IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781

Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781.

CVE-2019-19781 IoC scanner

Finding evidence of compromise

By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released.

Though the number of vulnerable Citrix endpoints is declining rather quickly, we don’t know how many have been compromised since the start of the attacks.

Nearly two weeks ago, TrustedSec created a list of locations and indicators to search for on potentially compromised Citrix ADC hosts and shared instructions on how to check for them.

Citrix’s and FireEye’s new tool makes the search for IoCs much easier.

About the CVE-2019-19781 IoC scanner

The IoC Scanner (as they call it) can be run directly on a live Citrix ADC, Gateway, or SD-WAN WANOP system, or can be used to inspect a mounted forensic image.

When run on a live system, it scans files, processes, and ports for known indicators, and analyzes available log sources and system forensic artifacts to identify evidence of successful exploitation of the flaw.

Its output will tell users whether there is:

  • Strong evidence of compromise (e.g., unexpected processes, listening UDP ports, web access logs showing exploit HTTP requests, etc.)
  • Evidence of the system having been successfully probed for the flaw
  • Evidence of unsuccessful vulnerability scanning (attempts to scan or exploit the system did not succeed).


Caveats

“Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs are identified,” FireEye made sure to point out.

“It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system. The tool is limited to the tool-related indicators that FireEye is aware of at the time of release of the tool or tool-related indicators.”

They did not say whether they intend to update it with new indicators as they become aware of them.

Also, they noted that “there are limitations in what the tool will be able to accomplish and therefore executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have truncated or rolled, the system may have been rebooted, or an attacker may have tampered with the system to remove evidence of compromise and/or installed a rootkit that masks evidence of compromise.”

But if the tool shows that IoCs are present, admins should definitely initiate a forensic investigation to determine the scope of the compromise.
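The caveat about truncated or rolled logs can be checked before a clean scan result is relied on. The Python below is an added example, not code from the FireEye/Citrix tool: it qualifies a scanner result by how much log evidence actually survives. The Apache-style timestamp format, the 24-hour gap threshold, the function names, the dates and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: Apache-style timestamps such as [14/Jan/2020:09:10:11 +0000].
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

SAMPLE_LOG = [  # constructed lines, not taken from a real appliance
    '198.51.100.7 - - [14/Jan/2020:09:10:11 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jan/2020:21:40:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jan/2020:08:02:45 +0000] "GET / HTTP/1.1" 200 512',
]

def parse_stamps(lines):
    """Return the sorted timestamps of every line that carries one."""
    found = (TS_RE.search(line) for line in lines)
    return sorted(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
                  for m in found if m)

def interpret(iocs_found, lines, exposed_since, scanned_at,
              max_gap=timedelta(hours=24)):
    """Qualify a scanner result; both datetimes must be timezone-aware."""
    if iocs_found:
        return "investigate: IoCs present, scope the compromise"
    stamps = parse_stamps(lines)
    if not stamps:
        return "inconclusive: no timestamped log entries survive"
    if stamps[0] > exposed_since:
        # Oldest entry is newer than the exposure start: logs rolled or truncated.
        return f"inconclusive: logs only start at {stamps[0]:%Y-%m-%d %H:%M}"
    # Measure silence inside the exposure window, including both of its edges.
    inside = [t for t in stamps if exposed_since < t < scanned_at]
    window = [exposed_since, *inside, scanned_at]
    gap = max(b - a for a, b in zip(window, window[1:]))
    if gap > max_gap:
        return f"inconclusive: {gap} without log entries in the window"
    return "no IoCs in surviving evidence (not proof of a clean system)"

if __name__ == "__main__":
    utc = timezone.utc
    print(interpret(False, SAMPLE_LOG,
                    exposed_since=datetime(2020, 1, 1, tzinfo=utc),
                    scanned_at=datetime(2020, 1, 15, 12, tzinfo=utc)))
```

Even the last branch only describes the evidence that remains; a reboot or tampering, as the quoted caveat notes, is not visible to a check like this.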
