Citrix NetScaler Targeted by Sophisticated Scanning Campaign

Posted on February 4, 2026 By CWS

Key Points:

  • Sophisticated scanning campaign targets Citrix NetScaler infrastructure.
  • Over 111,834 sessions generated from more than 63,000 unique IPs.
  • Reconnaissance suggests preparation for exploiting known vulnerabilities.

Introduction to the Citrix NetScaler Campaign

A highly coordinated reconnaissance effort targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was identified by the GreyNoise Global Observation Grid between January 28 and February 2, 2026. This campaign utilized residential proxy rotation and AWS-hosted scanning to uncover login panels, generating over 111,834 sessions from more than 63,000 unique IP addresses.

The targeted operation highlighted advanced capabilities in mapping infrastructure, achieving a significant 79% targeting rate against Citrix Gateway honeypots. This rate indicates deliberate reconnaissance activity rather than random opportunistic scanning.

Dual-Pronged Approach in Attack Strategy

The attack was executed using two distinct but coordinated modes: login panel discovery and version disclosure. The login panel discovery phase generated 109,942 sessions from 63,189 source IPs, mainly from residential proxies and Azure infrastructure, focusing on the /logon/LogonPoint/index.html endpoint.

In contrast, the version disclosure campaign involved 1,892 sessions from 10 AWS IP addresses, targeting the /epa/scripts/win/nsepa_setup.exe file path. These two campaigns commenced simultaneously just before February 1st, uniquely targeting Citrix infrastructure.

  • The login panel discovery mode utilized IPs distributed across various countries, complicating detection and mitigation.
  • The version disclosure campaign was concentrated in AWS regions us-west-1 and us-west-2.

Implications and Recommendations

This complex scanning operation mirrors previous tactics used in Citrix exploitation campaigns, where vulnerable instances were mapped prior to deploying exploits. A notable finding was a single Microsoft Azure Canada IP address generating 39,461 sessions, accounting for 36% of all login panel traffic.

Organizations are advised to implement immediate detection and defensive measures such as monitoring for blackbox-exporter user agents, alerting on unusual access patterns, and reviewing external Citrix Gateway exposure. Additional measures include suppressing version disclosure in HTTP responses and flagging access from unexpected geographic regions.
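One way to apply these detections to gateway or reverse-proxy access logs, as an added example that is not from the article or from GreyNoise. It assumes combined log format; the sample lines, the IP addresses (documentation ranges), the user-agent string and the 30% concentration threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# The two endpoints the article ties to each scanning mode.
RECON_PATHS = {
    "/logon/LogonPoint/index.html": "login_panel_discovery",
    "/epa/scripts/win/nsepa_setup.exe": "version_disclosure",
}
# Separator-tolerant: matches "blackbox-exporter", "Blackbox Exporter", "blackbox_exporter".
UA_RE = re.compile(r"blackbox[ _-]?exporter", re.I)
# Combined log format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def analyze(lines, share_threshold=0.3, min_requests=3):
    """Return (per-IP hit reasons, per-mode dominant source)."""
    hits = defaultdict(Counter)      # ip -> reason -> count
    per_mode = defaultdict(Counter)  # mode -> ip -> count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore query strings
        mode = RECON_PATHS.get(path)
        if mode:
            hits[m["ip"]][mode] += 1
            per_mode[mode][m["ip"]] += 1
        if UA_RE.search(m["ua"]):
            hits[m["ip"]]["blackbox_exporter_ua"] += 1
    # Flag a single source producing an outsized share of one mode's traffic.
    dominant = {}
    for mode, ips in per_mode.items():
        ip, n = ips.most_common(1)[0]
        total = sum(ips.values())
        if total >= min_requests and n / total >= share_threshold:
            dominant[mode] = (ip, round(n / total, 2))
    return {ip: dict(c) for ip, c in hits.items()}, dominant

TS = "[01/Feb/2026:00:00:01 +0000]"
SAMPLE = [  # constructed log lines, not real traffic
    f'203.0.113.10 - - {TS} "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - {TS} "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - {TS} "GET /logon/LogonPoint/index.html?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {TS} "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - {TS} "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 900 "-" "Blackbox Exporter/0.0"',
    f'192.0.2.99 - - {TS} "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The concentration check mirrors the article's observation that one source accounted for 36% of login panel traffic; tune the threshold and minimum request count to the gateway's normal volume.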

Conclusion

The observed reconnaissance activity is likely a precursor to exploitation attempts targeting Citrix ADC and NetScaler Gateway vulnerabilities. Organizations should remain vigilant, implementing comprehensive monitoring and defensive strategies to safeguard their infrastructure against potential breaches.
