Ransomware actor exploits Citrix NetScaler vulnerability to compromise servers

A ransomware actor has been exploiting a critical vulnerability in Citrix NetScaler systems to inject malicious code and deploy web shells, according to security researchers. The vulnerability, CVE-2023-3519, allows unauthenticated remote code execution and affects Citrix NetScaler ADC and Gateway servers.

Sophos links STAC4663 to Citrix attacks

Sophos X-Ops, a threat intelligence team from the security firm Sophos, reported that a threat actor they track as STAC4663 is behind some of the recent attacks on Citrix NetScaler systems. The researchers believe that this actor is part of the same campaign that Fox-IT, a Dutch cybersecurity company, disclosed earlier this month.


According to Sophos, STAC4663 exploits CVE-2023-3519 to inject a payload into “wuauclt.exe” or “wmiprvse.exe” processes on the compromised servers. The payload is still being analyzed, but it appears to be a web shell that allows the attacker to execute commands and upload files on the server. The web shell also communicates with a command-and-control server hosted on Tor.

Hundreds of Citrix servers hacked in major campaign

The Shadowserver Foundation, a non-profit organization that tracks cyber threats, revealed that hundreds of Citrix NetScaler servers have been breached by malicious actors using CVE-2023-3519. The organization scanned more than 100,000 Citrix servers and found that 2,000 of them had web shells installed.

The Shadowserver Foundation also shared indicators of compromise (IOCs) and mitigation advice for the affected servers. The organization urged Citrix users to patch their systems as soon as possible and check for signs of compromise.
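To make the "check for signs of compromise" advice above concrete, and to tie it to the behaviour described earlier (a web shell communicating with a Tor-hosted command-and-control server, with payloads reported inside the wuauclt.exe and wmiprvse.exe processes), here is an added Python example of a small IOC-matching pass over log records. It is not code from Sophos, Shadowserver or Citrix; the IOC values, the key=value log format and the sample records are all constructed for illustration, and the real published indicators would be substituted in before use.

```python
import re
from dataclasses import dataclass

# Placeholder indicators (constructed for this example; substitute the published IOC list).
IOC_FILE_HASHES = {"PLACEHOLDER_HASH_NOT_A_REAL_IOC"}
IOC_C2_HOSTS = {"c2.example.invalid", "198.51.100.23"}
# Process names the article reports as payload injection targets.
INJECTION_HOSTS = {"wuauclt.exe", "wmiprvse.exe"}
# Tor hidden-service names (v2 and v3 .onion addresses).
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str
    reasons: list


def parse_record(line: str) -> dict:
    """Parse a space-separated key=value record (constructed format, not a vendor log schema)."""
    rec = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def evaluate(rec: dict) -> tuple:
    """Return (severity, reasons) for one parsed record; reasons is empty when nothing matched."""
    reasons = []
    if rec.get("sha256", "").lower() in {h.lower() for h in IOC_FILE_HASHES}:
        reasons.append("file hash matches IOC list")
    dst = rec.get("dst", "")
    if dst in IOC_C2_HOSTS:
        reasons.append("destination matches C2 IOC")
    if ONION_RE.search(dst):
        reasons.append("destination is a Tor hidden service")
    # A match is escalated when the acting process is one of the reported injection targets;
    # those processes alone are not suspicious, since both are normal Windows components.
    process = rec.get("process", "").lower()
    severity = "high" if reasons and process in INJECTION_HOSTS else "medium"
    return severity, reasons


def scan(lines) -> list:
    """Evaluate each log line and collect findings, numbered from 1 in input order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        severity, reasons = evaluate(parse_record(line))
        if reasons:
            findings.append(Finding(line_no, severity, reasons))
    return findings


# Constructed sample records: one hash hit, one C2 hit from an injection-target process,
# one benign update connection, one Tor hidden-service connection.
SAMPLE_LOGS = [
    "event=file_write path=/tmp/shell.php sha256=placeholder_hash_not_a_real_ioc",
    "event=net_connect process=wmiprvse.exe dst=c2.example.invalid dport=443",
    "event=net_connect process=wuauclt.exe dst=update.example.invalid dport=443",
    "event=net_connect process=svchost.exe dst=abcdefghijklmnop.onion dport=9050",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding.line_no} [{finding.severity}]: {', '.join(finding.reasons)}")
```

Running the block on the sample records reports three findings (lines 1, 2 and 4) and leaves the ordinary update connection on line 3 alone; the Tor check is deliberately a plain regular expression on the destination rather than a reputation lookup, so the script runs offline.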

Ransomware implications of Citrix attacks

The exploitation of CVE-2023-3519 in Citrix NetScaler systems could have serious ransomware implications, as the attackers could use the web shells to spread laterally across the network and encrypt data. In fact, some sources in the infosec community have reported that hacker groups have used this vulnerability to deploy ransomware on unpatched Citrix servers.

Citrix is a popular platform for delivering applications and virtual desktops to remote workers, especially in the wake of the COVID-19 pandemic. Therefore, any disruption or data loss caused by ransomware could have a significant impact on the business continuity and productivity of many organizations.

Citrix has issued patches and mitigations for CVE-2023-3519 since January 2023 and has advised its customers to apply them as soon as possible. The company has also published a blog post on how to prepare for and respond to ransomware attacks.
