Ransomware Hackers Exploiting Critical Vulnerability

Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what is suspected to be a ransomware attack.

Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663.

Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability affecting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution.

In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). An analysis of the payload is underway.

Other notable aspects include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service named BlueVPS for malware staging.

Sophos said the modus operandi aligns "closely" with that of an attack campaign that NCC Group Fox-IT disclosed earlier this month, in which nearly 2,000 Citrix NetScaler systems were breached.


The attacks are also said to be linked to an earlier incident that used the same techniques minus the Citrix vulnerability. Indicators of compromise (IoCs) associated with the campaign can be accessed here.

"All this leads us to say it is likely that this is activity from a known threat actor specializing in ransomware attacks," the company said in a series of posts on X.

Users of Citrix NetScaler ADC and Gateway appliances are strongly advised to apply the patches to mitigate potential threats.

The development comes as ransomware is on track to reach new highs in 2023, with threat actors rapidly escalating their attacks by exploiting security flaws in widely used software to breach target environments.

This has been accompanied by a surge in cybercrime groups spawning custom ransomware strains (e.g., DoDo, Proton, and Trash Panda), as well as moving more quickly to compromise companies once they have gained initial access, a sign that the attackers are getting better at honing their process of stealing and encrypting data.


While most ransomware gangs continue to pursue double or triple extortion schemes, some groups have been observed pivoting from encryption to a simpler theft-and-extortion strategy, referred to as an encryptionless extortion attack.
