Citrix Software Update Linked to FIN8 Hackers

A group of hackers believed to be linked to FIN8 is exploiting a critical vulnerability, CVE-2023-3519, in Citrix NetScaler products to attack vulnerable systems worldwide, Sophos researchers report.

Since mid-August, Sophos has been tracking this campaign, in which the attackers use the exploit to deliver malware, deploy web shells, and run malicious PowerShell scripts on compromised machines. Sophos has linked the activity to an earlier campaign by the same group, which specializes in extortion.

CVE-2023-3519 is a critical vulnerability in NetScaler ADC and NetScaler Gateway that allows attackers to execute arbitrary code. It was discovered, and was already being actively exploited, in mid-July of this year.

Citrix released security updates on July 18, but a month later more than 31,000 devices were still exposed. Sophos reports that the attackers are taking advantage of administrators' slowness to patch in order to spread malware and deploy ransomware.

Sophos analysts found that the attackers inject a payload into wuauclt.exe and wmiprvse.exe on compromised systems. They also use specific domains and IP addresses to deliver and control the malware.

Sophos notes that similar techniques were seen in earlier FIN8 campaigns, suggesting the group's involvement in this attack. FIN8 has previously been linked to distribution of the BlackCat ransomware.

As part of its findings, Sophos has published indicators of compromise for this campaign on GitHub to help other security teams detect and respond to the threat.
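Example detection logic for the behaviors described above (the injection host processes wuauclt.exe and wmiprvse.exe, and matching telemetry against a published indicator list), added here as an illustration; it is not code from the Sophos report, and the event shape, the indicator values and the sample events are constructed placeholders.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Host processes the Sophos report names as injection targets.
HOST_PROCESSES = {"wuauclt.exe", "wmiprvse.exe"}

# Placeholder indicators, constructed for this example; replace with the
# list Sophos published on GitHub.
IOC_DOMAINS = {"c2.example.invalid"}
IOC_IPS = {"203.0.113.10"}

@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connection)
    image: str         # image name of the acting process
    parent: str = ""   # parent image, for process events
    cmdline: str = ""  # command line, for process events
    dest: str = ""     # destination host or IP, for network events

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious(ev: Event) -> str | None:
    """Return a reason if the event matches a rule, otherwise None."""
    img, dest = ev.image.lower(), ev.dest.lower()
    if ev.kind == "network" and (dest in IOC_DOMAINS or dest in IOC_IPS):
        return f"{img} contacted published indicator {dest}"
    if ev.kind == "network" and img in HOST_PROCESSES and is_ip(dest):
        # Heuristic: an update/WMI host process talking to a bare IP rather
        # than a resolved name; tune against your own baseline.
        return f"{img} connected directly to IP {dest}"
    if ev.kind == "process" and ev.parent.lower() in HOST_PROCESSES \
            and img in {"powershell.exe", "pwsh.exe", "cmd.exe"}:
        return f"{ev.parent.lower()} spawned {img}: {ev.cmdline}"
    return None

def scan(events: list[Event]) -> list[str]:
    return [r for ev in events if (r := suspicious(ev)) is not None]

# Constructed sample telemetry: two benign events, three that should fire.
SAMPLE_EVENTS = [
    Event("network", "wuauclt.exe", dest="download.windowsupdate.com"),
    Event("process", "svchost.exe", parent="services.exe", cmdline="svchost.exe -k netsvcs"),
    Event("network", "wmiprvse.exe", dest="203.0.113.10"),
    Event("network", "wuauclt.exe", dest="198.51.100.7"),
    Event("process", "powershell.exe", parent="WmiPrvSE.exe", cmdline="powershell.exe -File C:\\Temp\\u.ps1"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Feed real process-creation and network-connection events (for example from Sysmon) into `Event` objects and treat the bare-IP rule as a starting heuristic, not a verdict.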

Organizations that use Citrix software are advised to ensure their systems are updated to the latest version; if they are not, an immediate manual update is recommended.

Timely response and a comprehensive security approach are crucial for organizations to minimize the damage caused by such attacks.
