NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

Updated on 2022-12-19: Chinese hackers actively attacking flaw in Citrix gear

The NSA said in an advisory this week that APT5, a China-based espionage group, is exploiting a new Citrix zero-day in the wild. The advisory was designed to burn China’s ongoing activity by calling it out — and Citrix releasing patches. Citrix was generally praised for its response (even if the feds knocking on your door is an unwelcome surprise). Fortinet also patched a pre-auth RCE bug, and enterprise backup giant Veeam also confirmed it had two security flaws fixed earlier this year. Read more:

• NSA says Chinese hackers are actively attacking flaw in widely used networking device
• Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks
• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks
• U.S. agency warns that hackers are going after Citrix networking gear
• NSA says Chinese hackers are exploiting a zero-day bug in popular networking gear
• APT5: Citrix ADC Threat Hunting Guidance

Overview: NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

According to an advisory from the US National Security Agency (NSA), the APT5 hacking group is exploiting an authentication control bypass vulnerability in Citrix Application Delivery Controller and gateway products. The NSA’s advisory provides “guidance to provide steps organizations can take to look for possible artifacts of this type of activity.” Citrix has released an update to fix the vulnerability.

Note

• This impacts the 12.1 and 13.0 versions (including FIPS and NDcPP builds) where you’ve configured an IDP or SAML authentication – which most of us are using for centralized authentication. While you can apply updates to these versions, the better fix is to go to 13.1 which is not affected. Even if you don’t have the SAML/IDP configuration today, apply the update so you’re ready when and if you do. While you’re at it, review the instructions for setting up auditing of unauthorized activity, make sure you didn’t miss any tricks.
• From an actual risk perspective, wouldn’t it be more worrisome if the headlines said, “Grade School Kids Exploiting Citrix Vulnerability”? What I’d really like to see is a headline like “Grade School Kids Already Patched Their School’s Citrix Server.”
• You can be certain that if Chinese APT groups are exploiting these vulnerabilities, criminal gangs and ransomware groups won’t be far behind. So please don’t think that “we are not a target for an APT group” is a reason not to address this vulnerability.

Read more in

• Critical security update now available for Citrix ADC, Citrix Gateway
• Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518
• APT5: Citrix ADC Threat Hunting Guidance (PDF)
• Chinese hackers exploiting bug in Citrix ADC, Gateway products, NSA warns
• Citrix patches critical ADC flaw the NSA says is already under attack from China
• NSA says Chinese hackers are actively attacking flaw in widely used networking device