FIN8-linked actor targets Citrix NetScaler systems

Sophos X-Ops is tracking an ongoing campaign against Citrix NetScaler systems linked to the FIN8 group, which exploits CVE-2023-3519 for remote code execution. The attackers drop PHP web shells and run obfuscated PowerShell scripts to conduct domain discovery and data exfiltration, staging malware from command-and-control (C2) infrastructure. #FIN8 #CitrixNetScaler #CVE-2023-3519 #Shadowserver #CISA

Key points

  • The campaign targets Citrix NetScaler appliances and leverages the critical vulnerability CVE-2023-3519 to gain initial access.
  • The vulnerability exploitation can lead to unauthenticated remote code execution on unmitigated NetScaler devices configured as Gateway or AAA servers.
  • Attackers use highly obfuscated PowerShell scripts with distinctive arguments and drop randomly named PHP web shells on victims.
  • Web shells are placed under /var/vpn/theme/[random].php to maintain access and enable further actions.
  • Campaign activities include domain discovery, Active Directory data collection/exfiltration, and attempted lateral movement to a domain controller (blocked by network segmentation).
  • Passwords in NetScaler ADC configuration files are encrypted, but the decryption key is stored on the ADC appliance itself; the attackers exfiltrated data via a web-accessible path on the appliance and over the C2 channels.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution.’
  • [T1059.001] PowerShell – ‘highly obfuscated PowerShell scripts called with distinctive arguments.’
  • [T1505.003] Web Shell – ‘dropping randomly named PHP webshells (/var/vpn/theme/[random].php) on victim machines.’
  • [T1087] Account Discovery – ‘discovery on the victim’s active directory (AD) and collect and exfiltrate AD data.’
  • [T1021] Lateral Movement – ‘The attackers attempted to move laterally to a domain controller, but network-segmentation controls blocked movement.’
  • [T1071.001] Web Protocols – ‘C2 IP address (45.66.248[.]189) for malware staging and a second C2 IP (85.239.53[.]49) responding to the same C2 software.’
  • [T1055] Process Injection – ‘payload is injected into “wuauclt.exe” or “wmiprvse.exe.”’
  • [T1552.001] Credentials in Files – ‘The attackers obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.’

Indicators of Compromise

  • [IP] C2 addresses – 45.66.248.189, 85.239.53.49
  • [File] Webshells – /var/vpn/theme/[random].php
  • [File] Exfiltration paths – /netscaler/ns_gui/vpn/medialogininit.png
  • [File] Payload/artifacts – test.tar.gz (located in /var/tmp/)
  • [Process] Injected processes – wuauclt.exe, wmiprvse.exe
  • [CVE] CVE-2023-3519
  • [Credential] Encrypted passwords in NetScaler ADC config files (decryption key on the ADC)
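A defender-side triage example, added here and not part of the Sophos or Security Affairs write-up: it checks a constructed file inventory and constructed connection records against the indicators listed above. Only the paths and IP addresses come from the page; the sample data and function names are assumptions.

```python
import re

# Indicators from the campaign summary above.
WEBSHELL_RE = re.compile(r"^/var/vpn/theme/[^/]+\.php$")  # /var/vpn/theme/[random].php
KNOWN_ARTIFACTS = {
    "/netscaler/ns_gui/vpn/medialogininit.png": "exfiltration path",
    "/var/tmp/test.tar.gz": "staged payload archive",
}
C2_IPS = {"45.66.248.189", "85.239.53.49"}

# Constructed sample data standing in for `find / -type f` output and a flow log.
SAMPLE_FILES = [
    "/var/vpn/theme/default.css",
    "/var/vpn/theme/x8f2k1.php",
    "/netscaler/ns_gui/vpn/medialogininit.png",
    "/var/tmp/test.tar.gz",
    "/var/tmp/test.tar.gz.bak",
]
SAMPLE_CONNS = [
    "2023-08-10T12:00:01Z 10.0.0.5 -> 45.66.248.189:443",
    "2023-08-10T12:00:02Z 10.0.0.5 -> 10.0.0.9:445",
    "2023-08-10T12:00:03Z 10.0.0.5 -> 85.239.53.49:80",
]

def triage_paths(paths):
    """Return (path, reason) pairs for files matching the page's file indicators.

    Any .php file in the theme directory is flagged for review against a
    known-good baseline rather than assumed malicious outright.
    """
    findings = []
    for p in paths:
        if WEBSHELL_RE.match(p):
            findings.append((p, "PHP file in theme directory (possible web shell)"))
        elif p in KNOWN_ARTIFACTS:
            findings.append((p, KNOWN_ARTIFACTS[p]))
    return findings

_DST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+")

def triage_connections(records):
    """Return flow records whose destination is one of the listed C2 addresses."""
    hits = []
    for rec in records:
        m = _DST_RE.search(rec)
        if m and m.group(1) in C2_IPS:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for item in triage_paths(SAMPLE_FILES) + [(r, "C2 destination") for r in triage_connections(SAMPLE_CONNS)]:
        print(f"[HIT] {item[0]} :: {item[1]}")
```

Swap the constructed lists for a real file listing from the appliance and your egress flow logs; a backup copy like test.tar.gz.bak is deliberately not matched, so widen the patterns if you want near-miss names surfaced too.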

Read more: https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html?amp=1