New CVE-2023-3519 scanner detects hacked Citrix ADC, Gateway devices
Mandiant has released a scanner to check if a Citrix NetScaler Application Delivery Controller (ADC) or NetScaler Gateway Appliance was compromised in widespread attacks exploiting the CVE-2023-3519 vulnerability.
The critical CVE-2023-3519 Citrix flaw was discovered in mid-July 2023 as a zero-day, with hackers actively exploiting it to execute code remotely without authentication on vulnerable devices.
A week after Citrix made security updates to address the problem available, Shadowserver reported that there were still 15,000 internet-exposed appliances that hadn't applied the patches.
However, even for organizations that installed the security updates, the risk of being compromised remains, as the patch does not remove malware, backdoors, and webshells planted by the attackers in the post-compromise phase.
Scanner checks for hacked devices
Today, Mandiant released a scanner that enables organizations to examine their Citrix ADC and Citrix Gateway devices for signs of compromise and post-exploitation activity.
"The tool is designed to do a best effort job at identifying existing compromises," reads Mandiant's post.
"It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation."
Mandiant's Citrix IOC Scanner must be run directly on a device or a mounted forensic image, as it scans the local filesystem and configuration files for the presence of various IOCs.
When finished, the scanner will display a summary detailing if it encountered any signs of compromise, as shown below.
[Image: Positive scan result. Source: Mandiant]
If it detects that the device was compromised, the scanner will display a detailed report listing the various indicators of compromise that were detected.
[Image: Detected IOCs in Citrix scan. Source: Mandiant]
Some of the indicators of compromise that the scanner looks for on Citrix devices are listed below:
- File system paths that may contain suspicious files:
  - /var/netscaler/logon/LogonPoint/uiareas
  - /var/netscaler/logon/LogonPoint/uiareas/*/
  - /netscaler/ns_gui/epa/scripts/*/
  - /netscaler/ns_gui/vpns/theme/default
  - /var/vpn/themes/
- Known attacker or suspicious commands in the shell history:
  - whoami$
  - cat /flash/nsconfig/keys
  - ldapsearch
  - chmod +x /tmp
  - openssl des3
  - ping -c 1
  - cp /bin/sh
  - chmod +s /var
  - echo
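As an added illustration, and not Mandiant's scanner (which the article describes only at a high level), the Python script below applies the two indicator lists above to a mounted forensic image: it inventories every file under the named directories so an analyst can compare them against a known-good appliance, and it checks shell-history lines against the listed command patterns treated as regular expressions. The function names, the constructed history lines and the throwaway file layout are assumptions made for the example; only the paths and command patterns come from the article.

```python
"""Minimal triage of a mounted Citrix ADC / Gateway image for the IOCs listed above.

Added example, not Mandiant's scanner: it only inventories the directories and
shell-history patterns the article names so an analyst can review them.
"""
import re
import tempfile
from pathlib import Path

# Directories the article names as places to look for suspicious files,
# given relative to the mount point of the forensic image (leading "/" dropped).
SUSPICIOUS_PATH_GLOBS = [
    "var/netscaler/logon/LogonPoint/uiareas",
    "var/netscaler/logon/LogonPoint/uiareas/*/",
    "netscaler/ns_gui/epa/scripts/*/",
    "netscaler/ns_gui/vpns/theme/default",
    "var/vpn/themes/",
]

# Shell-history patterns from the article, written as regular expressions.
# "+" is escaped so "chmod +x" matches literally; "whoami$" keeps its end anchor.
SUSPICIOUS_COMMAND_PATTERNS = [
    r"whoami$",
    r"cat /flash/nsconfig/keys",
    r"ldapsearch",
    r"chmod \+x /tmp",
    r"openssl des3",
    r"ping -c 1",
    r"cp /bin/sh",
    r"chmod \+s /var",
    r"echo",
]
_COMPILED = [(p, re.compile(p)) for p in SUSPICIOUS_COMMAND_PATTERNS]


def scan_shell_history(lines):
    """Return (line_number, pattern, line) for every history line that hits a pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        for pattern, regex in _COMPILED:
            if regex.search(text):
                hits.append((number, pattern, text))
    return hits


def inventory_paths(image_root):
    """List every file under the watched directories, with its mtime, for analyst review.

    A file here is not automatically malicious (theme directories hold legitimate
    content); the goal is a compact list to diff against a known-good appliance.
    """
    root = Path(image_root)
    seen = {}
    for pattern in SUSPICIOUS_PATH_GLOBS:
        for match in root.glob(pattern.rstrip("/")):
            files = [match] if match.is_file() else (p for p in match.rglob("*") if p.is_file())
            for f in files:
                seen[f.relative_to(root).as_posix()] = f.stat().st_mtime
    return sorted(seen.items())


# Constructed sample history, not taken from a real appliance (assumption for the demo).
SAMPLE_HISTORY = [
    "show ns version",
    "whoami",
    "cat /flash/nsconfig/keys",
    "ping -c 1 192.0.2.10",
    "ls -la /var/tmp",
]


def run_demo():
    """Build a throwaway image layout with two constructed files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("var/vpn/themes/sample.txt", "netscaler/ns_gui/epa/scripts/demo/sample2.txt"):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample content\n")
        found_files = [rel for rel, _mtime in inventory_paths(root)]
    history_hits = [(n, pattern) for n, pattern, _line in scan_shell_history(SAMPLE_HISTORY)]
    return found_files, history_hits


if __name__ == "__main__":
    files, hits = run_demo()
    print("files under watched paths:", files)
    print("suspicious history lines:", hits)
```

On a real image, point `inventory_paths` at the mount point and feed `scan_shell_history` the lines of the appliance's shell history file; a bare `echo` pattern is noisy by design, so review hits in context rather than treating each match as a verdict.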