Chinese Hackers Exploit Citrix Vulnerabilities
Health Sector Entities Urged to Patch Citrix ADC, Gateway Flaws
Two Citrix products, a networking appliance used to assure the availability of clinical applications and a remote-access VPN gateway, contain a flaw that is under active exploitation by Chinese state-sponsored hackers.
U.S. federal authorities and Citrix are both urging users to patch the flaw, tracked as CVE-2022-27518.
"These vulnerabilities are known to be actively exploited by a Chinese state-sponsored advanced persistent threat," says the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert issued Friday.
Citrix released patches for the vulnerability, which allows a remote attacker to "completely" compromise a target system. The products, Citrix Application Delivery Controller and Gateway, are used in the healthcare sector for balancing network demands on applications such as electronic health records and for remote access. Two private equity firms in September closed a $16.5 billion deal to buy Citrix and take it private.
The department identifies the threat actor as APT5, a group Mandiant says has been active since at least 2007 and is known to target high-tech manufacturing and military application technology in the United States, Europe and Asia. The group is also known as UNC2630 and Manganese.
HHS says it is aware of U.S. healthcare organizations that have been compromised via the Citrix vulnerability but doesn't share the specifics of any incident. Citrix says it is aware of "in the wild" exploits.
The company "strongly" urges customers to upgrade all vulnerable instances of their Citrix platforms. Detection signatures in YARA format are also available for any organization able to run them.
The Health Information Sharing and Analysis Center has also issued multiple bulletins about the Citrix vulnerability and encourages members to apply the updates as soon as possible, says Errol Weiss, H-ISAC chief security officer.
"Citrix ADC and Citrix Gateway are popular technologies used by many healthcare sector organizations," he says. "Left unpatched, an adversary could gain access to corporate networks, leaving them vulnerable to devastating cyberattacks like ransomware and intellectual property theft."
Health-ISAC also shared with its members unclassified guidance from the National Security Agency on how to detect the presence of hackers exploiting the vulnerability in Citrix ADC boxes.
The unauthenticated remote arbitrary code execution vulnerability affects certain versions of Citrix ADC and Citrix Gateway, including:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32;
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25;
- Citrix ADC 12.1-FIPS before 12.1-55.291;
- Citrix ADC 12.1-NDcPP before 12.1-55.291.
The issue affects those instances of the two platforms that are configured as a Security Assertion Markup Language (SAML) service provider (SP) or identity provider (IdP).
Citrix in an advisory says customers can determine whether their Citrix ADC or Citrix Gateway is configured as a SAML SP or a SAML IdP by inspecting the ns.conf file.
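As an added example (not part of the article, and not Citrix's or the NSA's tooling), the POSIX shell snippet below performs the two checks the advisory combines: whether the running build is below the fixed build for its release line, and whether ns.conf declares a SAML SP or IdP. The ns.conf commands it greps for, `add authentication samlAction` (SP) and `add authentication samlIdPProfile` (IdP), are the ones Citrix's advisory names; the sample ns.conf fragment, the version strings and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2022-27518 on Citrix ADC / Citrix Gateway.
# Not from the article, Citrix or NSA. Assumptions: the release line is one of
# 13.0, 12.1, 12.1-FIPS, 12.1-NDcPP and the build is given as "MAJOR.MINOR"
# (e.g. "58.30"), i.e. the numbers after the dash in a version such as 13.0-58.30.

# Fixed builds per the advisory, keyed by release line. Anything not listed
# (e.g. 13.1) is not in the affected list, so an empty string means "not affected".
fixed_build_for() {
  case "$1" in
    13.0)       echo "58.32" ;;
    12.1)       echo "65.25" ;;
    12.1-FIPS)  echo "55.291" ;;
    12.1-NDcPP) echo "55.291" ;;
    *)          echo "" ;;
  esac
}

# build_lt A B: succeeds when build A is numerically below build B.
# Compared part by part so that 58.3 < 58.32 and 55.290 < 55.291 hold.
build_lt() {
  a_major=${1%%.*}; a_minor=${1#*.}
  b_major=${2%%.*}; b_minor=${2#*.}
  [ "$a_major" -lt "$b_major" ] && return 0
  [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
  return 1
}

# is_vulnerable_build LINE BUILD: succeeds when BUILD predates the fix for LINE.
is_vulnerable_build() {
  fixed=$(fixed_build_for "$1")
  [ -n "$fixed" ] || return 1
  build_lt "$2" "$fixed"
}

# saml_role NSCONF: prints "sp", "idp", "sp idp" or "none" depending on which
# SAML authentication objects the configuration declares.
saml_role() {
  role=""
  grep -q '^add authentication samlAction ' "$1" && role="sp"
  grep -q '^add authentication samlIdPProfile ' "$1" && role="${role:+$role }idp"
  echo "${role:-none}"
}

# triage LINE BUILD NSCONF: "patch-urgently" when the build is vulnerable and a
# SAML role is configured (the exploitable condition), "patch" when the build is
# vulnerable but no SAML role is configured today, "not-affected" otherwise.
triage() {
  role=$(saml_role "$3")
  if is_vulnerable_build "$1" "$2"; then
    if [ "$role" != "none" ]; then
      echo "patch-urgently"
    else
      echo "patch"
    fi
  else
    echo "not-affected"
  fi
}

# Constructed sample ns.conf fragment (an SP configuration, not a real customer file).
SAMPLE_NSCONF=$(mktemp)
cat > "$SAMPLE_NSCONF" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_corp_idp -samlIdPCertName corp_idp_cert -samlRedirectUrl "https://idp.example.com/sso" -samlUserField "NameID"
add authentication Policy saml_pol -rule true -action saml_corp_idp
EOF

# Example run on the constructed config: 13.0 build 58.30 with an SP configured.
echo "role=$(saml_role "$SAMPLE_NSCONF") verdict=$(triage 13.0 58.30 "$SAMPLE_NSCONF")"
```

On an appliance the saved configuration is /nsconfig/ns.conf and `show ns version` reports the build. The "patch" verdict for a vulnerable build with no SAML role is deliberate: the configuration may change, and the fix is to upgrade either way.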
The NSA says that if an organization detects a compromise, it should:
- Move all Citrix ADC instances behind a VPN or another control that requires valid user authentication, ideally multifactor authentication.
- Isolate the Citrix ADC appliances from the environment to contain any malicious activity.
- Restore the Citrix ADC to a known-good state.