affected systems. This vulnerability has a near maximum severity rating of 9.8 out of 10 on the CVSS vulnerability rating scale. Attackers can exploit this vulnerability on any affected NetScaler system configured as a VPN virtual server, ICA proxy, RDP proxy, or an authentication, authorization, and accounting (AAA) server.
Citrix first disclosed the flaw on July 18 after observing active exploitation. They immediately recommended that organizations update their systems to patched versions of the software. Since the disclosure, multiple vendors have reported seeing malicious activity targeting the vulnerability.
Sophos, one of these vendors, recently reported that they observed a threat actor using the vulnerability as a code-injection tool to conduct a domain-wide attack in mid-August. In this attack, the threat actor injected malicious payloads into legitimate Windows processes like “wuauclt.exe” and “wmiprvse.exe”. Sophos also found that the threat actor used obfuscated PowerShell scripts and dropped randomly named PHP Web shells on victim systems. These Web shells allow adversaries to remotely execute system-level commands on Web servers.
The TTPs used in the mid-August attacks align with previous attacks Sophos had observed earlier this summer, which did not involve CVE-2023-3519. This discovery led Sophos to conclude that a known threat actor specializing in ransomware distribution is likely behind the latest attacks. Christopher Budd, the director of threat intelligence at Sophos, stated that the detected activity overlaps with other published activity associated with FIN8. FIN8 is a financially motivated threat group that has been operating since at least 2016 and has targeted organizations across multiple sectors.
Other reports have also highlighted malicious activity targeting Citrix ADC and Gateway products. Fox-IT reported observing over 1,900 backdoored Citrix NetScaler devices globally in a mass exploitation campaign. The threat actor in this campaign exploited CVE-2023-3519 and dropped a Web shell on vulnerable devices. The Shadowserver Foundation, a nonprofit organization monitoring malicious Internet activity, identified at least three separate campaigns targeting the vulnerability. These campaigns involved the dropping of PHP Web shells or executing malicious commands at the root level via a Web shell.
To mitigate the risk, organizations are advised to check for indicators of compromise on their NetScaler devices, even if they have already applied Citrix’s patch for the vulnerability. The US Cybersecurity and Infrastructure Security Agency also released a detailed advisory in July that included information on the threat actor’s TTPs and methods for detecting exploit activity.
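One practical form of the indicator check described above is to review the device's web-accessible directories for PHP files that were modified after the July 18 disclosure or that carry random-looking names, the two traits the reports above attribute to the dropped Web shells. The following is an added example, not code from the article, Citrix or CISA; the file listing is constructed for illustration and the naming heuristic is an assumption, so treat hits as leads for manual review rather than confirmed compromise.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a web-root file listing (path, last-modified UTC).
# These paths and names are illustrative only, not taken from a real device.
SAMPLE_LISTING = [
    ("/var/www/html/index.php", "2022-03-01T10:00:00Z"),
    ("/var/www/html/login.php", "2021-11-20T09:30:00Z"),
    ("/var/www/html/ctdq7x2k.php", "2023-08-14T02:13:45Z"),
    ("/var/www/html/lib/a9f3b1c7e2.php", "2023-07-20T23:59:59Z"),
    ("/var/www/html/README.txt", "2023-08-01T00:00:00Z"),
]

# Citrix disclosed CVE-2023-3519 on 18 July 2023; PHP files changed since then deserve a look.
DISCLOSURE = datetime(2023, 7, 18, tzinfo=timezone.utc)


def shannon_entropy(text: str) -> float:
    """Bits per character; random alphanumeric stems score higher than dictionary words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Assumed heuristic for generated names: 6+ lowercase alphanumerics with digits interleaved."""
    if not re.fullmatch(r"[a-z0-9]{6,}", stem):
        return False
    # A digit followed by a letter rules out plain version suffixes such as "config2".
    interleaved = re.search(r"[0-9][a-z]", stem) is not None
    return interleaved and shannon_entropy(stem) >= 2.5


def suspicious_php_files(listing, since=DISCLOSURE):
    """Return [(path, reasons)] for .php files that are recent, randomly named, or both."""
    flagged = []
    for path, mtime_iso in listing:
        if not path.lower().endswith(".php"):
            continue
        stem = path.rsplit("/", 1)[-1][:-4]
        mtime = datetime.fromisoformat(mtime_iso.replace("Z", "+00:00"))
        reasons = []
        if mtime >= since:
            reasons.append("modified after disclosure")
        if looks_random(stem):
            reasons.append("random-looking filename")
        if reasons:
            flagged.append((path, reasons))
    return flagged
```

On a real appliance the listing would come from a recursive directory walk of the web roots, and any hit should be compared against a known-good build before deciding whether the file is a Web shell.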
Overall, the exploitation of CVE-2023-3519 poses a significant threat to organizations using Citrix NetScaler ADC and NetScaler Gateway. It is crucial for organizations to promptly update their systems and remain vigilant for any suspicious activity that might indicate an attack.
