The US National Security Agency (NSA) is warning that a hacking collective backed by the Chinese state is exploiting a zero-day security flaw in two common Citrix products to gain access to networks.
The critical vulnerability, CVE-2022-27518 (opens in new tab), affects the application delivery controller Citrix ADC and remote access tool Citrix Gateway, with both popular in business tech stacks.
In an official blog post (opens in new tab), Peter Lefkowitz, chief security and trust officer at Citrix claimed that “limited exploits of this vulnerability have been reported,” but did not elaborate on the number of attacks or the industries involved.
Citrix emergency patch
Despite its opaque PR response, Citrix released a patch on December 12, 2022 that it claims resolves the issue, and is urging all affected customers to update their applications immediately.
The NSA, meanwhile, has released its own guidance (opens in new tab) in the form of a PDF report detailing the activities of APT5.
Sometimes referred to as Manganese, this group of threat actors has apparently explicitly targeted networks running these Citrix applications to break through organizational security without first having to steal credentials via social engineering and phishing attacks.
APT5, according to Malpedia (opens in new tab) and TechCrunch, has been active since “at least 2007”, and is known to run cyberespionage attacks against countries the Chinese government perceives as threats, usually against tech companies developing military technology, and telecommunications infrastructure.
TechRadar Pro reported in 2019 that the hacking group compromised a number of VPNs available worldwide, including Fortinet, Pulse Secure, and Palo Alto VPN. Pulse Secure, especially, is common in the networks of Fortune 500 companies.
- Interested in staying safe online? Check out our guide to the best firewalls
Via TechCrunch (opens in new tab)
