Mandiant Rolls Out Scanner to Detect Compromised Citrix Devices
August 15, 2023
Mandiant has released a scanner that checks whether a Citrix NetScaler Application Delivery Controller (ADC) or NetScaler Gateway appliance was compromised in the wide-ranging attacks that exploited CVE-2023-3519. The critical flaw was disclosed in mid-July 2023 as a zero-day that threat actors were already using to execute code on vulnerable appliances without authentication. Per Citrix's advisory, the bug is only exploitable when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is exactly the internet-facing role most of these devices play.
A week after Citrix released security updates for the issue, Shadowserver reported that about 15,000 internet-exposed appliances had still not been patched. Even organizations that did apply the updates are not in the clear: the patch closes the entry point but does not remove webshells, backdoors, or other malware that attackers planted after gaining access.
To address that gap, Mandiant has released a scanner that lets organizations inspect their Citrix ADC and Citrix Gateway devices for indications of compromise and post-exploitation activity. As stated in Mandiant's post, "The tool is designed to do a best effort job at identifying existing compromises. It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation."
The Mandiant Citrix IOC Scanner must be run directly on the appliance or against a mounted forensic image of it. It sweeps the local filesystem and configuration files for a set of indicators of compromise (IOCs) and, when it finishes, prints a summary stating whether it found any signs of compromise.
If the device appears to be compromised, the scanner presents a detailed report listing each IOC it detected. The specific IOCs it looks for on Citrix devices are documented in the project's repository.
More information on how to use the scanner tool and interpret the results can be found on Mandiant's GitHub repository for the project. If signs of compromise are detected, a comprehensive forensic examination on the affected appliances and network components is recommended to assess the scope and extent of the breach.
A negative result must not be read as a guarantee that a system is clean: attackers can conceal their activity and in many cases had weeks in which to do so. Mandiant advises running the scanner on every internet-exposed appliance that ran a vulnerable firmware version at any point, not only on those that are still unpatched. The scanner supports Citrix ADC and Citrix Gateway versions 12.0, 12.1, 13.0, and 13.1.
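To make concrete what a "best effort" post-exploitation sweep looks like, the script below is an added example written for this article; it is not Mandiant's scanner and does not use its IOC list. It checks a NetScaler filesystem root (the live `/` or the mount point of a forensic image) for three classes of artifact: recently modified PHP files in web-served directories whose contents evaluate or execute request-controlled input, cron entries that run code from world-writable directories or call download tools, and POST requests to `.php` files under gateway paths in the HTTP access log. The directory names, crontab location, log path and log format are assumptions about the appliance layout, and the demo tree it builds is constructed for the example, not a real IOC set.

```shell
#!/bin/sh
# Added example, not Mandiant's scanner: a small best-effort sweep for
# post-exploitation artifacts on a NetScaler filesystem. <root> is "/" on a live
# appliance or the mount point of a forensic image. Every NetScaler path and log
# format used here is an assumption about the appliance layout; check them
# against your own build before relying on the output.

# Web-served directories where a dropped file would be reachable over HTTP (assumed).
WEB_DIRS="var/netscaler/logon/LogonPoint/uiareas var/vpn/themes netscaler/ns_gui/vpn"

# PHP files under the web-served directories modified on or after $2 (YYYY-MM-DD).
find_new_php() {
  root="$1"; since="$2"
  for d in $WEB_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f -name '*.php' -newermt "$since"
  done
}

# Heuristic: recent PHP that evaluates or executes request-controlled input.
webshell_hits() {
  find_new_php "$1" "$2" | while IFS= read -r f; do
    grep -lE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|(system|shell_exec|passthru|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)' "$f"
  done
}

# Cron entries that run from world-writable dirs or call download tools (persistence).
suspicious_cron() {
  root="$1"
  for f in "$root"/etc/crontab "$root"/var/cron/tabs/*; do
    [ -f "$f" ] || continue
    grep -E '/tmp/|/var/tmp/|/dev/shm/|(curl|wget|nc|python)[[:space:]]' "$f" | sed "s|^|$f: |"
  done
}

# POST requests to a .php under a gateway path in the HTTP access logs
# (assumed: combined log format in /var/log/httpaccess.log*, gzip-rotated).
php_posts() {
  root="$1"
  for f in "$root"/var/log/httpaccess.log*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.gz) zcat "$f" ;;
      *)    cat "$f" ;;
    esac | grep -E '"POST /(vpn|logon)/[^" ]*\.php'
  done
}

# All findings, one per line, tagged with the check that produced them.
findings() {
  root="$1"; since="${2:-2023-07-01}"
  webshell_hits "$root" "$since" | sed 's/^/webshell: /'
  suspicious_cron "$root"        | sed 's/^/cron: /'
  php_posts "$root"              | sed 's/^/log: /'
}

# Number of findings. 0 means "nothing matched", not "not compromised".
count_findings() {
  findings "$@" | grep -c . || true
}

# Constructed demo tree (not real IOCs): a benign theme file, a planted webshell,
# a cron line running a script from /tmp, and an access log with a POST to the shell.
build_demo_root() {
  r=$(mktemp -d)
  mkdir -p "$r/var/vpn/themes" "$r/var/cron/tabs" "$r/var/log"
  printf '<?php echo "theme ok"; ?>\n' > "$r/var/vpn/themes/ok.php"
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$r/var/vpn/themes/x.php"
  printf '# nightly housekeeping\n0 3 * * * /bin/true\n* * * * * sh /tmp/.u >/dev/null 2>&1\n' \
    > "$r/var/cron/tabs/root"
  printf '%s\n' \
    '10.0.0.5 - - [20/Jul/2023:01:02:03 +0000] "GET /vpn/index.html HTTP/1.1" 200 512' \
    '10.0.0.5 - - [20/Jul/2023:01:02:09 +0000] "POST /vpn/themes/x.php HTTP/1.1" 200 12' \
    > "$r/var/log/httpaccess.log"
  echo "$r"
}

# Usage: sh sweep.sh <root> [since-date]    or    sh sweep.sh --demo
if [ -n "${1:-}" ]; then
  target="$1"; since_arg="${2:-2023-07-01}"
  [ "$target" = "--demo" ] && target=$(build_demo_root)
  findings "$target" "$since_arg"
  echo "total findings: $(count_findings "$target" "$since_arg")"
fi
```

Run it as `sh sweep.sh /` on a live appliance, or `sh sweep.sh /mnt/image 2023-07-01` against a mounted image with the date set to the earliest plausible exploitation; `sh sweep.sh --demo` builds the constructed tree and reports its three findings. The same caveat that applies to the Mandiant tool applies here: a total of 0 says only that nothing matched these patterns, and any hit calls for a full forensic examination rather than a cleanup of the matched file.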
Related News
- Critical Citrix Vulnerability Being Actively Exploited: Thousands of Instances Still at Risk
- Critical Citrix ADC Vulnerability: PoC Released for 0-day Flaw - CVE-2023-3519
- Ongoing Attacks Breach Over 640 Citrix Servers Exploiting Critical RCE Vulnerability