Ransomware Attack Specialist Tied to Citrix NetScaler Hacks
Multiple Highly Automated Campaigns Have Dropped Persistent Web Shells, Experts Say
Citrix NetScaler administrators should review logs for signs of previous compromise to ward off a suspected ransomware-wielding criminal group, warn cyber defenders who say the alert applies even to already patched appliances.
The alert comes from security firm Sophos, which has been following mass attacks that exploit a code injection flaw to drop web shells. The flaw, tracked as CVE-2023-3519, affects Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices.
Web shells give attackers persistent, remote access to a server, allowing them to execute additional malicious code and target other devices inside the network. Citrix released a patch for the flaw, but experts say the fix doesn't expunge any web shells attackers may have already installed, which survive rebooting.
The latest known campaign targeting vulnerable NetScaler hosts began in mid-August and based on tactics and tooling, it appears to involve "a known threat actor specializing in ransomware attacks," Sophos said.
Determining if and when attackers breached a vulnerable device and dropped a web shell will be difficult unless administrators had already configured custom logging. NetScaler application access logs are rotated - and thus lost - "after 24 hours unless centralized/custom logging is configured, as by default it is rotated every hour, and only 25 rotations are kept," said The Shadowserver Foundation, which scans the internet to identify and track malicious activity.
Attackers can abuse CVE-2023-3519 for unauthenticated remote code execution on a vulnerable device, Citrix first warned July 18. That's when it released patches, warning the vulnerability was already being exploited in the wild.
The U.S. Cybersecurity and Infrastructure Security Agency also warned on July 20 that attackers were exploiting "this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance." The CISA alert includes indicators of compromise and other guidance for threat hunters.
Shadowserver reported seeing three mass exploitation campaigns targeting the flaw last month. The first began July 20. Its web shell commands appeared to come from a ProtonVPN exit node. The second ran from July 20 to 21. The third occurred on July 31 and appeared to be using ExpressVPN endpoint IP addresses as part of the attacks.
When those mass exploitation campaigns first began, NCC Group's Fox-IT said there appeared to be 31,127 Citrix hosts with the vulnerability.
The latest known mass attack campaign targeting the flaw began in mid-August and involves attackers using the vulnerability "as a code-injection tool to conduct a domain-wide attack" that appears to involve a ransomware-wielding group, Sophos said. The security firm told Bleeping Computer it has moderate confidence the attacks are linked to the financially driven FIN8 hacking group, also known as Syssphinx and White Rabbit.
In recent years, FIN8 has moved away from point-of-sale malware attacks to deploying ransomware, including, since late last year, BlackCat - aka Alphv - crypto-locking malware, security firm Symantec has reported.
Sophos MDR, the company's managed security and incident response service, reports seeing multiple attempts to exploit CVE-2023-3519 to breach enterprise networks to deliver ransomware.
"The attacks were stopped before the attackers could complete their attempt, but what we saw in those attempts is consistent with the activities of ransomware actors," Christopher Budd, director of threat research at Sophos X-Ops, told Information Security Media Group. "The sole CVE-2023-3519-related case we've evaluated where MDR was not involved prior to the attack was handled by our IR team. In that situation, the infection resulted in ransomware."
Web Shell Count Increases
On Aug. 7, Shadowserver recorded 600 unpatched hosts infected with web shells and an unknown number of patched hosts also infected with web shells.
As of Aug. 14, Fox-IT reported that 1,828 hosts had web shells, even though 1,248 of them had been patched to fix CVE-2023-3519. "This indicates that while most administrators were aware of the vulnerability and have since patched their NetScalers to a nonvulnerable version, they have not been - properly - checked for signs of successful exploitation," Fox-IT said.
That has led Sophos to advise all NetScaler defenders to review their logs, and "particularly data from before mid-July," in light of the latest IOCs and security researchers not knowing how long ago attackers began exploiting the flaw.
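A patched appliance can still carry a web shell, and, as Shadowserver notes above, the default log rotation leaves only about a day of access-log history to search. The following script is an added example written for this article, not code from Sophos, Shadowserver, Citrix or CISA, and it uses no real indicators of compromise. It does the two checks an administrator would want: list files under the management web root that were modified after the patch was installed, then scan whatever access-log rotations survive for requests that reach those files, while also reporting how far back the surviving logs actually go. The web root (`/netscaler/ns_gui`), the log location (`/var/log/httpaccess.log*`), the Apache combined log format and the sample log lines are all assumptions and constructed test data; check them against your own build before relying on the output.

```python
"""Post-patch web shell hunt for a NetScaler management web root (added example).

Assumed paths and log format, not facts from the article:
  WEB_ROOT     - directory the management GUI is served from
  ACCESS_LOGS  - glob for the web server access log and its hourly rotations
"""
import glob
import json
import os
import re
import tempfile
from datetime import datetime, timezone

WEB_ROOT = "/netscaler/ns_gui"            # assumption
ACCESS_LOGS = "/var/log/httpaccess.log*"  # assumption

# Apache "combined" style line; assumption about the appliance's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Reference point for "file appeared after we patched" (constructed value).
PATCH_INSTALLED = datetime(2023, 7, 19, 0, 0, tzinfo=timezone.utc)


def files_newer_than(root, since):
    """Files under root whose mtime is later than `since` (an aware datetime).
    A patch does not remove a dropped web shell, so new files are the first lead."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if mtime > since:
                hits.append(path)
    return sorted(hits)


def parse_log(lines):
    """Yield (timestamp, ip, method, url_path, status) for lines that parse."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        yield ts, m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def requests_to_new_files(lines, new_files):
    """Requests whose URL basename matches a newly created file: a web shell has to
    be driven over HTTP, so these lines show who used it and when."""
    targets = {os.path.basename(p) for p in new_files}
    return [(ts, ip, method, path)
            for ts, ip, method, path, _ in parse_log(lines)
            if os.path.basename(path) in targets]


def visibility_window(lines):
    """Earliest and latest timestamps the surviving rotations cover. With hourly
    rotation and 25 kept files this is about a day; earlier activity is unobservable."""
    stamps = [ts for ts, *_ in parse_log(lines)]
    return (min(stamps), max(stamps)) if stamps else None


def hunt(root, lines, since=PATCH_INSTALLED):
    """Run all checks and return plain data an analyst can act on or ship to a SIEM."""
    new = files_newer_than(root, since)
    window = visibility_window(lines)
    return {
        "new_files": [os.path.relpath(p, root) for p in new],
        "requests": [(ts.isoformat(), ip, method, path)
                     for ts, ip, method, path in requests_to_new_files(lines, new)],
        "log_window": tuple(t.isoformat() for t in window) if window else None,
    }


# --- Constructed sample data for an offline run; not real indicators. ---
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2023:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [20/Jul/2023:03:15:22 +0000] "POST /vpn/themes/example.php HTTP/1.1" 200 39
198.51.100.3 - - [20/Jul/2023:04:01:00 +0000] "GET /menu/ss HTTP/1.1" 200 2048
""".splitlines()


def build_demo_root():
    """Scratch web root: one legitimate file backdated to March 2023, one file
    created now (i.e. after PATCH_INSTALLED) standing in for a dropped shell."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "index.html")
    new = os.path.join(root, "themes", "example.php")
    os.makedirs(os.path.dirname(new))
    for p in (old, new):
        with open(p, "w") as f:
            f.write("x")
    os.utime(old, (1_680_000_000, 1_680_000_000))  # 2023-03-28 UTC
    return root


def read_live_logs(pattern=ACCESS_LOGS):
    """Read every surviving rotation on a real appliance (uncompressed files only)."""
    lines = []
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as f:
            lines.extend(f.read().splitlines())
    return lines


if __name__ == "__main__":
    # Offline demo; on an appliance use hunt(WEB_ROOT, read_live_logs()).
    print(json.dumps(hunt(build_demo_root(), SAMPLE_LOG), indent=2))
```

Run on a real appliance, `new_files` is the list to triage by hand (compare against a known-good build, not just by name), `requests` tells you which source addresses drove each new file, and `log_window` tells you honestly how far back that evidence reaches; if the window starts after the exploitation campaigns described above, the absence of hits means nothing, and the shipped logs from a central collector are the only place the answer can still be found.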
Shadowserver said many compromised devices may not yet have been used for malicious activity. "We expect these web shells to be utilized when the timing suits the attacker," it said. "This may also happen after all the initial interest has died down and system administrators/security responders are no longer looking closely at their Citrix devices."
Aug. 30, 2023 08:30 UTC: This story has been updated to include additional comments from Sophos.