Mandiant Rolls Out Scanner to Detect Compromised Citrix Devices

August 15, 2023

Mandiant has developed a scanner to determine whether a Citrix NetScaler Application Delivery Controller (ADC) or NetScaler Gateway Appliance has been compromised in extensive attacks that exploited the CVE-2023-3519 vulnerability. This critical Citrix flaw was identified in mid-July 2023 as a zero-day, with threat actors actively leveraging it to execute code remotely on vulnerable devices without authentication.

A week after Citrix released security updates to resolve the issue, Shadowserver noted that about 15,000 appliances exposed to the internet had not yet implemented the patches. However, even for those organizations that did apply the security updates, the risk of compromise persists, as the patch does not eliminate malware, backdoors, or webshells installed by the attackers during the post-compromise phase.

In response to this, Mandiant has released a scanner that allows organizations to inspect their Citrix ADC and Citrix Gateway devices for indications of compromise and post-exploitation activity. As stated in Mandiant's post, "The tool is designed to do a best effort job at identifying existing compromises. It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation."

The Mandiant Citrix IOC Scanner must be run directly on a device or a mounted forensic image. It scans the local filesystem and configuration files for various indicators of compromise (IOCs). Upon completion, the scanner displays a summary indicating if it found any signs of compromise.

If the device is found to be compromised, the scanner presents a detailed report listing the IOCs it detected. The specific IOCs it looks for on Citrix devices are documented in detail.

More information on how to use the scanner tool and interpret the results can be found on Mandiant's GitHub repository for the project. If signs of compromise are detected, a comprehensive forensic examination on the affected appliances and network components is recommended to assess the scope and extent of the breach.

It's crucial to note that a negative result is not a guarantee that a system hasn't been compromised, since attackers can conceal their activities and often had ample time to do so. It's advised to run the scanner on all internet-exposed appliances that were running a vulnerable firmware version at any point. The scanner is compatible with Citrix ADC and Citrix Gateway versions 12.0, 12.1, 13.0, and 13.1.
