
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that a Chinese hacking group has already been caught exploiting the vulnerability.

Citrix sounded the alarm via a critical-severity bulletin documenting CVE-2022-27518, a pre-auth remote code execution bug affecting the Citrix ADC and Citrix Gateway network appliances.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the Florida-based company said.

In tandem with Citrix’s release of the emergency fix, the US government’s National Security Agency (NSA) connected the in-the-wild zero-day attacks to APT5, a Chinese hacking group notorious for targeting telecommunications and technology companies.

The APT5 hacking group, also known as Manganese or Keyhole Panda, has been active since at least 2007 and has been observed targeting organizations and individuals in Southeast Asia.

Now, the NSA wants U.S. organizations to pay close attention to this threat actor, noting that the targeting of Citrix ADCs can give attackers illegitimate access to targeted organizations by bypassing normal authentication controls.

The NSA published a threat hunting guidance document to expose some of the tools and tactics used by APT5 in the latest Citrix ADC exploitation and urged corporate defenders to move all Citrix ADC instances behind a VPN or implement multi-factor authentication mitigations.

In its bulletin, Citrix said the security defect allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. The company said the Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for the vulnerability to trigger.
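One way to triage whether an appliance meets that SAML precondition, as an added example that is not from the article or from Citrix: a small Python script that inspects a saved ns.conf backup for the commands that define a SAML SP action or a SAML IdP profile. The two command prefixes are assumed from Citrix ADC CLI syntax, and the sample configuration is constructed.

```python
from typing import Dict, List

# Constructed sample of a Citrix ADC ns.conf excerpt (not from the article).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlAction corp_sp_action -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication samlIdPProfile corp_idp_profile -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

# Command prefixes that indicate the appliance acts as a SAML Service Provider (SP)
# or SAML Identity Provider (IdP). Assumption: these are the ns.conf commands the
# Citrix ADC CLI uses for SAML configuration; the article itself does not list them.
SAML_ROLE_COMMANDS = {
    "add authentication samlAction": "SAML SP",
    "add authentication samlIdPProfile": "SAML IdP",
}


def find_saml_roles(ns_conf: str) -> Dict[str, List[str]]:
    """Return the SAML roles found in an ns.conf dump, keyed by role, with the object names."""
    roles: Dict[str, List[str]] = {}
    for raw in ns_conf.splitlines():
        line = raw.strip()
        for prefix, role in SAML_ROLE_COMMANDS.items():
            if line.startswith(prefix + " "):
                # The configured object's name is the first token after the command prefix.
                name = line[len(prefix):].split()[0]
                roles.setdefault(role, []).append(name)
    return roles


def in_scope_for_cve_2022_27518(ns_conf: str) -> bool:
    """True when the configuration meets the bulletin's precondition (SAML SP or SAML IdP)."""
    return bool(find_saml_roles(ns_conf))


if __name__ == "__main__":
    for role, names in find_saml_roles(SAMPLE_NS_CONF).items():
        print(f"{role}: {', '.join(names)}")
    print("In scope for CVE-2022-27518:", in_scope_for_cve_2022_27518(SAMPLE_NS_CONF))
```

A hit only tells you the precondition is met; patch status still has to be confirmed against the appliance's installed build.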

“Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the company said.

This is the second confirmed in-the-wild zero-day attack documented this week, coming on the heels of Fortinet’s emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product.

Fortinet described the bug as a critical memory corruption that allows a “remote unauthenticated attacker” to launch harmful code or execute commands on a target system. 

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” the company said, listing artifacts and connections to suspicious IP addresses that can help defenders hunt for infections.

So far this year, there have been at least 50 publicly documented in-the-wild zero-day attacks, according to data tracked by SecurityWeek.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
