New CVE-2023-3519 scanner detects hacked Citrix ADC, Gateway devices

Mandiant has released a scanner to check if a Citrix NetScaler Application Delivery Controller (ADC) or NetScaler Gateway Appliance was compromised in widespread attacks exploiting the CVE-2023-3519 vulnerability. 

The critical CVE-2023-3519 Citrix flaw was discovered in mid-July 2023 as a zero-day, with hackers actively exploiting it to execute code remotely without authentication on vulnerable devices.

A week after Citrix made security updates to address the problem available, Shadowserver reported that there were still 15,000 internet-exposed appliances that hadn't applied the patches.

However, even for organizations that installed the security updates, the risk of being compromised remains, as the patch does not remove malware, backdoors, and webshells planted by the attackers in the post-compromise phase.

Today, Mandiant released a scanner that enables organizations to examine their Citrix ADC and Citrix Gateway devices for signs of compromise and post-exploitation activity.

"The tool is designed to do a best effort job at identifying existing compromises," reads Mandiant's post.

"It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation."

Mandian't Ctrix IOC Scanner must be run directly on a device or a mounted forensic image, as it will scan the local filesystem and configuration files for the presence of various IOCs.

When finished, the scanner will display a summary detailing if it encountered any signs of compromise, as shown below.

If it detects that the device was compromised, the scanner will display a detailed report listing the various indicators of compromise that were detected.

Some of the indicators of compromise that the scanner looks for on Citrix devices are listed below:

More details on using the scanner tool and interpreting the results can be found on Mandiant's GitHub repository for the project.

If the scanner reveals signs of compromise, it is recommended to perform a complete forensic examination on the impacted appliances and network parts to evaluate the scope and extent of the breach, which requires a different set of tools.

It is important to note that a negative result should not be taken as a certain that a system hasn't been compromised, as attackers still have many ways to hide their traces and, in many cases, had ample time to do so.

"Log files on the system with evidence of compromise may have been truncated or rolled, the system may have been rebooted, an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise." - Mandiant

It is recommended to run the scanner on all appliances exposed to the internet while running a vulnerable firmware version at any time.

The scanner was designed to be used with Citrix ADC and Citrix Gateway versions 12.0, 12.1, 13.0, and 13.1.

Hundreds of Citrix Endpoints Compromised With Webshells

Around 600 global Citrix servers have been compromised by a zero-day exploit enabling webshells to be installed, according to a non-profit tracking the ongoing campaign.

The Shadowserver Foundation tweeted on 2 August that the number of impacted endpoints stood at 581, but the figure is thought to be just the tip of the iceberg.

The biggest number of impacted IPs are based in Germany, followed by France and Switzerland.

As reported by Infosecurity last week, the malicious campaign exploits zero-day vulnerability CVE-2023-3519 to compromise NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway servers.

Subscribe to the Infosecurity Magazine newsletter here. 

The unauthenticated remote code execution vulnerability was patched by Citrix on July 15 and has a CVSS score of 9.8.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix warned at the time. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

At the time, Citrix also patched two other vulnerabilities: reflected cross-site scripting bug CVE-2023-3466, and CVE-2023-3467, which enables privilege escalation to root administrator.

The Shadowserver Foundation, which monitors malicious internet activity across the globe, alerted Citrix users to the campaign last week. It warned that over 15,000 NetScaler ADC and NetScaler Gateway servers were at risk of compromise, with the biggest number based in the US, followed by Germany, the UK and Australia.

Read more on Citrix vulnerabilities: Citrix Admins Urged to Act as PoC Exploits Surface

The zero-day was originally exploited to drop webshells onto an unnamed US critical infrastructure organization’s non-production environment, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data,” it continued. “The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement.”

That attack happened back in June 2023.

Editorial image credit: Ken Wolter / Shutterstock.com

Mandiant Releases Scanner to Identify Compromised NetScaler ADC, Gateway

With thousands of Citrix networking products vulnerable to a critical vulnerability still unpatched and exposed on the Internet, Mandiant has released a tool to help enterprise defenders identify those that have been compromised.

The IoC Scanner is designed to be used with Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0.

Citrix issued a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products on July 18, along with a recommendation for organizations using the affected products to apply it immediately. The vuln could be exploited to allow unauthenticated remote code execution. Several threat groups are already actively exploiting the flaw by installing web shells inside of corporate networks and carrying out dozens of exploits.

Researchers say that nearly 7,000 instances remain exposed on the Web. Of those, around 460 have Web shells installed, likely due to compromise.

Mandiant's tool, available on GitHub, can identify the file system paths of known malware, post-exploitation activity in shell history, unexpected crontab entries and processes, and known malicious terms and unexpected modification of NetScaler directories. The standalone Bash script can be run directly on a Citrix ADC appliance to scan files, processes, and ports for known indicators. (The tool must be run as root in live mode on the appliance.) It can also inspect a mounted forensic image to use in an investigation, Mandiant said.

The IoC Scanner will do a "best-effort job" at identifying compromised products, but it may not be able to find all compromised devices or be able to whether the device is vulnerable to exploitation, Mandiant said. "This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519," according to the company.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.