Ransomware Operators Inject Payloads into Legitimate Executables via Citrix NetScaler Exploit


August 29, 2023

World map

Researchers have observed ransomware operators exploiting an unpatched Citrix NetScaler vulnerability to inject malicious payloads and allow remote code execution (RCE).

“Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution,” The Hacker News reports.

“In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe)."

Takeaway: Attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences.  

Nowhere is this more evident than in the continued exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362) the Cl0p ransomware gang has used to compromise more than 1000 victims in rapid succession over the summer.

The wave of attacks followed another earlier in the year where Cl0p successfully compromised more than a hundred targets by exploiting a bug in the GoAnywhere file transfer tool.

Overall, the marked increase in the exploitation of vulnerabilities by ransomware gangs is evidence that criminal actors are increasingly using more complex tactics usually seen in state-supported operations versus the random ‘spray and pray’ ransomware attacks of the past.  

This mass exploitation wave is also evidence that ransomware gangs are increasingly leveraging automation to identify and target exposed organizations who have not patched against known vulnerabilities, which is why we are seeing so many new victims.

March and June of 2023 saw huge spikes in the number of successful attacks across every major industry vertical, federal agencies, and state and local governments.

The bad news is that as attackers are getting more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine tuning evasion techniques, and exponentially improving encryption speeds, we will likely continue to see an escalation in attacks.

The good news is that given these attacks leverage exploits for well-documented vulnerabilities means we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence.  

Many of the TTPs they employ are common and should help to reveal a host of detectable activity on the network that occurs long before the actual ransomware payload is delivered.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used, or when the attackers begin to move laterally on the network and seek to escalate privileges.  

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.