FIN8 ransomware, the alleged attacker on Citrix NetScaler

August 31, 2023

The FIN8 ransomware group is allegedly the threat actor exploiting the CVE-2023-3519 RCE flaw to compromise unpatched Citrix NetScaler systems. A security researcher who has been observing the campaign this month reports that the attackers perform payload injection, use BlueVPS hosting for malware staging, launch obfuscated PowerShell scripts, and deploy PHP webshells on targeted devices.

The researchers noticed that the recent campaign shares traits with a previous attack, which led them to conclude that the two incidents are connected. They also emphasised that the operators are well-versed in ransomware campaigns.

The bug in Citrix NetScaler has a critical severity rating.

Based on reports, the Citrix NetScaler bug (CVE-2023-3519) has a severity score of 9.8. It is a code injection vulnerability that a group of threat actors has been exploiting since last month.

The vendor rolled out the security updates for the flaw, but investigations have found evidence of threat actors selling the exploit for the vulnerability since July 6th.

Additionally, numerous reports of compromised Citrix servers surfaced during the first weeks of August, and the number of compromised servers swelled to nearly 2,000 infected devices.

By mid-August, over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, more than a month after the security update was made available, giving threat actors plenty of opportunity for attacks.

The recent analysis indicates that the attackers inject the payload into “wuauclt.exe” or “wmiprvse.exe” to start the campaign. The attack is allegedly part of a ransomware attack chain.

The researcher highlighted that their assessment linked the campaign to the FIN8 hacking group, which recently launched the ALPHV ransomware. These conclusions and suspicions about the ransomware actor’s identity are based on the researchers’ domain discovery, the BlueVPS hosting, the use of PuTTY Secure Copy and plink, and unusual PowerShell scripting.

Researchers noticed that the operators use one command-and-control IP address for malware staging and a second C2 IP address that responds with the same C2 software observed in a previous campaign.

Cybersecurity experts explained that prevention remains in the hands of device users: as long as Citrix NetScaler is left unpatched, the bug will continue to attract attackers, so applying the patches is essential.
