Users of Citrix Application Delivery Controller (ADC) and Citrix Gateway are strongly encouraged to verify that their systems are not exposed to a dangerous unauthenticated remote code execution vulnerability that is currently being exploited by a highly skilled Chinese advanced persistent threat (APT) actor and potentially by other state-sponsored hacking groups. Healthcare organizations that use Citrix ADC and Gateway are vulnerable to CVE-2022-27518, a critical unauthenticated remote code execution vulnerability with a CVSS v3 severity rating of 9.8 out of 10. Exploitation of this flaw could allow an unauthenticated actor to remotely execute code and completely compromise the appliance, so it is essential for healthcare organizations to apply the security patch as soon as possible. These appliances are typically deployed to keep critical clinical applications, such as electronic medical records, constantly available and to provide secure remote access with single sign-on across applications, which makes a compromised appliance a foothold into exactly those systems.
The Health Sector Cybersecurity Coordination Center (HC3) recently issued an alert about this flaw, which has been exploited in cyberattacks on healthcare organizations. It was not possible to attribute those attacks to any specific threat actor. However, Mandiant has observed a Chinese state-sponsored hacking group known as APT5 (aka UNC2630, Keyhole Panda, Manganese) exploiting the same vulnerability. This APT actor has been active since at least 2007 and primarily targets technology and telecommunications companies, although organizations in other sectors have also been attacked. HC3 has urged all healthcare organizations to review their inventories to determine whether they use Citrix ADC or Citrix Gateway and, if so, to prioritize patching. The vulnerability only affects Citrix ADC and Gateway appliances configured as a Security Assertion Markup Language service provider (SAML SP) or identity provider (SAML IdP); an appliance without a SAML configuration is not exploitable, but should still be updated.
The affected versions are Citrix ADC and Citrix Gateway 13.0 prior to 13.0-58.32, 12.1 prior to 12.1-65.25, 12.1-FIPS prior to 12.1-55.291, and 12.1-NDcPP prior to 12.1-55.291. Version 13.1 is not affected. To determine whether an appliance is at risk, administrators should check the running build with "show ns version" and inspect the ns.conf file for the two commands "add authentication samlAction" and "add authentication samlIdPProfile". If either command is present on an unpatched build, the instance is vulnerable and should be patched right away; note that the FIPS and NDcPP builds of 12.1 have a different fixed build number than standard 12.1, so the variant must be known before the build number is compared. It is also highly recommended to hunt for indicators of compromise using the YARA signatures published with the HC3 alert. If any malicious activity is discovered, Citrix instances should be placed behind a VPN or other authentication layer and multifactor authentication should be enabled. Lastly, any Citrix ADC appliance located in an environment with suspicious activity should be immediately isolated and restored to its last known good state.
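The two checks described above, the build-number comparison against the fixed builds and the search of ns.conf for the SAML commands, can be combined into one assessment. The script below is an added example written for this article; it is not Citrix's or HC3's tooling. It assumes the "show ns version" output has the form "NetScaler NS13.0: Build 47.24.nc, Date: ..." and, because the version string alone does not tell the script whether a 12.1 build is the FIPS or NDcPP variant, it takes that as an explicit parameter. The sample version string and ns.conf fragment are constructed for the demonstration.

```python
from __future__ import annotations

import re

# Fixed builds for each affected branch, taken from the ranges quoted above.
# 13.1 is not in this table because it is not affected.
FIXED_BUILDS: dict[str, tuple[int, int]] = {
    "13.0": (58, 32),
    "12.1": (65, 25),
    "12.1-FIPS": (55, 291),
    "12.1-NDcPP": (55, 291),
}

# Assumed format of `show ns version` output (release, then build major.minor).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# The two ns.conf commands that indicate a SAML SP or SAML IdP configuration.
SAML_CMD_RE = re.compile(
    r"^\s*(add\s+authentication\s+saml(?:Action|IdPProfile)\b.*)$", re.MULTILINE
)


def parse_ns_version(show_version_output: str) -> tuple[str, tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from `show ns version` text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_unpatched(branch: str, build: tuple[int, int]) -> bool | None:
    """True if the build predates the fix, False if patched, None if the branch is not listed."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (55, 291) < (65, 25) is True


def saml_commands(ns_conf: str) -> list[str]:
    """Return every samlAction / samlIdPProfile line found in ns.conf."""
    return [m.group(1).strip() for m in SAML_CMD_RE.finditer(ns_conf)]


def assess(show_version_output: str, ns_conf: str, variant: str | None = None) -> dict:
    """Combine both checks. `variant` is "FIPS" or "NDcPP" for those 12.1 builds."""
    release, build = parse_ns_version(show_version_output)
    branch = f"{release}-{variant}" if variant else release
    unpatched = is_unpatched(branch, build)
    saml = saml_commands(ns_conf)
    if unpatched is None:
        status = "not-in-advisory"      # e.g. 13.1, or an unlisted branch: verify manually
    elif unpatched and saml:
        status = "vulnerable"           # exploitable: unpatched build with SAML configured
    elif unpatched:
        status = "patch-required"       # not currently exploitable, but still update
    else:
        status = "patched"
    return {"branch": branch, "build": build, "status": status, "saml_commands": saml}


# Constructed sample inputs for the demonstration (not captured from a real appliance).
SAMPLE_VERSION = "NetScaler NS13.0: Build 47.24.nc, Date: Sep 3 2020, 14:37:32   (64-bit)"
SAMPLE_NS_CONF = """set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.com/sso"
add authentication vserver auth_vs SSL 10.0.0.6 443
"""

if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_NS_CONF)
    print(f"{result['branch']} build {result['build'][0]}.{result['build'][1]}: {result['status']}")
    for line in result["saml_commands"]:
        print("  ", line)
```

The script deliberately separates "patch-required" from "vulnerable": the advisory's exploitable condition is an unpatched build with a SAML configuration, but an unpatched appliance without SAML should still be updated rather than left in place. Passing the wrong variant for a 12.1-FIPS or 12.1-NDcPP build would compare against the standard 12.1 fixed build and report 12.1-55.291 as unpatched, which is why the variant is an explicit input.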