
Attacks on Citrix NetScaler systems linked to ransomware actor


A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

Sophos has been monitoring this campaign since mid-August, reporting that the threat actor performs payload injections, uses BlueVPS for malware staging, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines.

Resemblances to another attack that Sophos analysts observed earlier in the summer have led the analysts to infer that the two activities are linked, with the threat actor focusing on ransomware attacks.

Attacks on Citrix

CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection flaw in Citrix NetScaler ADC and NetScaler Gateway, discovered as an actively exploited zero-day in mid-July 2023.

The vendor released security updates for the issue on July 18th, but there was evidence that cybercriminals had allegedly been selling an exploit for the flaw since at least July 6th, 2023.

By August 2nd, Shadowserver reported finding 640 webshells on an equal number of compromised Citrix servers, and two weeks later, Fox-IT raised that number to 1,952.

By mid-August, over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, more than a month after the security update was made available, giving threat actors plenty of opportunity for attacks.

Sophos X-Ops now reports that a threat actor it tracks as ‘STAC4663’ is exploiting CVE-2023-3519, which the researchers believe is part of the same campaign Fox-IT reported on earlier this month.

The payload delivered in the latest attacks, which is injected into “wuauclt.exe” or “wmiprvse.exe,” is still being analyzed. However, Sophos believes it is part of a ransomware attack chain based on the attacker’s profile.

Sophos told BleepingComputer that the campaign is assessed with moderate confidence to be linked to the FIN8 hacking group, which was recently seen deploying the BlackCat/ALPHV ransomware.

This assessment and the correlation to the ransomware actor’s earlier campaign are based on domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, and PuTTY Secure Copy [pscp].

Finally, the attackers use a C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP address (85.239.53[.]49) responding to the same C2 software as in the previous campaign.

Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub to help defenders detect and stop the threat.

If you have not applied the security updates on Citrix ADC and Gateway appliances, follow the recommended actions in the vendor’s security bulletin.
