A known threat actor specializing in ransomware attacks is believed to be behind a recent campaign that targeted unpatched internet-facing Citrix NetScaler systems to serve as an initial foothold into enterprise networks.
"Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs," Sophos researchers shared.
Sophos researchers have been monitoring an attack campaign since mid-August and discovered that the attackers leveraged CVE-2023-3519 to conduct attacks on unpatched Citrix NetScaler systems.
"The injected payload for the attack we saw involving Citrix is still under analysis. However, earlier in the summer, we saw activity in a second case that bore a strong resemblance to this case," the Sophos X-Ops team noted.
The team has published indicators of compromise on GitHub and urges anyone with Citrix NetScaler infrastructure to check it for signs of compromise and patch the vulnerability.
"We also advise defenders to examine their data, particularly data from before mid-July, to see if any of these IoCs now seen in the NetScaler attacks appeared prior to the announcement of the new vulnerability," they added.
News URL
https://www.helpnetsecurity.com/2023/08/29/citrix-netscaler-ransomware/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2023-07-19 | CVE-2023-3519 | Code Injection vulnerability in Citrix products: unauthenticated remote code execution | 9.8 |