New Tool: Check if your Citrix Netscaler have been Compromised
As more and more information related to the Citrix Netscaler vulnerability (CVE-2019-19781) surface, Citrix has partnered with FireEye and released a scripted tool that administrators can use to help understand if their Netscalers might have been compromised.
The tool which is an Open Source script is hosted on GitHub. You can find the script at the link below.
https://github.com/citrix/ioc-scanner-CVE-2019-19781/
Due to the nature of Open Source and GitHub, expect enhancements, bug fixes and other contributions to come from the community as the script is used and further developed. The tool is run from a CLI on the Netscaler and searches for indicators of compromise and attacker activity. The tool is not perfect and is meant as a first effort tool when starting an audit on your Netscalers. It can’t determine if your system is vulnerable or if it is safe. It can only report on identified breadcrumbs left behind from a successful exploit. There is no way to determine if an attacker successfully cleaned up remnants of the exploit and left a different backdoor. The only way to guarantee that a system is/was not compromised is to reimage and redeploy.
You can read more about the manual methods of auditing your Netscalers here.
Continue to Stay Safe out there!
–Carlo