Citrix releases IoC scanner for ADC and Gateway vulnerabilities

As patches for its vulnerable NetScaler ADC and Gateway products begin to roll out, Citrix enlists FireEye Mandiant to develop an indicator of compromise scanner for customers

Citrix and security partner FireEye Mandiant have released an indicator of compromise (IoC) scanner to help customers determine whether their systems have been breached through CVE-2019-19781, the vulnerability in Citrix’s NetScaler application delivery controller (ADC) and Gateway products that was first disclosed in December 2019.

The free tool – which can be downloaded from either Citrix’s or FireEye’s GitHub repository – has been made available under the Apache 2.0 open source licence. It is run locally on an ADC or Gateway appliance and delivers a rapid assessment of potential IoCs based on currently known attacks and exploits, of which there are a growing number. Because it matches only indicators from attacks known at the time of release, a clean result shows that none of those known indicators was found, not that the device was never compromised.

Citrix CISO Fermin Serna said: “While our security and engineering teams have been working around the clock to develop, test and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected.

“We partnered with FireEye Mandiant, which is at the forefront of cyber threat intelligence and forensic analysis, to develop a tool that leverages their knowledge of recent attacks against CVE-2019-19781 to help organisations identify potential compromises.

“The tool utilises our technical knowledge of the Citrix ADC and Gateway products and CVE-2019-19781, combined with industry-leading expertise in cyber forensics and recent FireEye frontline learnings from CVE-2019-19781-related compromises.”

FireEye Mandiant CTO Charles Carmakal added: “As we worked closely with various Citrix customers in their response to CVE-2019-19781, we developed an understanding of the active threats related to this vulnerability.

“We believe it is in the best interest of Citrix customers using affected product versions and the entire security community for us to join forces with Citrix to offer a free tool that organisations can rapidly deploy in their own environments to identify potential indicators of compromise of their systems.”

Serna urged concerned customers to run the IoC tool as well as take the mitigation steps previously set out by the supplier. He reiterated that Citrix was “deeply committed” to the security of its solutions and was “making every effort” to ensure customers were supported adequately.

He said Citrix was working “aggressively” to identify customers who had not yet applied the recommended mitigations and was encouraging them to do so, and that its security team was scanning for other at-risk customers. The firm has also expanded the number of people available on its service desk.

Meanwhile, earlier this week, Citrix moved up the timetable for a number of its permanent fixes. It had previously said the fixes for some versions of the ADC and Gateway products (versions 10.5, 12.1 and 13.0) would not be available until Friday 31 January 2020. These final patches will now be made available on Friday 24 January, alongside patches for Citrix SD-WAN WANOP. Patches for versions 11.1 and 12.0 have been available since Sunday 19 January.

Although no major compromises have yet come to light as a result of the Citrix vulnerability – unofficially dubbed Shitrix by the infosec community – accounts have been emerging of some of the ways threat actors are exploiting it, and of some of its wider effects.

Among these is a group that, having exploited CVE-2019-19781 on a device, apparently blocks further exploitation of the vulnerability by other attackers while keeping backdoor access to the compromised device for its own future use.

Meanwhile, in the Netherlands, where the Dutch National Cyber Security Centre (NCSC) last week urged organisations to switch off their Citrix ADC and Gateway servers altogether, CVE-2019-19781 has now been implicated in a series of traffic jams.

According to the Royal Dutch Touring Club (ANWB), traffic conditions in the Netherlands have been worse than usual this week because, after following the NCSC’s advice, fewer people have been able to log into their organisations’ systems to work from home.