NSA warns of Chinese hacker group APT5 targeting Citrix ADC vulnerabilities

The National Security Agency (NSA) on Tuesday issued threat hunting guidance that gives organizations steps for finding possible artifacts of the Chinese hacker group APT5, which is attacking vulnerabilities in the Citrix Application Delivery Controller (ADC). Targeting Citrix ADC deployments can give an attacker illegitimate access to a breached organization by bypassing normal authentication controls.

Also known as UNC2630 and MANGANESE, APT5 has been attributed to a Chinese threat group that has targeted defense and technology companies for several years. The group has been exploiting a zero-day vulnerability in some Citrix ADC and Gateway devices in recent weeks that allows pre-authenticated remote code execution on vulnerable devices.

The NSA recommended that organizations hosting Citrix ADC environments treat these detection mechanisms, as part of their investigation, as independent ways of identifying potentially malicious activity on affected systems. It noted that artifacts may vary with the environment and the stage of the activity, and so recommends investigating any positive result even when the other detections return no findings.

Citrix has meanwhile released builds that fix CVE-2022-27518, which affects Citrix ADC and Citrix Gateway 12.1 (including the FIPS and NDcPP variants) and 13.0 before 13.0-58.32; an appliance is affected only if it is configured as a SAML (Security Assertion Markup Language) SP or IdP.

“As part of our internal reviews and in working with our security partners, we have identified vulnerabilities in Citrix ADC and Citrix Gateway 12.1 and 13.0 before 13.0-58.32 builds,” Peter Lefkowitz, Citrix’s cloud software group’s chief security and trust officer, wrote in a company blog post. “Customers who are using an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately as this vulnerability has been identified as critical (CTX474995). No workarounds are available for this vulnerability.”

Lefkowitz added that customers using the affected builds should either update to the current 12.1 build (including FIPS and NDcPP variants) or to the current 13.0 build (13.0-88.16). Customers using an affected build with a SAML SP or IdP configuration are urged to install the current build immediately. As an alternative, customers may upgrade to the 13.1 version, which is not affected.

Mandiant described APT5 as being active since at least 2007 targeting regional telecommunication providers, Asian-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology in the U.S., Europe, and Asia. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. As early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform. 

“In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities,” Mandiant said. “During this intrusion, the actors downloaded and modified some of the router images related to the company’s network routers. Also during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs),” it added.

The NSA guidance said that a malicious actor enabling continued access will likely require modification to legitimate binaries. “Therefore, NSA recommends organizations regularly check key executables in their environments for any deviations from the known good copies associated with their running version. Key executables are those binaries essential for the proper execution of the Citrix ADC appliance. These files include, but may not be limited to: nsppe, nsaaad, nsconf, nsreadfile, and nsconmsg,” it added.

The MD5 hashes of these binaries should be compared to known-good hashes supplied by the vendor, or to hashes of the same binaries taken from a known-good copy downloaded from the vendor. Any deviation requires further investigation, the guidance says.
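The binary integrity check described above, as an added example that is not code from the NSA guidance or from Citrix: it hashes the key executables the guidance names, records them in a manifest taken from a known-good copy, and reports any missing or deviating binary on a system under investigation. The fixture at the end uses constructed stand-in files so the script runs offline; the manifest path and binary directory are assumptions.

```shell
# Added example, not code from the NSA guidance or from Citrix: verify the
# Citrix ADC key executables against a known-good MD5 manifest
# (one line per binary: "<md5>  <name>"). Known-good hashes must come from
# the vendor or a clean vendor download; the fixture below is constructed.
KEY_BINARIES="nsppe nsaaad nsconf nsreadfile nsconmsg"   # named in the guidance

# MD5 of a file, portable across Linux (md5sum) and FreeBSD (md5 -q).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}
# Record the hash of every key binary under $1 into manifest $2.
# Run only against a known-good copy, never against a suspect appliance.
build_manifest() {
    bindir="$1"; manifest="$2"; : > "$manifest"
    for name in $KEY_BINARIES; do
        [ -f "$bindir/$name" ] || continue
        printf '%s  %s\n' "$(md5_of "$bindir/$name")" "$name" >> "$manifest"
    done
}
# Compare binaries under $2 with manifest $1. Prints one line per binary;
# returns 1 if any binary is missing or its hash deviates, else 0.
verify_binaries() {
    manifest="$1"; bindir="$2"; rc=0
    while read -r expected name; do
        [ -z "$name" ] && continue
        if [ ! -f "$bindir/$name" ]; then
            echo "MISSING    $name"; rc=1; continue
        fi
        actual=$(md5_of "$bindir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK         $name"
        else
            echo "DEVIATION  $name expected=$expected actual=$actual"; rc=1
        fi
    done < "$manifest"
    return $rc
}
# Constructed fixture: a fake known-good bin directory plus its manifest;
# prints the directory so a caller can tamper with it and re-run the check.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/bin"
    for name in $KEY_BINARIES; do printf 'stand-in for %s\n' "$name" > "$d/bin/$name"; done
    build_manifest "$d/bin" "$d/known_good.md5"
    echo "$d"
}
```

On a real appliance the manifest would be built once from a clean vendor download and stored offline, and the verify step run against the live binary directory on a schedule.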

NSA also recommends that organizations take scheduled tech support bundles and/or snapshots of their running environment and store them in an offline or otherwise immutable location to create a forensic history of systems. These backups can be used to compare running instances or to reconstruct events if suspicious activity is identified. 

Apart from alterations to legitimate binaries, some of APT5's activity may be visible in system logs. NSA recommends that organizations use off-device logging for all system logs, including 'dmesg' and 'ns.log', and actively monitor them.

The NSA recommends monitoring for instances of 'pb_policy' appearing in logs without a link to expected administrator activity, for gaps in logs, and for mismatches between logs on the device and in the remote logging solution. It also suggests watching for legitimate user account activity that has no corresponding record of a valid SAML token being issued by the environment's identity provider, for unauthorized modification of user permissions, and for unauthorized modifications to the 'crontab' file or the presence of suspicious files in '/var/cron/tabs/' and other locations.

If an organization detects the malware, NSA recommends moving all Citrix ADC instances behind a VPN or another capability that requires valid user authentication (ideally multi-factor) before the ADC can be reached. It also suggests isolating the Citrix ADC appliances from the environment so that any malicious activity is contained, and restoring the Citrix ADC to a known-good state.

“Even if you do not have any indications of malicious activity, ensure that your Citrix ADC appliances are running a current version with the latest updates,” the NSA guidance added.

In October, U.S. cybersecurity agencies rolled out a joint Cybersecurity Advisory (CSA) that provides details of the top Common Vulnerabilities and Exposures (CVEs) used by the People’s Republic of China (PRC) state-sponsored cyber hackers since 2020. The advisory largely builds on the fact that these cyber attackers continue exploiting known vulnerabilities to actively target U.S. and allied networks, including software and hardware companies, illegally obtaining intellectual property and developing access to sensitive networks.
