We have recently identified another new, persistent Citrix NetScaler credential stuffing attack against one of our customers. It uses recently compromised credentials belonging to users who had fallen victim to infostealers, including one user who was compromised only a few days earlier.
There have been multiple attempts going back months, and they share several IOCs:
- Source IPs frequently seen: 5.45.73.13, 176.124.205.197
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.
The compromised accounts used in the earlier attempts all belong to the customer in question.
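As an added example (not code from the original post), the following Python script runs the IOCs listed above over authentication log lines and adds the volume signal that distinguishes credential stuffing from an ordinary failed login: one source address trying many distinct usernames. The log layout, the sample lines, the TEST-NET addresses used for benign traffic and the Edge build-number suffix appended to the quoted User-Agent are all constructed for this example; NetScaler's real AAA syslog format differs, so `LINE_RE` is the part to adapt. The User-Agent in the post is quoted with a truncated build number, so the script matches on that prefix rather than the full string.

```python
import re
from collections import defaultdict

# Indicators quoted in the write-up above.
IOC_SOURCE_IPS = {"5.45.73.13", "176.124.205.197"}
# The User-Agent is quoted with a truncated Edge build ("Edg/115.0.1901."),
# so match on the prefix rather than on the full string.
IOC_USER_AGENT_PREFIX = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901."
)

# Constructed log layout for this example; NOT the real NetScaler syslog format.
#   <timestamp> src=<ip> user=<name> result=<success|failure> ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>success|failure) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log. The ".183" build suffix is invented to complete the UA.
IOC_UA = IOC_USER_AGENT_PREFIX + "183"
BENIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    # Spray from the first IOC address: four users tried, the last one succeeds.
    f'2024-05-01T08:00:01Z src=5.45.73.13 user=alice result=failure ua="{IOC_UA}"',
    f'2024-05-01T08:00:09Z src=5.45.73.13 user=bob result=failure ua="{IOC_UA}"',
    f'2024-05-01T08:00:17Z src=5.45.73.13 user=carol result=failure ua="{IOC_UA}"',
    f'2024-05-01T08:00:25Z src=5.45.73.13 user=dave result=success ua="{IOC_UA}"',
    # Single try from the second IOC address.
    f'2024-05-01T09:12:40Z src=176.124.205.197 user=erin result=failure ua="{IOC_UA}"',
    # Legitimate user logging in from a non-IOC address (TEST-NET, constructed).
    f'2024-05-01T09:30:00Z src=203.0.113.9 user=alice result=success ua="{BENIGN_UA}"',
    # Unknown address spraying three users: no IOC match, caught by volume only.
    f'2024-05-01T10:00:01Z src=198.51.100.7 user=frank result=failure ua="{OTHER_UA}"',
    f'2024-05-01T10:00:02Z src=198.51.100.7 user=grace result=failure ua="{OTHER_UA}"',
    f'2024-05-01T10:00:03Z src=198.51.100.7 user=heidi result=failure ua="{OTHER_UA}"',
    "this line is malformed and must be skipped",
])


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ioc_reasons(event):
    """Return the indicators a single event matches (empty list if none)."""
    reasons = []
    if event["src"] in IOC_SOURCE_IPS:
        reasons.append("ioc_ip")
    if event["ua"].startswith(IOC_USER_AGENT_PREFIX):
        reasons.append("ioc_user_agent")
    return reasons


def analyse(log_text, min_distinct_users=3):
    """Summarise activity per source IP and flag sources that look like stuffing.

    A source is flagged when any of its events match an IOC, or when it tries at
    least min_distinct_users distinct usernames (threshold is an assumption; tune
    it to the tenant). Successful logins from a flagged source are returned
    separately: those are the accounts that need a credential reset and session
    termination first.
    """
    by_source = defaultdict(lambda: {"users": set(), "failures": 0,
                                     "successes": [], "reasons": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = by_source[ev["src"]]
        s["users"].add(ev["user"])
        if ev["result"] == "success":
            s["successes"].append(ev["user"])
        else:
            s["failures"] += 1
        s["reasons"].update(ioc_reasons(ev))

    flagged, compromised = {}, set()
    for src, s in by_source.items():
        if len(s["users"]) >= min_distinct_users:
            s["reasons"].add("many_distinct_users")
        if s["reasons"]:
            flagged[src] = sorted(s["reasons"])
            compromised.update(s["successes"])
    return {
        "by_source": {src: {"distinct_users": len(s["users"]),
                            "failures": s["failures"],
                            "successes": s["successes"]} for src, s in by_source.items()},
        "flagged": flagged,
        "likely_compromised_users": sorted(compromised),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, reasons in report["flagged"].items():
        print(f"{src}: {', '.join(reasons)} ({report['by_source'][src]})")
    print("reset and terminate sessions for:", report["likely_compromised_users"])
```

Matching on source IP alone is brittle, since the addresses rotate; the distinct-username count per source and the successful login from an already-flagged source are the signals that survive an infrastructure change, and the latter is what turns an infostealer victim into an active compromise.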