
A threat actor believed to be tied to the FIN8 hacking group is exploiting the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.
Sophos has been monitoring this campaign since mid-August, reporting that the threat actor performs payload injections, uses BlueVPS for malware staging, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines.
Resemblances to another attack that Sophos analysts observed earlier in the summer have led the analysts to infer that the two activities are linked, with the threat actor focusing on ransomware attacks.
Attacks on Citrix
CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection flaw in Citrix NetScaler ADC and NetScaler Gateway, discovered as an actively exploited zero-day in mid-July 2023.
The vendor released security updates for the issue on July 18th, but there was evidence that cybercriminals had allegedly been selling an exploit for the flaw since at least July 6th, 2023.
By August 2nd, Shadowserver reported discovering 640 webshells on an equal number of compromised Citrix servers, and two weeks later, Fox-IT raised that number to 1,952.
By mid-August, over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, more than a month after the security update was made available, giving threat actors plenty of opportunity for attacks.
Sophos X-Ops now reports that a threat actor it tracks as ‘STAC4663’ is exploiting CVE-2023-3519, which the researchers believe is part of the same campaign Fox-IT reported on earlier this month.
The payload delivered in the recent attacks, which is injected into “wuauclt.exe” or “wmiprvse.exe,” is still being analyzed. However, Sophos believes it is part of a ransomware attack chain based on the attacker’s profile.
Sophos told BleepingComputer that the campaign is assessed with moderate confidence to be linked to the FIN8 hacking group, which was recently seen deploying the BlackCat/ALPHV ransomware.
This assessment and the correlation to the ransomware actor’s earlier campaign are based on domain discovery, plink, BlueVPS hosting, unusual PowerShell scripting, and the PuTTY Secure Copy client [pscp].
Finally, the attackers use a C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP address (85.239.53[.]49) responding to the same C2 software as in the earlier campaign.
Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub to help defenders detect and stop the threat.
If you have not applied the security updates on Citrix ADC and Gateway appliances, follow the recommended actions in the vendor’s security bulletin.
