NSA Outs Chinese Hackers Exploiting Citrix Zero-Day

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that a Chinese hacking group has already been caught exploiting the vulnerability.

Citrix sounded the alarm via a critical-severity bulletin documenting CVE-2022-27518, a pre-auth remote code execution bug affecting the Citrix ADC and Citrix Gateway network appliances.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the Florida-based company said.

In tandem with Citrix’s release of the emergency fix, the US government’s National Security Agency (NSA) connected the in-the-wild zero-day attacks to APT5, a Chinese hacking group notorious for targeting telecommunications and technology companies.

The APT5 hacking group, also known as Manganese or Keyhole Panda, has been active since at least 2007 and has been observed targeting organizations and individuals in Southeast Asia.

Now, the NSA wants U.S. organizations to pay close attention to this threat actor, noting that targeting Citrix ADCs can give an adversary illegitimate access to an organization by bypassing normal authentication controls.

The NSA published a threat hunting guidance document to expose some of the tools and tactics used by APT5 in the latest Citrix ADC exploitation and urged corporate defenders to move all Citrix ADC instances behind a VPN or implement multi-factor authentication mitigations.

In its bulletin, Citrix said the security defect allows an unauthenticated remote attacker to perform arbitrary code execution on the appliance. The company said the Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for the vulnerability to trigger.
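As an added example (not from the article, Citrix or the NSA), a small Python check a defender could run over an ns.conf export to see whether an appliance is in the SAML SP or SAML IdP configuration the bulletin names as the precondition; the two CLI command names it matches are assumed from the Citrix ADC command syntax, and the config excerpts are constructed.

```python
import re
from typing import Dict, List

# Citrix ADC/Gateway CLI commands whose presence in ns.conf indicates the
# appliance acts as a SAML SP (samlAction) or a SAML IdP (samlIdPProfile).
# Assumption: these command names come from the Citrix CLI, not from the article.
SAML_MARKERS = {
    "saml_sp": re.compile(r"^add authentication samlAction\s+(\S+)", re.I),
    "saml_idp": re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.I),
}


def saml_roles(ns_conf: str) -> Dict[str, List[str]]:
    """Return the SAML SP actions and SAML IdP profiles found in an ns.conf dump."""
    found: Dict[str, List[str]] = {role: [] for role in SAML_MARKERS}
    for raw in ns_conf.splitlines():
        line = raw.strip()
        for role, pattern in SAML_MARKERS.items():
            match = pattern.match(line)
            if match:
                found[role].append(match.group(1))
    return found


def in_saml_configuration(ns_conf: str) -> bool:
    """True when the appliance meets the bulletin's precondition (SAML SP or IdP)."""
    return any(saml_roles(ns_conf).values())


# Constructed ns.conf excerpts for demonstration; not taken from a real appliance.
SAMPLE_SP = """\
add ns ip 10.0.0.5 255.255.255.0 -vServer DISABLED
add authentication samlAction okta_sp -samlIdPCertName okta_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication Policy saml_pol -rule true -action okta_sp
"""
SAMPLE_LDAP_ONLY = """\
add authentication ldapAction corp_ldap -serverIP 10.0.0.9 -ldapBase "dc=example,dc=test"
add authentication Policy ldap_pol -rule true -action corp_ldap
"""

if __name__ == "__main__":
    for name, conf in (("saml-sp", SAMPLE_SP), ("ldap-only", SAMPLE_LDAP_ONLY)):
        print(name, saml_roles(conf), "precondition met:", in_saml_configuration(conf))
```

An appliance that reports no SAML roles still needs the vendor update; the check only tells you which instances sit in the configuration the bulletin says is required to trigger the flaw, so they can be prioritized for patching or placed behind a VPN.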

“Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the company said.

This is the second confirmed in-the-wild zero-day attack documented this week, coming on the heels of Fortinet’s emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product.

Fortinet described the bug as a critical memory corruption that allows a “remote unauthenticated attacker” to launch harmful code or execute commands on a target system. 

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” the company said, listing artifacts and connections to suspicious IP addresses that can help defenders hunt for infections.

So far this year, there have been at least 50 publicly documented in-the-wild zero-day attacks, according to data tracked by SecurityWeek.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.