Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
News, news analysis, and commentary on the latest trends in cybersecurity technology.
Mandiant Releases Scanner to Identify Compromised NetScaler ADC, Gateway
Mandiant's IoC Scanner will help enterprises collect indicators of compromise on affected Citrix NetScaler products.
2 Min Read
Source: Metta_zoom via Alamy Stock Photo
With thousands of Citrix networking products vulnerable to a critical vulnerability still unpatched and exposed on the Internet, Mandiant has released a tool to help enterprise defenders identify those that have been compromised.
The IoC Scanner is designed to be used with Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0.
Citrix issued a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products on July 18, along with a recommendation for organizations using the affected products to apply it immediately. The vuln could be exploited to allow unauthenticated remote code execution. Several threat groups are already actively exploiting the flaw by installing web shells inside of corporate networks and carrying out dozens of exploits.
Researchers say that nearly 7,000 instances remain exposed on the Web. Of those, around 460 have Web shells installed, likely due to compromise.
Mandiant's tool, available on GitHub, can identify the file system paths of known malware, post-exploitation activity in shell history, unexpected crontab entries and processes, and known malicious terms and unexpected modification of NetScaler directories. The standalone Bash script can be run directly on a Citrix ADC appliance to scan files, processes, and ports for known indicators. (The tool must be run as root in live mode on the appliance.) It can also inspect a mounted forensic image to use in an investigation, Mandiant said.
The IoC Scanner will do a "best-effort job" at identifying compromised products, but it may not be able to find all compromised devices or be able to whether the device is vulnerable to exploitation, Mandiant said. "This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519," according to the company.
About the Author(s)
You May Also Like
More Insights
Webinars
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024