Wave of Citrix NetScaler scans use thousands of residential proxies

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/

ONE SENTENCE SUMMARY:

A coordinated reconnaissance campaign targeted Citrix NetScaler using proxies to discover login panels, indicating organized pre-exploitation mapping efforts.

MAIN POINTS:

  1. Tens of thousands of residential proxies targeted Citrix NetScaler infrastructure to find login panels from January 28 to February 2.
  2. Activity involved over 63,000 IPs launching 111,834 sessions, mostly targeting Citrix Gateway honeypots.
  3. 64% of traffic originated from residential proxies, appearing as legitimate ISP traffic.
  4. The scanning appeared geared toward version-specific exploit development, focusing on Citrix ADC weaknesses.
  5. Most active reconnaissance generated 109,942 sessions targeting ‘/logon/LogonPoint/index.html’.
  6. A focused six-hour activity launched 1,892 sessions to enumerate Citrix versions via EPA artifacts.
  7. Attackers used an outdated Chrome 50 user agent indicating potential version-specific interest.
  8. Recent critical Citrix vulnerabilities include CVE-2025-5777 (‘CitrixBleed 2’) and CVE-2025-5775.
  9. Detection opportunities include monitoring outdated browser fingerprints and unauthorized access attempts.
  10. Recommendations include reviewing necessity of internet-facing Citrix Gateways and restricting /epa/scripts/ access.
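The detection opportunities in points 9 and 10 can be turned into a simple log review. The following is an added example, not code from the article or from Citrix: it parses constructed access-log lines in combined log format and flags requests that hit the paths named above (`/logon/LogonPoint/index.html` and anything under `/epa/scripts/`) or carry a stale Chrome user agent. The Chrome version threshold, the sample log lines, the `/epa/scripts/win/` file name and the severity labels are assumptions; the example generalises the article's "Chrome 50" observation into a configurable "Chrome major version below N" check.

```python
import re
from collections import Counter

# Paths the article identifies as reconnaissance targets.
LOGON_PATH = "/logon/LogonPoint/index.html"
EPA_PREFIX = "/epa/scripts/"

# Assumption: any Chrome major version below this is treated as a stale
# browser fingerprint. The article reports Chrome 50; the threshold is ours.
STALE_CHROME_BELOW = 100

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

UA_OLD = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36")
UA_NEW = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")

# Constructed sample log (documentation-range IPs, invented timestamps and
# file name); not real traffic. The last line is deliberately malformed.
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [29/Jan/2026:03:14:07 +0000] "GET {LOGON_PATH} HTTP/1.1" 200 5123 "-" "{UA_OLD}"',
    f'198.51.100.23 - - [29/Jan/2026:03:14:09 +0000] "GET {EPA_PREFIX}win/nsepa_setup.exe HTTP/1.1" 404 0 "-" "{UA_OLD}"',
    f'203.0.113.10 - - [29/Jan/2026:03:14:11 +0000] "GET {EPA_PREFIX}win/nsepa_setup.exe HTTP/1.1" 404 0 "-" "{UA_OLD}"',
    f'192.0.2.77 - - [29/Jan/2026:09:01:00 +0000] "GET {LOGON_PATH} HTTP/1.1" 200 5123 "-" "{UA_NEW}"',
    '192.0.2.78 - - [29/Jan/2026:09:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2000 "-" "curl/8.4.0"',
    'this line is not a valid access-log record',
])


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def chrome_major(ua):
    """Extract the Chrome major version from a user agent, or None if absent."""
    m = re.search(r"Chrome/(\d+)\.", ua)
    return int(m.group(1)) if m else None


def is_watched_path(path):
    """True for the login panel or anything under the EPA scripts directory."""
    return path == LOGON_PATH or path.startswith(EPA_PREFIX)


def is_stale_chrome(ua, threshold=STALE_CHROME_BELOW):
    """True when the UA claims a Chrome major version older than the threshold."""
    major = chrome_major(ua)
    return major is not None and major < threshold


def analyze(log_text):
    """Scan log text; return flagged records plus per-IP and per-path counts.

    A record is 'high' severity when both a watched path and a stale browser
    fingerprint are present, 'medium' when only one of the two applies.
    """
    findings = []
    per_ip = Counter()
    per_path = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        reasons = []
        if is_watched_path(rec["path"]):
            reasons.append("watched-path")
        if is_stale_chrome(rec["ua"]):
            reasons.append("stale-chrome")
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "medium"
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "ts": rec["ts"], "reasons": reasons,
                         "severity": severity})
        per_ip[rec["ip"]] += 1
        per_path[rec["path"]] += 1
    return {"findings": findings, "per_ip": per_ip, "per_path": per_path}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['ip']:15} {f['path']} {f['reasons']}")
    print("per-IP:", dict(result["per_ip"]))
```

Against the constructed sample this flags four of the five well-formed records (three of them "high", because they combine a watched path with the old Chrome fingerprint) and counts two hits for the IP that touched both the logon page and the EPA directory; the curl request to an unrelated path is ignored and the malformed line is skipped. In a real deployment the per-IP counter is the useful signal, since the article's point is that individual residential-proxy IPs look legitimate and only the aggregate pattern stands out.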

TAKEAWAYS:

  1. Reconnaissance campaigns use residential proxies to evade reputation-based filters.
  2. Reconnaissance focused on specific product weaknesses points to exploit development.
  3. Monitor for unusual access patterns and outdated browser fingerprints.
  4. Restrict unnecessary internet exposure of Citrix systems to reduce vulnerabilities.
  5. Employ automated workflows to keep pace with the speed of modern IT infrastructure.