A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels.
The activity was observed between January 28 and February 2, and it also focused on enumerating versions of the product, indicating an organized discovery effort.
Threat monitoring platform GreyNoise traced the source of the scanning traffic to more than 63,000 distinct IPs that launched 111,834 sessions. According to the researchers, 79% of the traffic was aimed at Citrix Gateway honeypots.
Roughly 64% of the traffic came from residential proxies, with IPs spread across the globe. Because such addresses belong to ordinary consumer ISPs, they look like legitimate user traffic and slip past reputation-based filtering. The remaining 36% came from a single Azure IP address.
The activity strongly indicates pre-exploitation infrastructure mapping, rather than random internet scanning, GreyNoise says.
"The specific targeting of the EPA [Endpoint Analysis] setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses."
[Figure: Observed reconnaissance activity. Source: GreyNoise]
GreyNoise lists two indicators of malicious intent. The first and by far the most active generated 109,942 sessions from 63,189 unique IPs and targeted the authentication interface at ‘/logon/LogonPoint/index.html’ to identify exposed Citrix login panels at scale.
The second indicator, observed on February 1st, was a six-hour sprint with 10 IPs launching 1,892 sessions focused on the URL path ‘/epa/scripts/win/nsepa_setup.exe’ to enumerate Citrix versions via EPA artifacts.
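The two request paths above are the concrete artifacts a defender can hunt for in their own logs. The script below is an added example written for this page, not GreyNoise's tooling: it parses HTTP access-log lines, picks out requests for the Gateway logon page and the EPA installer, reports sessions and distinct IPs per indicator (the same two numbers GreyNoise reports), and flags sources that hit one path repeatedly inside a six-hour window, which matches the "short sprint" pattern of the second indicator. Because residential proxies defeat IP-reputation lookups, the detection keys on path and timing rather than on who the IP is. The Apache/nginx "combined" log format, the TEST-NET addresses, timestamps and user agents are all constructed for the example; a NetScaler's own log format differs and the regex would need adjusting.

```python
"""
Hunt for the two Citrix NetScaler reconnaissance indicators described above
in HTTP access logs. All log lines in SAMPLE_LOG are constructed for this
example; they are not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon paths reported by GreyNoise, mapped to an indicator name.
RECON_PATHS = {
    "/logon/LogonPoint/index.html": "gateway-logon-panel",
    "/epa/scripts/win/nsepa_setup.exe": "epa-version-enumeration",
}

# Apache/nginx "combined" format (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict (ip, ts as aware datetime, method, path, status, ua) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    # Drop any query string so '/path?x=1' still matches the bare path.
    ev["path"] = ev["path"].split("?", 1)[0]
    return ev


def find_recon(lines):
    """Group requests for the recon paths by indicator name."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] in RECON_PATHS:
            hits[RECON_PATHS[ev["path"]]].append(ev)
    return hits


def summarize(events):
    """Sessions and distinct source IPs, the two figures GreyNoise reports."""
    return {"sessions": len(events), "unique_ips": len({e["ip"] for e in events})}


def burst_ips(events, window=timedelta(hours=6), threshold=3):
    """IPs that issued at least `threshold` requests within any `window`.
    Sliding window over each IP's sorted timestamps; catches the
    'few IPs, many sessions, a few hours' sprint regardless of reputation."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed sample: four logon-panel probes from four IPs, one benign request,
# one IP hammering the EPA installer over ~4.5 hours, one stray EPA fetch,
# and one unparsable line.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jan/2025:10:15:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.8 - - [29/Jan/2025:10:15:09 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.44 - - [29/Jan/2025:11:02:41 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5123 "-" "python-requests/2.31"
192.0.2.20 - - [29/Jan/2025:11:30:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.0.2.21 - - [30/Jan/2025:08:00:00 +0000] "GET /logon/LogonPoint/index.html?v=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Feb/2025:14:00:01 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 8912 "-" "curl/8.4.0"
203.0.113.10 - - [01/Feb/2025:14:31:17 +0000] "HEAD /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 - "-" "curl/8.4.0"
203.0.113.10 - - [01/Feb/2025:16:05:55 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 8912 "-" "curl/8.4.0"
203.0.113.10 - - [01/Feb/2025:18:40:09 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 8912 "-" "curl/8.4.0"
198.51.100.99 - - [01/Feb/2025:15:10:00 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def analyze(log_text=SAMPLE_LOG):
    """Per-indicator report: sessions, unique IPs, and IPs showing burst behaviour."""
    hits = find_recon(log_text.splitlines())
    return {
        name: {**summarize(evs), "burst_ips": sorted(burst_ips(evs))}
        for name, evs in hits.items()
    }


if __name__ == "__main__":
    for name, report in analyze().items():
        print(f"{name}: {report}")
```

On the sample, the logon-panel indicator shows many IPs with one request each (the wide, proxy-distributed pattern), while the EPA indicator shows one IP with four requests inside a few hours and is flagged by the burst check. Lower `threshold` or widen `window` to taste; on a real Gateway, any external fetch of the EPA installer that is not preceded by a logon from the same client is worth a look on its own.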