Threat actors are actively exploiting two zero-day vulnerabilities in widely used Cisco and Citrix products to deploy malware. Researchers have observed campaigns using these flaws to establish persistent network access and drop payloads such as Remote Access Trojans (RATs) and web shells.
One of the vulnerabilities, tracked as CVE-2023-20269, affects Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The second, CVE-2023-3519, impacts Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. (The nickname "Citrix Bleed" properly belongs to a different NetScaler flaw, CVE-2023-4966, a session-token disclosure bug; the unauthenticated remote code execution described below is the behavior of CVE-2023-3519.)
Cisco Vulnerability Exploited for Espionage
The campaign targeting the Cisco ASA vulnerability began in August 2023. Attackers first ran brute-force credential attacks against internet-exposed devices to identify vulnerable infrastructure. Two threat actors, tracked as UAT4356 and UNC3956 and suspected of being state-sponsored, were linked to these attacks. Their goal was cyber-espionage: the malware they deployed was designed to remain dormant until it was activated in mid-October 2023. Security researchers identified more than 11,000 Cisco ASA devices with the SSL VPN feature enabled, leaving them potentially exposed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until November 17, 2023, to apply the patches.
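The brute-force phase described above leaves a recognizable trace on the appliance itself: bursts of rejected AAA authentications from one source address, often spread across many usernames. The script below is an added example, not part of the original article or of any Cisco tooling. It parses log lines modelled on the Cisco ASA %ASA-6-113005 ("AAA user authentication Rejected") syslog message and flags a source that produces at least five rejections inside a 60-second sliding window, distinguishing a spray across several accounts from repeated attempts against one account. The sample log lines, host name, addresses and usernames are constructed for the example; the thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the Cisco ASA %ASA-6-113005 syslog
# message ("AAA user authentication Rejected"). The host name, IP addresses
# and user names are invented for this example.
SAMPLE_LOGS = """\
Aug 21 2023 03:14:01 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Aug 21 2023 03:14:03 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 203.0.113.7
Aug 21 2023 03:14:04 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Aug 21 2023 03:14:06 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.7
Aug 21 2023 03:14:08 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.7
Aug 21 2023 03:14:09 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_scan : user IP = 203.0.113.7
Aug 21 2023 03:20:30 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 198.51.100.22
Aug 21 2023 04:05:11 asa-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 198.51.100.22
"""

# Timestamp, then host, then the 113005 message; we only need user and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def parse_rejections(text):
    """Return (timestamp, source_ip, username) for every 113005 line; skip others."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_users=3):
    """Sliding window per source IP. Flag a source once it accumulates
    >= min_failures rejections inside `window`; call it a password spray if
    those rejections cover >= min_users distinct accounts, else brute force.
    Thresholds are illustrative assumptions, not vendor guidance."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            if len(in_window) >= min_failures:
                users = {u for _, u in in_window}
                kind = "password_spray" if len(users) >= min_users else "brute_force"
                findings.append({
                    "src": src,
                    "kind": kind,
                    "failures": len(in_window),
                    "users": sorted(users),
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                })
                break  # one alert per source is enough; stop scanning it
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_rejections(SAMPLE_LOGS)):
        print(f"{f['src']}: {f['kind']} ({f['failures']} failures, "
              f"{len(f['users'])} accounts, {f['first']} .. {f['last']})")
```

Run against the sample, the script flags 203.0.113.7 as a password spray (five rejections across five accounts in seven seconds) and stays silent on 198.51.100.22, whose two failures are 45 minutes apart. In production, feed it the ASA syslog export rather than the embedded sample, and remember that a successful login following such a burst (message 113004, not parsed here) is the event that actually matters.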
Citrix NetScaler Flaw Leveraged by Ransomware Groups
The Citrix zero-day, CVE-2023-3519, has also seen widespread exploitation, leading CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows unauthenticated remote code execution on the appliance. Ransomware groups, including the notorious LockBit crew, have been observed using the NetScaler flaw to plant web shells on compromised servers. These web shells give the attackers persistent access to the victim network and a foothold for further malicious activity; because a web shell survives the upgrade, patching alone does not evict an intruder who is already in, so exposed appliances should also be checked for planted files. Patches for both the Cisco and Citrix vulnerabilities are available, and organizations are urged to apply them without delay.