The free tool, available under the Apache 2.0 open source license, provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits.
Citrix Systems and FireEye introduce new tool for detection of compromise
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these computer network exploitation (CNE) actors. Unpatched systems, and systems compromised before the updates were applied, remain susceptible to exploitation.
You can conduct compromise assessments on your systems by using the YARA rules released by FireEye. To use them, run an open-source YARA scanner or an enterprise product that supports YARA rules, distribute it to the endpoints in your environment, load the rules, and collect the results. In addition, the indicators of compromise (IoCs) embedded in the rules' strings can be searched for in your SIEM environment.
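As an added example that is not part of the original page or of FireEye's tooling, the Python script below performs the SIEM-side step described above: it pulls the plain-text strings out of a YARA rule's strings: section and sweeps log lines for them, honouring the nocase modifier. The rule and the log lines are constructed for this example (the marker strings are placeholders, not published indicators), and hex and regex strings are deliberately skipped because matching them faithfully needs a real YARA engine.

```python
"""Added example (not FireEye's tooling): extract the text strings from a YARA
rule and sweep log lines for them, the SIEM-side use of the rule IoCs."""
import re
from typing import Dict, List, Tuple

# Constructed YARA rule for this example; it is not one of FireEye's published
# rules, and the marker strings are placeholders, not real indicators.
SAMPLE_RULE = r'''
rule Example_Webshell_Marker
{
    meta:
        description = "constructed example rule"
    strings:
        $s1 = "/netscaler/portal/templates/" ascii
        $s2 = "cmd=" nocase
        $hex = { 3c 25 20 70 65 72 6c }
        $re = /eval\(.+\)/
    condition:
        any of them
}
'''

# Constructed log lines standing in for SIEM search results (hypothetical host).
SAMPLE_LOGS = [
    '2020-01-13T10:01:02Z appliance1 httpd "GET /vpn/index.html" 200',
    '2020-01-13T10:02:17Z appliance1 sh: file written under /netscaler/portal/templates/',
    '2020-01-13T10:02:41Z appliance1 httpd "GET /vpn/portal/scripts/x.pl?CMD=id" 200',
    '2020-01-13T10:03:00Z appliance1 httpd "GET /vpn/logout.html" 200',
]

# $name = "value" modifiers...  (text strings only; hex and regex strings differ)
TEXT_STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$')


def extract_text_strings(rule_text: str) -> List[Tuple[str, str, bool]]:
    """Return (name, decoded value, nocase) for every text string in strings:.

    Hex strings ({ .. }) and regex strings (/../) are skipped on purpose:
    matching them faithfully needs a real YARA engine, not a substring search.
    """
    found: List[Tuple[str, str, bool]] = []
    in_strings = False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("strings:"):
            in_strings = True
            continue
        if stripped.startswith("condition:"):
            in_strings = False
            continue
        if not in_strings:
            continue
        m = TEXT_STRING_RE.match(line)
        if not m:
            continue  # hex/regex string, comment or blank line
        name, raw, modifiers = m.groups()
        # YARA text strings use C-style escapes (\" \\ \n \t \xNN); the
        # unicode_escape codec decodes exactly those for ASCII input.
        value = raw.encode("ascii").decode("unicode_escape")
        found.append((name, value, "nocase" in modifiers.split()))
    return found


def sweep_logs(strings: List[Tuple[str, str, bool]],
               log_lines: List[str]) -> Dict[str, List[int]]:
    """Map each string name to the 1-based log line numbers that contain it."""
    hits: Dict[str, List[int]] = {}
    for name, value, nocase in strings:
        needle = value.lower() if nocase else value
        for lineno, line in enumerate(log_lines, start=1):
            haystack = line.lower() if nocase else line
            if needle in haystack:
                hits.setdefault(name, []).append(lineno)
    return hits


if __name__ == "__main__":
    rule_strings = extract_text_strings(SAMPLE_RULE)
    for name, hit_lines in sweep_logs(rule_strings, SAMPLE_LOGS).items():
        print(f"${name} matched log line(s) {hit_lines}")
```

On a real SIEM export, replace SAMPLE_LOGS with the lines returned by your search; the substring sweep is a triage aid for the text indicators only, so the hex and regex strings still need to be run through YARA itself against the appliance's filesystem.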
In addition, because these appliances by default have access to a large number of organizational systems, lateral movement becomes far less of a challenge. Adversaries may pivot directly from the compromised appliance into other hosts or, because traffic to those hosts must traverse the appliance, modify network traffic to perform additional malicious actions, such as injecting or delivering malicious code, executing man-in-the-middle attacks, or redirecting users to adversary-owned login pages to harvest credentials. Lastly, due to the nature of appliances, detecting these attacks may be significantly more challenging: they are generally black-box solutions that are rarely interacted with or inspected for anomalous activity unless an issue arises.
This type of backdoor could be used any time an attacker returned to the system, and would not be found without a thorough investigation. Though simple, the web shell's capabilities are limited only by the software installed on the Citrix ADC server, and it could be used to load additional toolkits for lateral movement to other systems. Response to any Citrix ADC compromise should include a review of all available logs for SMB scanning, which might indicate attempts to use EternalBlue exploits, and for any other traffic from the Citrix ADC device that would be outside the normal course of business.
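The log review called for above, written out as an added example rather than code from FireEye or Citrix: the Python script parses connection records, flags any source that reaches many distinct hosts on TCP/445 inside a short window (the shape of an SMB sweep), and then singles out alerts whose source is the ADC's own address. The record format, the appliance address 10.0.1.5, the 60-second window and the five-target threshold are all assumptions chosen for the example.

```python
"""Added example (not from FireEye or Citrix): flag SMB scanning from a Citrix
ADC address in connection logs, one of the post-compromise checks called for."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed: the ADC appliance's internal address in this example.
ADC_ADDRESSES = {"10.0.1.5"}

# Constructed firewall/NetFlow-style connection records; this format is the
# example's own, not a real product's log schema.
SAMPLE_LOGS = [
    "2020-01-14T03:12:01Z src=10.0.1.5 dst=10.0.2.10 proto=tcp dport=445 action=allow",
    "2020-01-14T03:12:03Z src=10.0.1.5 dst=10.0.2.11 proto=tcp dport=445 action=allow",
    "2020-01-14T03:12:05Z src=10.0.1.9 dst=10.0.2.20 proto=tcp dport=445 action=allow",
    "2020-01-14T03:12:06Z src=10.0.1.5 dst=10.0.2.12 proto=tcp dport=445 action=deny",
    "2020-01-14T03:12:08Z src=10.0.1.5 dst=10.0.2.10 proto=tcp dport=445 action=allow",
    "2020-01-14T03:12:10Z src=10.0.1.5 dst=10.0.2.13 proto=tcp dport=445 action=allow",
    "2020-01-14T03:12:12Z src=10.0.1.5 dst=10.0.2.14 proto=tcp dport=445 action=deny",
    "2020-01-14T03:12:15Z src=10.0.1.5 dst=10.0.3.7 proto=tcp dport=443 action=allow",
    "2020-01-14T03:12:20Z src=10.0.1.5 dst=10.0.2.15 proto=tcp dport=445 action=allow",
    "2020-01-14T03:20:00Z src=10.0.1.9 dst=10.0.2.20 proto=tcp dport=445 action=allow",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+)"
)

Record = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dport)


def parse_line(line: str) -> Optional[Record]:
    """Parse one constructed-format record; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_smb_scanning(lines: List[str],
                        window: timedelta = timedelta(seconds=60),
                        min_targets: int = 5,
                        port: int = 445) -> Dict[str, int]:
    """Return {source: peak number of distinct destinations on `port` seen
    inside any `window`} for sources that reach at least `min_targets` hosts.

    Repeated connections to the same host (e.g. a real file-server client) do
    not inflate the count; only distinct destinations do.
    """
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue  # malformed line or not the port we care about
        ts, src, dst, _ = rec
        per_src[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t_end, _) in enumerate(events):
            # distinct destinations in the window that ends at this event
            targets = {dst for ts, dst in events[: i + 1] if ts >= t_end - window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def from_appliance(alerts: Dict[str, int]) -> Dict[str, int]:
    """Keep only alerts whose source is a known ADC address: the ones that
    most directly indicate the appliance itself is being used as a pivot."""
    return {src: n for src, n in alerts.items() if src in ADC_ADDRESSES}


if __name__ == "__main__":
    found = detect_smb_scanning(SAMPLE_LOGS)
    for src, n in found.items():
        tag = "ADC appliance" if src in ADC_ADDRESSES else "other host"
        print(f"{src} ({tag}) reached {n} distinct hosts on TCP/445 within 60s")
```

Against a real feed, point the parser at the firewall or NetFlow records that cover the ADC's address and tune the window and threshold to what normal SMB behaviour looks like in your environment; a load balancer has no business initiating TCP/445 connections at all, so for the appliance address even a low threshold is defensible.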