Customer Advisory: Citrix ADC and Citrix Gateway Critical Vulnerability (CVE-2022-27518) Actively Exploited

Summary

Citrix has acknowledged [2] that cybercriminals have exploited a critical vulnerability (CVE-2022-27518 with a CVSSv3 9.8) in a few targeted attacks affecting Citrix ADC and Citrix Gateway devices. The National Security Agency (NSA) released a Cybersecurity Advisory [4] warning of APT5’s ability to target and exploit Citrix ADC deployments. Assuming that APT5 is behind at least some of the attacks, it is likely that they will continue exploiting this vulnerability, sharing the exploit with other Chinese state-sponsored cybercriminals. The Adversary Tactics and Intelligence Team assesses that it is highly likely that other cybercriminals have or will obtain the capability to exploit this vulnerability, scan for vulnerable devices, and attempt to exploit them.

Citrix stated in the security bulletin [1], the vulnerability, if exploited, could allow a remote, unauthenticated cybercriminal to perform arbitrary code execution, resulting in the stealing of sensitive data, operational disruption, deployment of ransomware or other malware, and lateral movement to other sensitive systems. Citrix Gateway and ADC versions affected are 13.0 before 13.0-58.32, 12.1 before 12.1-65.25, 12.1-FIPS before 12.1-55.291, and 12.1-NDcPP before 12.1-55.291.

Organizations should use the NSAs detection methodology found in their Cybersecurity Advisory [4] and follow their recommendations if they have results. If organizations do not have results, they should upgrade to one of the latest Citrix Gateway and ADC versions, found in their security bulletin [1], to protect their systems from this vulnerability.

What Happened?

On 13 December, Citrix released a security bulletin for a vulnerability in Citrix Gateway and Citrix ADC devices, acknowledging in a blog post that they are “aware of a small number of targeted attacks in the wild.” On the same day, the National Security Agency (NSA) released a Cybersecurity Advisory (CSA), “APT5: Citrix ADC Threat Hunting Guidance,” due to APT5 demonstrating capabilities to target and exploit Citrix ADC deployments.

APT5 Background

According to Mandiant, APT5 has been active since 2007, targeting or compromising organizations across multiple industries, focusing on the information sector, especially information about satellite communications. 

According to Mandiant, APT 5 has conducted the following intrusions and activities:

• Made unauthorized code modifications to files in the embedded operating system of another technology platform. 
• Compromised a U.S. telecommunications organization providing services and technologies for private and government entities.
• During this intrusion, the actors downloaded and modified some router images related to the company’s network routers. 
• Exfiltrated files related to military technology from a South Asian defense organization, exfiltrated file names suggest they were interested in product specifications, emails concerning technical products, procurement bids, proposals, and documents on unmanned aerial vehicles (UAVs).

The vulnerability, if exploited, could allow a remote unauthenticated threat actor to perform arbitrary code execution on the appliance, resulting in the stealing of sensitive data, operational disruption, deployment of ransomware or other malware, and lateral movement to other sensitive systems. This vulnerability, tracked as CVE-2022-27518, has a CVSSv3 score of 9.8. 

The following versions of Citrix Gateway and ADC are affected:

• Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 
• Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 
• Citrix ADC 12.1-FIPS before 12.1-55.291 
• Citrix ADC 12.1-NDcPP before 12.1-55.291

Impact

Citrix Gateway and ADC are typically internet-facing, offering cybercriminals easy access to organizational networks. Organizations using one of the affected versions of Citrix Gateway and ADC are at risk of cybercriminals exploiting this vulnerability. It is essential to take action immediately to protect your systems and data from attack.

Exploiting public-facing applications [T1190] is one of the most observed techniques used by cybercriminals to gain initial access to corporate networks. Cybercriminals have routinely deployed Cobalt Strike, ransomware and other malware, stolen sensitive data, motivated by the financial gain from extorting the victim.

Cybercriminals who gained access to a corporate network to conduct extortion have implanted webshells and other malware; created services and registry keys to maintain persistence; moved laterally within the environment, seeking access to additional computers and file shares to exfiltrate sensitive data, and may encrypt computers and files.

Cybercriminals are mainly motivated by financial gain (extorting the victim to recover the exfiltrated data or selling the data on criminal marketplaces). However, some cybercriminals may be motivated by nation-state interests, exfiltrating sensitive data to further the national interest.

Cybercriminals Exploited Citrix Gateway & Citrix ADC in the Past

In October, the NSA published a CSA detailing the top CVEs exploited since 2020 by the People’s Republic of China (PRC) state-sponsored cybercriminals as assessed by the NSA, CISA, and the FBI. Of those vulnerabilities listed, one affected Citrix ADC. In early July, the NCC Group observed exploitation against Citrix ADC and Gateway less than a week after the public disclosure of the vulnerabilities.

Conclusions and Recommendations

Assuming APT5 has exploited the Citrix ADC and Gateway vulnerability, it is likely that they will continue exploiting this vulnerability. Furthermore, Chinese state-sponsored cybercriminals routinely share information amongst themselves, and other cybercriminals affiliated with China will likely exploit CVE-2022-27518.

Be On the Lookout (BOLO)

The NSA’s CSA includes commands and YARA signatures to detect APT5 exploitation artifacts targeting Citrix ADC and Gateway, and mitigation guidance.

• The following command can be executed from a shell to compare the binaries essential for proper execution of the Citrix ADC appliance. These files include, but may not be limited to: nsppe, nsaaad, nsconf, nsreadfile, and nsconmsg.
  • cd /netscaler ; for i in “nsppe nsaaad nsconf nsreadfile nsconmsg”; do md5 ${i} ; done
• The following command can indicate tampering by one APT5 technique. This is indicated by one line of output, but no output otherwise:
  • procstat –v $(pgrep –o –i nsppe) | grep “0x10400000 “ | grep “rwx”
• APT5 has been observed leveraging tools that run ‘pb_policy’ twice, creating the following logs in ns.log:
  • <local0.info> [hostname] pb_policy: Changing pitboss policy from X to Y
• <local0.info> [hostname] pb_policy: Changing pitboss policy from Y to X
• Note: X and Y are constant values for your system.
• The following command can assist in finding files that have been associated with unauthorized modifications to the crontab file and/or existence of suspicious file(s) in /var/cron/tabs/ and other locations. While these files have not been discovered in all environments, their presence may be indicative of APT5 activity if discovered.
  • find / -type f -name “res*” | grep -E ‘res($|\.[a-z]{3})$’

Recommendations

• In NSA’s threat hunting guidance report, they recommend organizations follow the mitigation guidance if they have results from their detection methodology:
  • Move all Citrix ADC instances behind a VPN or other capability that requires valid user authentication (ideally multi-factor) before accessing the ADC.
  •  Contain malicious activity by isolating the Citrix ADC appliances from the environment.
•  Restore the Citrix ADC to a known good state and update to the latest version listed in the “What Customers Should Do” section of Citrix’s bulletin.

Given that cybercriminals have already exploited the vulnerability, other cybercriminals are highly likely to have the capability to exploit it, and will scan for vulnerable devices and attempt to exploit the vulnerability. Cybercriminals successfully exploiting the vulnerability could sell the access gained on criminal marketplaces, resulting in post-exploitation activities, including data exfiltration and encryption for extortion or intellectual property theft.

Recommendations

• To protect your systems from this vulnerability, you should immediately upgrade to one of the Citrix Gateway and ADC versions listed in the “What Customers Should Do” section of the bulletin. 
• Deepwatch conducts further detection assessments and threat hunting from data reported in our intelligence reports. However, not all activity can be hunted, detected, or monitored due to limitations in log sources received by Deepwatch. If you have questions about which log sources you should be ingesting to hunt, detect, and monitor the relevant intelligence from this report, please direct your inquiry to your respective squad manager.

Sources:

1. Citrix. (2022, December 13). Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518. Support Knowledge Center. Retrieved December 13, 2022, from https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
2. Lefkowitz Peter. (2022, December 13). Released: Citrix ADC and Citrix Gateway (security bulletin CTX474995) security update. Citrix Blogs. Retrieved December 13, 2022, from https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
3. Mandiant. (n.d.). Advanced persistent threats (APTs): cybercriminals & groups. Mandiant Insight Blog. Retrieved December 13, 2022, from https://www.mandiant.com/resources/insights/apt-groups#:~:text=to%20the%20group.-,APT5,-Suspected%20attribution%3A%20China
4. National Security Agency. (2022, December 13). APT5: Citrix ADC threat hunting guidance – media.defense.gov. NSA Cybersecurity Advisories & Guidance. Retrieved December 13, 2022, from https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF
5. National Security Agency. (2022, October 6). Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors. NSA Cybersecurity Advisories & Guidance. Retrieved December 13, 2022, from https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF
6. RIFT: Research and Intelligence Fusion Team. (2020, July 11). Rift: Citrix ADC vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence. NCC Group Research. Retrieved December 13, 2022, from https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/

↑