The U.S. National Security Agency has warned that hackers backed by the Chinese government are exploiting a zero-day vulnerability in two widely used Citrix networking products to break into targeted networks.
The vulnerability, tracked as CVE-2022-27518, affects Citrix Gateway, a widely used remote access tool, and Citrix ADC, an application delivery controller deployed in enterprise networks. The critical flaw allows an unauthenticated attacker, with no password required, to remotely execute malicious code on vulnerable devices. Citrix also says the vulnerability is being actively exploited by threat actors.
According to Peter Lefkowitz, chief security and trust officer at Citrix, “we are aware of a tiny number of targeted assaults in the field leveraging this vulnerability.” There have only been a few reports of this vulnerability being exploited. Citrix has not stated which sectors the targeted businesses are in or how many have been infiltrated. Inquiries from TechCrunch were not immediately answered by a Citrix representative.
Citrix released an emergency patch for the vulnerability on Monday and has urged customers running affected releases of Citrix ADC and Citrix Gateway to install it as soon as possible.
Citrix did not share any further details about the in-the-wild attacks. In a separate advisory, the NSA said that APT5, a well-known Chinese hacking group, has been actively targeting Citrix ADCs to gain access to organizations without first having to steal credentials. The agency also called on the public and private sectors to share intelligence and provided security teams with threat-hunting guidance [PDF].
APT5, which has been active since at least 2007, primarily conducts cyber espionage and has a history of focusing on regional telecommunications companies and IT firms, particularly those developing military applications. Cybersecurity company FireEye has previously described APT5 as “a huge threat group that includes multiple subgroups, often with separate techniques and infrastructure.”
Last year, APT5 broke into U.S. networks used for defense research and development by exploiting a zero-day vulnerability in Pulse Secure VPN, another networking product frequently targeted by hackers.