Chinese state-backed hacking group APT5 is exploiting a zero-day vulnerability in a couple of Citrix products. It could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
Exploitation of Citrix zero-day
The NSA released an advisory warning about the wild exploitation of the vulnerability (CVE-2022-27518) affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. It has attributed the activity to the APT5 group.
- Citrix confirmed the exploitation of this vulnerability on unmitigated appliances in the wild and released an emergency patch to fix the vulnerability.
- The NSA advisory effectively busted an apparent Chinese intelligence operation by exposing its TTPs. Additionally, it is advising potential victims on how to prevent further attacks.
- Experts found that less than one percent of cloud enterprise environments are vulnerable to this vulnerability.
An overview of APT5
APT5, also known as UNC2630 and Manganese, is known to target telecommunications and technology companies. It has previously exploited vulnerabilities in Fortinet and Pulse Secure VPN servers. Historically, it has launched campaigns across Southeast Asia, Europe, and the U.S.
Exploitation of Fortinet bug
Another Chinese threat group was observed abusing another remote code execution vulnerability, around the same time as APT5’s attack.
- Fortinet found CVE-2022-42475, a heap-based buffer overflow vulnerability, in FortiOS SSL-VPN that allows remote code execution for one of its VPN products.
- It disclosed the exploitation of this vulnerability in the wild, however, it did not attribute the attack and urged its customers to patch affected systems immediately.
Wrapping up
Chinese hackers have a history of abusing zero-days, which they try to leverage to carry out attacks under the radar but, once they are exposed, they modify tactics and continue to evolve. With recent patches by Citrix and Fortinet, users are advised to patch these zero-day bugs as soon as possible to mitigate risks against active exploitation.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/8b71_shutterstock_1628208907.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/fa06_shutterstock_1682977915.jpg)
