Unpatched Citrix NetScaler Systems Targeted
Take action: If you haven't patched your Citrix gateways because you are optimistic, now is the time to be very pessimistic. And start patching immediately. No amount of debate "we have firewalls" and "we are low risk" is going to make it better.
Unpatched instances of Citrix NetScaler systems that are accessible on the internet are currently under attack by unidentified threat actors, suspected to be orchestrating a ransomware assault. Sophos has named this campaign cluster "STAC4663" and is actively monitoring its activities.
The attack methodology involves exploiting a critical code injection vulnerability, CVE-2023-3519, which affects NetScaler ADC and Gateway servers. This vulnerability allows remote code execution without authentication. In a specific incident discovered in mid-August 2023, this security flaw was exploited to carry out a large-scale attacks. As part of this intrusion, malicious code was injected into legitimate executables like the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). Currently, experts are engaged in analyzing the exact nature of the payload that was introduced.
Notable elements of the attack strategy include the distribution of concealed PowerShell scripts, PHP web shells, and the utilization of a cloud hosting service named BlueVPS for staging malware.
There are significant similarities between this modus operandi and a previous attack campaign that was disclosed by NCC Group Fox-IT earlier in the same month. In that incident, nearly 2,000 Citrix NetScaler systems were compromised using comparable methods. Additionally, there is a connection to an earlier attack that employed the same techniques, but not targeting the Citrix vulnerability.
Sophos has stated that the evidence points toward the high likelihood that this activity is carried out by a known threat actor specializing in ransomware attacks.
To safeguard against potential threats, users of Citrix NetScaler ADC and Gateway appliances are strongly advised to apply the necessary patches promptly.