Date: 2023-01-03

NSA and Citrix announced that two critical vulnerabilities patched in November and December are under attack.

NCC Group’s Fox-IT research team found thousands of Citrix servers that are vulnerable to at least one of the vulnerabilities.

NSA stated that state-sponsored Chinese hacker groups are targeting unpatched servers to exploit the flaws.

Citrix and cybersecurity experts are warning users against attacks targeting Citrix ADC and Citrix Gateway vulnerabilities. The two critical severity vulnerabilities, tracked as CVE-2022-27510 and CVE-2022-27518, have CVSS scores of 9.8. The vulnerabilities were addressed by the provider on November 8 and December 13, but hackers are still exploiting thousands of unpatched devices.

Exploited in the wild

In early December, Citrix and the U.S. National Security Agency announced that the vulnerability is being exploited in the wild. NSA pinpointed a Chinese state-sponsored hacker group, APT5, also known as UNC2630 and MANGANESE. To protect themselves from those attacks, NSA advised organizations to check key executables in their environment for any deviations, use off-device logging mechanisms for all system logs, and use YARA signatures to detect malware.

NSA recommends the following steps to mitigate the activity, to the extent applicable in your environment:

Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC.

Isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained.

Restore the Citrix ADC to a known good state.

NCC Group’s Fox-IT research team also published its analysis of the issue and stated that there are thousands of internet-facing unpatched Citrix servers. According to the results, the majority are on version 13.0-88.14, which is not vulnerable to either of the two CVEs. The second most popular version is 12.1-65.21, which is not vulnerable to CVE-2022-27510 but is vulnerable to CVE-2022-27518. Many servers also do not return a version hash at all, so the exact version of those servers cannot be identified. The team managed to find more than 3,500 Citrix ADC and Gateway servers that are vulnerable to CVE-2022-27518. There are also over 500 servers that are vulnerable to both of these flaws.