Handy FireEye tool roots out indicators of compromise
Citrix and FireEye have released a new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only patched on Monday.
The free application, shared under the Apache 2.0 open-source license, will scan devices for indications of compromise for the so-called “Shitrix” arbitrary code execution vulnerability in Citrix’s Application Delivery Controller and Gateway products. The tool can be run on any Citrix instance to check for signs of an intrusion.
Using samples collected from attacks in the wild, including the recently unearthed Notrobin malware, the scanner’s makers were able to piece together the indicators their app looks for.
“The tool combines Citrix’s technical knowledge of the Citrix ADC and Gateway products and CVE-2019-19781 with industry-leading FireEye Mandiant’s forensics expertise and current knowledge of recent CVE-2019-19781 related compromises,” Citrix said.
The tool, Citrix warned, will only detect specific indicators of compromise: tell-tale signs that a miscreant has exploited the bug to gain access to a machine. It is not a vulnerability scanner, and it is not guaranteed to spot attacks against other flaws.
“Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs [Indicators of Compromise] are identified,” FireEye warned.
“It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system.”
Still, the free scanner will at least allow admins to get a general idea of the state of their Citrix gear. ®