Cyber Web Spider Blog – News

Citrix NetScaler Targeted by Sophisticated Scanning Campaign

Posted on February 4, 2026 By CWS

Key Points:

  • Sophisticated scanning campaign targets Citrix NetScaler infrastructure.
  • Over 111,834 sessions generated from more than 63,000 unique IPs.
  • Reconnaissance suggests preparation for exploiting known vulnerabilities.

Introduction to the Citrix NetScaler Campaign

A highly coordinated reconnaissance effort targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was identified by the GreyNoise Global Observation Grid between January 28 and February 2, 2026. This campaign utilized residential proxy rotation and AWS-hosted scanning to uncover login panels, generating over 111,834 sessions from more than 63,000 unique IP addresses.

The targeted operation highlighted advanced capabilities in mapping infrastructure, achieving a significant 79% targeting rate against Citrix Gateway honeypots. This rate indicates deliberate reconnaissance activity rather than random opportunistic scanning.

Dual-Pronged Approach in Attack Strategy

The attack was executed using two distinct but coordinated modes: login panel discovery and version disclosure. The login panel discovery phase generated 109,942 sessions from 63,189 source IPs, mainly from residential proxies and Azure infrastructure, focusing on the /logon/LogonPoint/index.html endpoint.

In contrast, the version disclosure campaign involved 1,892 sessions from 10 AWS IP addresses, targeting the /epa/scripts/win/nsepa_setup.exe file path. These two campaigns commenced simultaneously just before February 1st, uniquely targeting Citrix infrastructure.

  • The login panel discovery mode utilized IPs distributed across various countries, complicating detection and mitigation.
  • The version disclosure campaign was concentrated in AWS regions us-west-1 and us-west-2.

Implications and Recommendations

This complex scanning operation mirrors previous tactics used in Citrix exploitation campaigns, where vulnerable instances were mapped prior to deploying exploits. A notable finding was a single Microsoft Azure Canada IP address generating 39,461 sessions, accounting for 36% of all login panel traffic.

Organizations are advised to implement immediate detection and defensive measures such as monitoring for blackbox-exporter user agents, alerting on unusual access patterns, and reviewing external Citrix Gateway exposure. Additional measures include suppressing version disclosure in HTTP responses and flagging access from unexpected geographic regions.
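The log-side checks above can be sketched as follows. This is an added example, not code from GreyNoise or from this blog: it assumes combined-format (NCSA) access logs, a loose user-agent match (the article does not give the exact string), a hypothetical per-IP threshold, and constructed sample lines using documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Paths named in the article for the two scanning modes.
RECON_PATHS = {
    "/logon/LogonPoint/index.html": "login-panel-discovery",
    "/epa/scripts/win/nsepa_setup.exe": "version-disclosure",
}
# Assumption: the article only says "blackbox-exporter user agents"; match loosely.
UA_PATTERN = re.compile(r"blackbox[ _-]?exporter", re.IGNORECASE)
# Assumption: combined (NCSA) access log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def analyze(lines, per_ip_threshold=3):
    """Return (alerts, hits_per_ip) for recon-style requests in access log lines."""
    hits = Counter()
    reasons = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing
        path = m["target"].split("?", 1)[0]  # ignore any query string
        mode = RECON_PATHS.get(path)
        if mode:
            hits[m["ip"]] += 1
            reasons[m["ip"]].add(mode)
        if UA_PATTERN.search(m["ua"]):
            reasons[m["ip"]].add("blackbox-exporter-ua")
    alerts = {}
    for ip, why in reasons.items():
        # Alert on the flagged user agent, or on repeated hits to a recon path.
        if "blackbox-exporter-ua" in why or hits[ip] >= per_ip_threshold:
            alerts[ip] = sorted(why)
    return alerts, hits

def _line(ip, path, ua):  # builds one constructed sample log line
    return f'{ip} - - [01/Feb/2026:00:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample input, not real traffic.
SAMPLE_LOG = (
    [_line("203.0.113.10", "/logon/LogonPoint/index.html", "Mozilla/5.0")] * 3
    + [_line("198.51.100.7", "/epa/scripts/win/nsepa_setup.exe", "Blackbox Exporter/0.0")]
    + [_line("192.0.2.50", "/logon/LogonPoint/index.html?x=1", "Mozilla/5.0")]
    + [_line("192.0.2.60", "/vpn/index.html", "Mozilla/5.0")]
)
```

Because the login panel traffic described above was spread across tens of thousands of source IPs, a per-IP threshold alone will miss most of it; aggregate counts per path over time are the complementary signal.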

Conclusion

The observed reconnaissance activity is likely a precursor to exploitation attempts targeting Citrix ADC and NetScaler Gateway vulnerabilities. Organizations should remain vigilant, implementing comprehensive monitoring and defensive strategies to safeguard their infrastructure against potential breaches.

Category: Cyber Security News

Tags: AWS, Azure, Citrix, Cybersecurity, Hacking, Infrastructure, NetScaler, Reconnaissance, Security, Vulnerabilities
