Haven't updated your Citrix software yet? Congratulations, you are probably a victim of FIN8 hackers.

Carding

A month and a half has already passed since the patch was released, but administrators are in no hurry to apply the update.

A group of hackers allegedly linked to FIN8 is exploiting the critical vulnerability CVE-2023-3519 in Citrix NetScaler products to attack unpatched systems around the world. This is reported by Sophos researchers, who have been tracking the malicious campaign since mid-August.

Attackers use the exploit to inject malware, deploy web shells, and run malicious PowerShell scripts on compromised machines. Sophos assesses that this activity is related to a previous campaign by the same group, which specializes in ransomware.

CVE-2023-3519 is a critical vulnerability in the NetScaler ADC and NetScaler Gateway products that allows attackers to execute arbitrary code. It was found to be under active exploitation in mid-July of this year.

On July 18, Citrix released security updates, but even a month later more than 31 thousand Citrix devices were still vulnerable. According to Sophos, the attackers are taking advantage of administrators' slowness in applying updates to spread malware and ransomware.

Sophos analysts report that the attackers inject payloads into "wuauclt.exe" and "wmiprvse.exe" on compromised systems. They also use dedicated domains and IP addresses to host and control the malware.

Sophos observed similar methods in previous FIN8 campaigns, which points to that group's involvement. FIN8 has also previously been seen distributing BlackCat ransomware.

Sophos has published indicators of compromise (IOCs) for this campaign on GitHub to help other security professionals detect and stop the threat.

If your company uses Citrix software, the best step right now is to check whether it has been updated to the latest version. If not, update it immediately.
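Two of the defensive steps mentioned above, checking whether a NetScaler build predates the fix and matching a published indicator list against local logs, are easy to script. The following is an added example written for this post, not code from Sophos or Citrix. The fixed-build table, the indicator domains and the DNS log lines are all constructed placeholders: the real fixed builds come from Citrix's advisory and the real indicators from the Sophos GitHub repository mentioned above, and the accepted version-string formats are an assumption about how `show ns version` output is normalized.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder table (assumption, NOT from the Citrix advisory):
# for each NetScaler release branch "major.minor", the first (build, sub-build)
# assumed to contain the CVE-2023-3519 fix. Replace with the advisory's values.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "13.1": (50, 0),
    "13.0": (92, 0),
}

# Accepts "13.1-49.0" as well as a "NetScaler NS13.1: Build 49.0.nc" form;
# the second form is an assumption about how `show ns version` prints it.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build, sub_build), or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    branch = f"{m.group(1)}.{m.group(2)}"
    return branch, int(m.group(3)), int(m.group(4))


def assess(version_text: str) -> str:
    """Classify a version string against the fixed-build table.

    Builds are only comparable within one release branch, so a branch that is
    not in the table is reported as unknown rather than guessed at.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    branch, build, sub = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "patched" if (build, sub) >= fixed else "vulnerable"


# Constructed indicator list (NOT the Sophos IOCs); .invalid is reserved and
# can never resolve, which makes these safe sample values.
IOC_DOMAINS: List[str] = ["c2-placeholder.invalid", "staging-placeholder.invalid"]


def domain_matches(hostname: str, indicator: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it.

    A plain substring test would also flag "notc2-placeholder.invalid", so the
    check requires either equality or a dot-separated suffix match.
    """
    hostname = hostname.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return hostname == indicator or hostname.endswith("." + indicator)


def find_ioc_hits(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan DNS-query log lines (queried host is the last field) for hits.

    Returns (line_number, queried_host, matching_indicator) tuples.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        fields = line.split()
        if not fields:
            continue
        host = fields[-1]
        for ioc in IOC_DOMAINS:
            if domain_matches(host, ioc):
                hits.append((lineno, host, ioc))
    return hits


# Constructed sample DNS log: timestamp, client IP, "query", record type, host.
SAMPLE_DNS_LOG: List[str] = [
    "2023-08-20T10:01:02Z 10.0.0.5 query A updates.example.com",
    "2023-08-20T10:01:05Z 10.0.0.5 query A beacon.c2-placeholder.invalid",
    "2023-08-20T10:02:11Z 10.0.0.9 query A notc2-placeholder.invalid",
    "2023-08-20T10:03:30Z 10.0.0.5 query A staging-placeholder.invalid",
]


if __name__ == "__main__":
    for v in ("13.1-49.0", "NetScaler NS13.0: Build 92.0.nc", "12.1-65.1"):
        print(f"{v!r}: {assess(v)}")
    for lineno, host, ioc in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"line {lineno}: {host} matches indicator {ioc}")
```

Feed `assess()` the version string from each appliance and `find_ioc_hits()` a slice of your resolver logs; anything reported as "vulnerable" or "unknown-branch" needs a human look, and the suffix-matching rule in `domain_matches()` is what keeps look-alike hostnames from producing false positives.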

Only timely response and a comprehensive approach to security will help organizations minimize the damage caused by such attacks.