
Ransomware group exploits Citrix NetScaler systems for initial access
2023-08-29 11:38

A known threat actor specializing in ransomware attacks is believed to be behind a recent campaign that targeted unpatched internet-facing Citrix NetScaler systems to serve as an initial foothold into enterprise networks.

"Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs," Sophos researchers shared.

Sophos researchers have been monitoring the campaign since mid-August and found that the attackers exploited CVE-2023-3519 against unpatched Citrix NetScaler systems.

"The injected payload for the attack we saw involving Citrix is still under analysis. However, earlier in the summer, we saw activity in a second case that bore a strong resemblance to this case," the Sophos X-Ops team noted.

The team has published indicators of compromise on GitHub and urges anyone with Citrix NetScaler infrastructure to check it for signs of compromise and patch the vulnerability.

"We also advise defenders to examine their data, particularly data from before mid-July, to see if any of these IoCs now seen in the NetScaler attacks appeared prior to the announcement of the new vulnerability," they added.
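The two pieces of advice above (sweep NetScaler-related data for the published IoCs, and look for the same indicators in data from before the vulnerability was announced) amount to a retrospective IoC search with a date cutoff. The following script is an added example and is not code from Sophos or from the article; the indicator values, field names and log lines in it are constructed placeholders (RFC 5737 documentation addresses, an all-zero hash, an invented file path), not the real IoCs Sophos published on GitHub. It assumes logs in a simple `timestamp key=value ...` shape and uses the 2023-07-19 date listed on this page as the default cutoff; both are parameters to swap for your own data.

```python
"""Retrospective IoC sweep with a disclosure-date cutoff.

Added example, not code from Sophos or Help Net Security. All indicator
values and log lines below are constructed placeholders; replace IOCS with
the published indicators and feed in your own NetScaler / proxy / EDR logs.
"""
from datetime import date, datetime
import re

# Disclosure date for CVE-2023-3519 as listed on this page. Hits dated before
# this are the ones Sophos suggests looking for (assumption: you want the
# vulnerability's own disclosure date; adjust if you prefer "mid-July").
DISCLOSURE_DATE = date(2023, 7, 19)

# Constructed placeholder indicators (NOT the real Sophos IoCs).
IOCS = {
    "ip": {"203.0.113.17", "198.51.100.42"},                      # RFC 5737 ranges
    "sha256": {"0" * 64},                                          # placeholder hash
    "path": {"/var/netscaler/logon/LogonPoint/uiareas/example.php"},  # hypothetical path
}

# Which log fields are compared against which indicator type (assumed field names).
FIELD_KINDS = {"src": "ip", "dst": "ip", "sha256": "sha256", "path": "path"}

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines in the assumed "timestamp key=value ..." shape.
SAMPLE_LOGS = [
    "2023-06-30T02:14:09Z src=203.0.113.17 dst=10.0.0.5 uri=/saml/login status=200",
    "2023-07-02T11:03:55Z file_created path=/var/netscaler/logon/LogonPoint/uiareas/example.php sha256="
    + "0" * 64,
    "2023-07-20T08:41:12Z src=198.51.100.42 dst=10.0.0.5 uri=/ status=200",
    "2023-07-21T09:00:00Z src=192.0.2.9 dst=10.0.0.5 uri=/ status=200",
]


def parse_line(line):
    """Return (timestamp, {field: value}) or None if the line has no parsable timestamp."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, dict(KV_RE.findall(rest))


def find_hits(lines, iocs=IOCS):
    """Match typed fields against the indicator sets; one hit per matched indicator."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        for key, value in fields.items():
            kind = FIELD_KINDS.get(key)
            if kind and value in iocs.get(kind, ()):
                hits.append({"ts": ts, "kind": kind, "indicator": value, "line": line})
    return hits


def triage(lines, iocs=IOCS, disclosure=DISCLOSURE_DATE):
    """Split hits into those dated before the disclosure and those on or after it.

    Pre-disclosure hits are the interesting bucket: they suggest the indicator
    was active before the vulnerability was public.
    """
    hits = find_hits(lines, iocs)
    return {
        "pre_disclosure": [h for h in hits if h["ts"].date() < disclosure],
        "post_disclosure": [h for h in hits if h["ts"].date() >= disclosure],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h['ts'].isoformat()}  {h['kind']:6}  {h['indicator']}")
```

Matching by field type rather than by raw substring avoids the usual false positives of a naive grep (an IP indicator matching inside a longer address, a hash fragment matching inside an unrelated token). Lines without a parsable timestamp are skipped rather than guessed at, since the whole point of the exercise is the date on each hit.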


News URL

https://www.helpnetsecurity.com/2023/08/29/citrix-netscaler-ransomware/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                              RISK
2023-07-19  CVE-2023-3519  Code Injection vulnerability in Citrix products  critical (CVSS 9.8)
            Unauthenticated remote code execution; attack vector: network; attack complexity: low; vendor: citrix; weakness: CWE-94 (Code Injection)

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Citrix   66                      2     64       101    46         213