Cloud Security, Vulnerability Management

Vulnerable Citrix NetScaler systems targeted by FIN8-linked attacker

Threat actor STAC4663, suspected of links to the FIN8 hacking operation, has deployed domain-wide cyberattacks against Citrix NetScaler systems vulnerable to the critical remote code execution flaw tracked as CVE-2023-3519, BleepingComputer reports. Besides injecting payloads and deploying PHP webshells, STAC4663 has leveraged BlueVPS hosting, domain discovery, atypical PowerShell scripting, plink, and PuTTY Secure Copy in its attacks against Citrix NetScaler ADC and NetScaler ADC instances, which Sophos X-Ops researchers say correlates these intrusions with the earlier NetScaler attacks by the FIN8 hacking group first reported by Fox-IT. The attacks also used two different command-and-control IP addresses: the first was used for malware staging, while the second was observed responding to the C2 software leveraged in the prior NetScaler attack campaign. Sophos researchers have urged immediate patching and have published a list of indicators of compromise to help organizations detect and avert potential attacks.
