NSA warns on Citrix ADC and Gateway Zero-day vulnerability

The National Security Agency (NSA) warns that cyber threat actor group APT5 has been actively exploiting a zero-day vulnerability in Citrix Application Delivery Controller (ADC) and Gateway to hijack systems.

The vulnerabilities “can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” per the report. The NSA and its partners have attributed this attack to APT5, also known as “UNC2630” and “MANGANESE”, a hacking group believed to be loyal to the People’s Republic of China.

“APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments,” the report says.

To assist with detection and remediation, the NSA has provided YARA signatures.

If organizations see results from these detection mechanisms, the NSA recommends the following mitigation steps:

  • Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC.
  • Isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained.
  • Restore the Citrix ADC to a known good state.

Citrix has now released a critical security update for Citrix ADC and Citrix Gateway, which is available on their website.
