Key Points:
- Sophisticated scanning campaign targets Citrix NetScaler infrastructure.
- Over 111,834 sessions generated from more than 63,000 unique IPs.
- Reconnaissance suggests preparation for exploiting known vulnerabilities.
Introduction to the Citrix NetScaler Campaign
A highly coordinated reconnaissance effort targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was identified by the GreyNoise Global Observation Grid between January 28 and February 2, 2026. The campaign used residential proxy rotation and AWS-hosted scanning to locate login panels, generating over 111,834 sessions from more than 63,000 unique IP addresses.
The targeted operation highlighted advanced capabilities in mapping infrastructure, achieving a significant 79% targeting rate against Citrix Gateway honeypots. This rate indicates deliberate reconnaissance activity rather than random opportunistic scanning.
Dual-Pronged Approach in Attack Strategy
The attack was executed using two distinct but coordinated modes: login panel discovery and version disclosure. The login panel discovery phase generated 109,942 sessions from 63,189 source IPs, mainly from residential proxies and Azure infrastructure, focusing on the /logon/LogonPoint/index.html endpoint.
In contrast, the version disclosure campaign involved 1,892 sessions from 10 AWS IP addresses, targeting the /epa/scripts/win/nsepa_setup.exe file path. Both campaigns began at the same time, shortly before February 1st, and both targeted Citrix infrastructure specifically.
- The login panel discovery mode utilized IPs distributed across various countries, complicating detection and mitigation.
- The version disclosure campaign was concentrated in AWS regions us-west-1 and us-west-2.
Implications and Recommendations
This complex scanning operation mirrors previous tactics used in Citrix exploitation campaigns, where vulnerable instances were mapped prior to deploying exploits. A notable finding was a single Microsoft Azure Canada IP address generating 39,461 sessions, accounting for 36% of all login panel traffic.
Organizations are advised to implement immediate detection and defensive measures such as monitoring for blackbox-exporter user agents, alerting on unusual access patterns, and reviewing external Citrix Gateway exposure. Additional measures include suppressing version disclosure in HTTP responses and flagging access from unexpected geographic regions.
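As an added example (not code from the GreyNoise report or this article), the following Python flags access-log requests that match the indicators named above: the two Citrix paths, a blackbox-exporter user agent, and repeated hits from a single source. It assumes a reverse proxy in front of the gateway writing Apache/NGINX combined log format; the burst threshold and all sample lines are constructed.

```python
import re
from collections import Counter

# Endpoints and user-agent string named in the report.
RECON_PATHS = {
    "/logon/LogonPoint/index.html": "login-panel-discovery",
    "/epa/scripts/win/nsepa_setup.exe": "version-disclosure",
}
RECON_UA = "blackbox-exporter"

# Combined log format is an assumption; NetScaler's own logs use other layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return reason tags for one log line; [] means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if path in RECON_PATHS:
        reasons.append(RECON_PATHS[path])
    if RECON_UA in m.group("ua").lower():
        reasons.append("blackbox-exporter-ua")
    return reasons

def triage(lines, burst_threshold=3):
    """Aggregate flagged requests per source IP; mark sources at or over the threshold."""
    hits, tags = Counter(), {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            ip = LOG_RE.match(line).group("ip")
            hits[ip] += 1
            tags.setdefault(ip, set()).update(reasons)
    return {ip: {"hits": n, "tags": sorted(tags[ip]), "burst": n >= burst_threshold}
            for ip, n in hits.items()}

SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.10 - - [31/Jan/2026:23:58:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [31/Jan/2026:23:58:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [31/Jan/2026:23:58:04 +0000] "GET /logon/LogonPoint/index.html?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Jan/2026:23:59:10 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 90112 "-" "blackbox-exporter/0.24.0"',
    '192.0.2.44 - - [01/Feb/2026:00:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed real log lines to triage() and alert on any entry with burst set or with the version-disclosure tag; one request for nsepa_setup.exe from an unknown source is already worth a look.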
Conclusion
The observed reconnaissance activity is likely a precursor to exploitation attempts targeting Citrix ADC and NetScaler Gateway vulnerabilities. Organizations should remain vigilant, implementing comprehensive monitoring and defensive strategies to safeguard their infrastructure against potential breaches.
