A Chinese threat group that has targeted defense and technology companies for several years has, in recent weeks, been exploiting a zero-day vulnerability in some Citrix ADC and Citrix Gateway appliances that allows unauthenticated remote code execution on vulnerable devices.
Citrix has released updated builds to address the vulnerability (CVE-2022-27518), which affects Citrix ADC and Citrix Gateway 13.0 builds before 13.0-58.32, as well as affected builds of the 12.1 branch. A device is only exposed to this bug if it is configured as a SAML service provider (SP) or identity provider (IdP). Citrix warned on Tuesday that the vulnerability is critical and urged customers to install the update immediately.
“Customers using an affected build with a SAML SP or IdP configuration are urged to install the current build immediately. We are aware of a small number of targeted attacks in the wild using this vulnerability,” Peter Lefkowitz, chief security and trust officer of Cloud Software Group, Citrix's parent, said in a blog post.
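Because exposure depends on two things an operator can read straight off the appliance, the running build and whether any SAML SP or IdP object is configured, a quick triage script is worth having. The following is an added example, not code from the article, Citrix or the NSA. It parses the text of an exported ns.conf (the `add authentication samlAction` and `add authentication samlIdPProfile` commands create SAML SP and IdP objects respectively) and the first line of `show ns version`. The 13.0 fixed build comes from the article; the 12.1-65.25 fixed build is taken from Citrix's advisory and is not stated on this page. The FIPS and NDcPP 12.1 builds have separate fixed versions and are reported as an unknown branch rather than guessed at. The sample configuration is constructed.

```python
"""Triage helper for CVE-2022-27518 exposure (added example, not vendor code)."""
import re

# Minimum patched build per mainline branch, compared as (build, minor) tuples.
# 13.0-58.32 is stated in the article; 12.1-65.25 is an assumption taken from
# Citrix's advisory, not from this page.
FIXED_BUILDS = {
    "13.0": (58, 32),
    "12.1": (65, 25),
}

# ns.conf commands that create a SAML SP (samlAction) or SAML IdP profile.
SAML_CMD = re.compile(
    r"^\s*add authentication (samlAction|samlIdPProfile)\b", re.MULTILINE
)

# First line of `show ns version`, e.g. "NetScaler NS13.0: Build 58.32.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def saml_configured(ns_conf: str) -> bool:
    """True if the config defines at least one SAML SP or IdP object."""
    return SAML_CMD.search(ns_conf) is not None


def parse_version(version_line: str):
    """Return (branch, (build, minor)) from a `show ns version` line."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_fixed(version_line: str):
    """True/False for the 13.0 and 12.1 mainline branches, None if unknown
    (FIPS, NDcPP, 13.1 and other branches are not modelled here)."""
    branch, build = parse_version(version_line)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build >= fixed


def assess(ns_conf: str, version_line: str) -> str:
    """Combine the two checks into one verdict string."""
    fixed = build_is_fixed(version_line)
    if fixed is None:
        return "unknown-branch"      # check the advisory for this build line
    if fixed:
        return "patched"
    if saml_configured(ns_conf):
        return "vulnerable"          # unpatched AND SAML SP/IdP present
    return "unpatched-no-saml"       # not exposed to this CVE, still update


# Constructed sample config: one SAML SP action bound to an auth vserver.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_example -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example/sso" -samlUserField NameID
add authentication vserver auth_vs SSL 10.0.0.11 443
"""

if __name__ == "__main__":
    for line in (
        "NetScaler NS13.0: Build 58.30.nc, Date: Nov 1 2022",
        "NetScaler NS13.0: Build 58.32.nc, Date: Dec 13 2022",
        "NetScaler NS12.1: Build 65.21.nc, Date: Oct 3 2022",
    ):
        print(line.split(",")[0], "->", assess(SAMPLE_NS_CONF, line))
```

The config text can be obtained with `show ns runningConfig` or from a saved ns.conf; the script reads the text only, so it can run on an analyst workstation rather than on the appliance.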
In tandem with the Citrix advisory, the National Security Agency released threat-hunting and detection guidance for the activity, which it attributes to APT5. APT5 is a Chinese threat group that has been active for many years and is known to target high-value organizations in a number of industries, including technology, communications, and defense. The group, which is also known as UNC2630, was discovered last year exploiting a vulnerability in Pulse Connect Secure VPN appliances to gain access to government agencies in Europe and the United States. Those intrusions had been under way for months before they were discovered.
In the most recent campaign, APT5 has targeted a small number of organizations with an exploit for the new Citrix bug. Neither Citrix nor the NSA indicated what industries the targeted organizations are in or how many have been compromised.
“Limited exploits of this vulnerability have been reported. We strongly urge customers on the affected builds of Citrix ADC and Citrix Gateway to install the updated builds as soon as possible,” Lefkowitz said.
There are no workarounds for this vulnerability, so installing the update is the main defense at the moment. NSA’s advisory said that APT5 has been modifying legitimate binaries after exploitation in order to maintain persistence.
“APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments. Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” the NSA bulletin says.
“In addition to any alterations of legitimate binaries, some of APT5’s activities may be visible in various system logs. NSA recommends that organizations leverage off-device logging mechanisms for all system logs, to include dmesg and ns.log, and actively monitor them.”
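The NSA's point about altered legitimate binaries is only actionable if there is a known-good baseline to compare against. The block below is an added example, not code from the NSA, Citrix or the article: it records the SHA-256, size and permission bits of a set of files from a clean appliance, and later reports files that are modified, missing, or have had their mode changed. The file names and the temporary directory it operates on are constructed for the demo; in practice the paths would be the appliance's own binaries and the baseline would be stored off-device, alongside the dmesg and ns.log copies the advisory recommends shipping off the box.

```python
"""Baseline-and-compare file integrity check (added example, not vendor code)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record hash, size and permission bits for each path on a known-clean system."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline as JSON; keep this copy off the appliance."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict) -> dict:
    """Return {path: 'missing' | 'modified' | 'mode-changed'} for anything that
    no longer matches the baseline; unchanged files produce no entry."""
    findings = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        if sha256_file(p) != rec["sha256"]:
            findings[p] = "modified"
        elif oct(os.stat(p).st_mode & 0o7777) != rec["mode"]:
            findings[p] = "mode-changed"
    return findings


def demo() -> dict:
    """Constructed scenario: four fake binaries, three tampered with after baselining.
    Returns findings keyed by file name."""
    d = tempfile.mkdtemp()
    names = ("binary_a", "binary_b", "binary_c", "binary_d")
    paths = {n: os.path.join(d, n) for n in names}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + os.urandom(64))   # constructed placeholder content
        os.chmod(p, 0o755)

    baseline = build_baseline(paths.values())
    baseline_file = os.path.join(d, "baseline.json")
    save_baseline(baseline, baseline_file)

    # Simulate post-exploitation tampering.
    with open(paths["binary_a"], "ab") as f:
        f.write(b"appended-payload")              # content changed
    os.remove(paths["binary_b"])                  # binary replaced/removed
    os.chmod(paths["binary_c"], 0o700)            # permissions changed, content same
    # binary_d is left untouched and must not appear in the findings.

    findings = compare(load_baseline(baseline_file))
    return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```

Hash comparison is decisive for content changes; the mode check catches the case where a file's content is intact but its permission bits were altered, which the hash alone would miss. Timestamps are deliberately not used, because they are trivial for an intruder to reset.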