NSA Outs Chinese Hackers Exploiting Citrix Zero-Day

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that a Chinese hacking group has already been caught exploiting the vulnerability.

Citrix sounded the alarm via a critical-severity bulletin documenting CVE-2022-27518, a pre-auth remote code execution bug affecting the Citrix ADC and Citrix Gateway network appliances.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the Florida-based company said.

In tandem with Citrix’s release of the emergency fix, the US government’s National Security Agency (NSA) connected the in-the-wild zero-day attacks to APT5, a Chinese hacking group notorious for targeting telecommunications and technology companies.

The APT5 hacking group, also known as Manganese or Keyhole Panda, has been active since at least 2007 and has been observed targeting organizations and individuals in Southeast Asia.

[ Read: Fortinet Ships Emergency Patch for Already-Exploited VPN Flaw ]

Now, the NSA wants U.S. organizations to play close attention to this threat actor, noting that the targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication control

The NSA published a threat hunting guidance document to expose some of the tools and tactics used by APT5 in the latest Citrix ADC exploitation and urged corporate defenders to move all Citrix ADC instances behind a VPN or implement multi-factor authentication mitigations.

In its bulletin, Citrix said the security defect allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. The company said the Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for the vulnerability to trigger.

“Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the company said.

[ Read: US Gov: VPN, Network Perimeter Product Flaws Under Constant Attack ]

This is the second confirmed in-the-wild zero-day attack documented this week, coming on the heels of Fortinet’s emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product.

Fortinet described the bug as a critical memory corruption that allows a “remote unauthenticated attacker” to launch harmful code or execute commands on a target system. 

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” the company said, listing artifacts and connections to suspicious IP addresses that can help defenders hunt for infections.

So far this year, there have been at least 50 publicly documented in-the-wild zero-day attacks, according to data tracked by SecurityWeek.

Related: US Gov: VPN, Network Perimeter Product Flaws Under Constant Attack

Related: Fortinet Ships Emergency Patch for Already-Exploited VPN Flaw

Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities

Related: FBI, CISO Issue Joint Warning for Attacks Targeting Fortinet FortiOS