Citrix NetScaler targeted by large-scale reconnaissance campaign

A coordinated reconnaissance campaign has been targeting Citrix NetScaler infrastructure over the past week, using tens of thousands of residential proxies to discover login panels. The activity, observed between January 28 and February 2, also focused on enumerating product versions, which indicates an organized discovery effort, according to Bleeping Computer.

Threat monitoring platform GreyNoise traced the scanning traffic to over 63,000 distinct IPs, with approximately 64% originating from residential proxies that bypassed reputation-based filtering. The campaign primarily targeted Citrix Gateway honeypots, with a significant portion of traffic aimed at identifying exposed login panels via the "/logon/LogonPoint/index.html" path. A secondary focus involved enumerating Citrix versions by targeting the "/epa/scripts/win/nsepa_setup.exe" URL path.

This pre-exploitation infrastructure mapping highlights the ongoing threat to widely used network appliances. Organizations are advised to review whether their Citrix Gateways need to be internet-facing, restrict access to sensitive directories like "/epa/scripts/", disable version disclosure, and monitor for anomalous access patterns, particularly from residential IP ranges.
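One way to monitor for the access pattern described above, as an added example that is not from GreyNoise, Bleeping Computer or Citrix: it buckets hits on the two reported paths by hour and counts distinct source IPs, since a scan spread across proxies sends only one or two requests per address and stays under per-IP rate limits. The "combined" access log format, the `min_sources` threshold, the `_line` helper and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Paths named in the article; the labels are this example's own.
WATCHED = {
    "/logon/LogonPoint/index.html": "login-panel discovery",
    "/epa/scripts/win/nsepa_setup.exe": "version enumeration",
}
# Assumed input: "combined"-format access log lines from a proxy in front of the gateway.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3}')

def summarize(lines, min_sources=3):
    """Report (hour, path) buckets hit by at least min_sources distinct IPs."""
    # min_sources is an assumed threshold; set it above the normal hourly client count.
    hits = defaultdict(lambda: defaultdict(int))  # (hour, path) -> ip -> count
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line
        ip, ts, target = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path not in WATCHED:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(when.strftime("%Y-%m-%d %H:00"), path)][ip] += 1
    rows = []
    for (hour, path), per_ip in sorted(hits.items()):
        if len(per_ip) >= min_sources:
            rows.append({"hour": hour, "path": path, "kind": WATCHED[path],
                         "requests": sum(per_ip.values()), "sources": len(per_ip),
                         "single_shot": sum(1 for c in per_ip.values() if c == 1)})
    return rows

def _line(ip, minute, path):  # hypothetical helper: builds one constructed log line
    return (f'{ip} - - [30/Jan/2026:10:{minute:02d}:00 +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

LOGON, EPA = list(WATCHED)
SAMPLE = [  # constructed data, documentation IP ranges only
    _line("192.0.2.10", 1, LOGON), _line("198.51.100.7", 2, LOGON),
    _line("203.0.113.44", 3, LOGON), _line("203.0.113.45", 4, LOGON + "?x=1"),
    _line("192.0.2.10", 5, LOGON), _line("192.0.2.99", 6, EPA),
    _line("198.51.100.8", 7, EPA), _line("192.0.2.50", 8, "/vpn/index.html"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Legitimate users also load the logon page, so the useful signal is a bucket whose source count and single-request share rise well above the gateway's own baseline.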

Source: Bleeping Computer
