Mass reconnaissance of Citrix ADC: residential proxies and access routes that prepare the ground for an attack


Last week, a coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure (also known as Citrix ADC) was detected. According to the analysis published by GreyNoise, the scans took place between January 28 and February 2 and used a flood of IP addresses to locate exposed authentication panels and collect information on product versions, which points to mapping work ahead of possible exploitation.

The figures provided by GreyNoise are striking: more than 63,000 distinct IP addresses opened 111,834 scanning sessions, and approximately 79% of the observed traffic hit the Citrix Gateway honeypots. Of that volume, about 64% came from residential proxies, addresses that appear to belong to consumer ISP customers and that, because of that appearance, easily evade reputation-based filters. The remaining 36% of the activity came from a single IP hosted in Microsoft Azure.


The attack patterns do not look like a random sweep. First, the vast majority of sessions focused on identifying remote access interfaces through requests to /login/LogonPoint/index.html, the typical route to the Citrix authentication panel. This mass, repeated behavior suggests a specific interest in locating exposed portals at scale. In parallel, on February 1 an intense "sprint" of roughly six hours was observed in which a dozen IPs launched almost 1,900 sessions looking for the Endpoint Analysis installer at /epa/scripts/win/nsepa_setup.exe, which indicates an attempt to quickly identify which Citrix versions are present and whether they expose artifacts that reveal their version.

Another relevant signal is the user-agent fingerprint: GreyNoise observed strings imitating Chrome 50, an old version released in 2016. Such obsolete browser fingerprints and the massive use of residential proxies are common techniques for hindering detection and evading controls that block IP addresses with a bad reputation.

Why is this kind of reconnaissance a concern? Because once an attacker accurately maps a platform and its versions, they can prepare specific exploits against known vulnerabilities. In the case of Citrix, critical-severity flaws have surfaced in recent months and have been exploited in the past; the detection of probes aimed at identifying versions and EPA paths therefore raises the alarm that a targeted attack may be in preparation. The original report and its technical indicators are available from GreyNoise here: labs.greynoise.io - GreyNoise report.

The recommendations that follow from these findings are practical and span prevention through early detection. Among the measures advised by the researchers: monitor requests using suspicious user agents (e.g. strings related to "blackbox-exporter") when they come from unauthorized origins, generate alerts on external access to /epa/scripts/win/nsepa_setup.exe, and detect rapid enumeration patterns against login paths such as /login/LogonPoint/. They also recommend monitoring HEAD requests to Citrix Gateway endpoints and paying attention to obsolete browser fingerprints that do not fit the expected profile of legitimate users.

At the configuration and hardening level, practical tips include reviewing whether it is really necessary to expose Citrix gateways directly to the Internet, restricting access to the /epa/scripts/ directory to managed networks only, removing or reducing the version information servers return in HTTP responses, and monitoring unusual activity from residential ISPs in regions where the organization has no users. GreyNoise also provided the identified IP addresses so security teams can check them against their own logs.
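As an added example (not from the GreyNoise report or from Citrix), the following Python script turns the detection recommendations above and the managed-network restriction into a check that runs over access-log lines: external access to the EPA installer, HEAD probes and bursts against the logon path, the "blackbox-exporter" user agent, and obsolete Chrome fingerprints. The sample log lines, the managed network range, the burst threshold and the stale-Chrome cut-off are all constructed assumptions.

```python
import ipaddress, re
from collections import Counter, defaultdict

# Constructed sample lines in combined log format (not taken from the GreyNoise report).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2026:10:00:01 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0.2661.102 Safari/537.36"
203.0.113.11 - - [01/Feb/2026:10:00:02 +0000] "HEAD /login/LogonPoint/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 Chrome/50.0.2661.102"
203.0.113.11 - - [01/Feb/2026:10:00:03 +0000] "GET /login/LogonPoint/index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0 Chrome/50.0.2661.102"
203.0.113.11 - - [01/Feb/2026:10:00:04 +0000] "GET /login/LogonPoint/index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0 Chrome/50.0.2661.102"
10.20.30.40 - - [01/Feb/2026:10:00:05 +0000] "GET /login/LogonPoint/index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0.0.0 Safari/537.36"
198.51.100.7 - - [01/Feb/2026:10:00:06 +0000] "GET /login/LogonPoint/index.html HTTP/1.1" 200 3210 "-" "blackbox-exporter/0.24.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
EPA_INSTALLER = "/epa/scripts/win/nsepa_setup.exe"   # installer path named in the report
LOGON_PREFIX = "/login/LogonPoint/"                  # logon path named in the report
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")
STALE_CHROME_BELOW = 100   # assumed cut-off; the Chrome 50 strings seen are far below it
BURST_THRESHOLD = 3        # assumed: logon-path hits from one IP in the analysed window
MANAGED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed managed address ranges


def is_managed(ip):
    # True if the client address belongs to an assumed managed network.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_NETS)


def analyse(log_text):
    # Returns {client_ip: sorted alert kinds} for the indicators recommended above.
    alerts = defaultdict(set)
    logon_hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        if path == EPA_INSTALLER and not is_managed(ip):
            alerts[ip].add("epa_installer")   # external access to the EPA installer
        if path.startswith(LOGON_PREFIX):
            logon_hits[ip] += 1
            if method == "HEAD":
                alerts[ip].add("head_probe")  # HEAD request against the logon endpoint
        if "blackbox-exporter" in ua.lower() and not is_managed(ip):
            alerts[ip].add("scanner_ua")      # suspicious user agent from outside
        cm = CHROME_MAJOR.search(ua)
        if cm and int(cm.group(1)) < STALE_CHROME_BELOW:
            alerts[ip].add("stale_browser")   # obsolete browser fingerprint
    for ip, n in logon_hits.items():
        if n >= BURST_THRESHOLD and not is_managed(ip):
            alerts[ip].add("logon_burst")     # rapid enumeration of the logon path
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}
```

Run `analyse(SAMPLE_LOG)` to see the per-IP alert kinds; in practice the burst counter should be applied per time window rather than over a whole file.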


If you manage Citrix gateways or environments that depend on Citrix ADC, it is advisable to regularly consult the vendor's own security communications and lists of known vulnerabilities. Citrix maintains a page dedicated to security advisories and updates where official patches and mitigations are published: support.citrix.com - Citrix Security. In addition, bodies that track vulnerabilities exploited in the wild, such as the US Cybersecurity and Infrastructure Security Agency (CISA), provide catalogs and advisories that help prioritize critical patches: CISA - Known Exploited Vulnerabilities Catalog.

What lesson does this campaign leave? It is twofold: on the one hand, attackers keep refining their techniques to avoid being blocked by simple reputation filters; on the other, the massive, orderly enumeration of specific paths and artifacts reveals intentions that go beyond casual scanning. For security teams that means increasing telemetry on gateway access, tuning correlation rules that detect bursts of similar requests, and protecting themselves by exposing only the essential minimum to the outside.

In the end, it is not only a matter of reacting when a public exploit appears, but of detecting and curbing the prior mapping that so often precedes such attacks. Keeping systems patched, limiting the exposure of critical services and having alerts that recognize reconnaissance patterns are simple but effective measures to raise the cost of future attacks and reduce the likelihood of being the next target.
