The National Security Agency said on Tuesday that Chinese state-backed hackers are exploiting a flaw in a widely used networking device that allows an attacker to carry out remote code execution.
In its advisory, the NSA said it believes a Chinese hacking crew known as APT5 “has demonstrated capabilities” against an application delivery controller made by Citrix. Citrix released an emergency patch to fix the vulnerability on Monday and said that “exploits of this issue on unmitigated appliances in the wild have been reported.”
The spy agency’s advisory effectively burns down an apparent Chinese intelligence operation by exposing its tools and advising potential victims on how to prevent further attacks. The NSA has historically preferred to monitor such attacks rather than publicizing them, but in recent years it has grown more proactive in sharing intelligence on attackers such as APT5.
Now that they’ve been burned, the hackers behind the operation targeting Citrix may step up the pace of their attacks. “Chinese actors with a history of using zero days often ramp up after they’ve been discovered,” said John Hultquist, the vice president for intelligence analysis at Mandiant. While they are undetected, these groups will try to avoid tripping the alarm, but “after the zero day is observed all bets are off,” he said.
Active since at least 2007, APT5 is a well-known Chinese hacking group with a history of attacking networking companies and devices. The group has a history of attacking telecommunications and technology firms, with a particular interest in defense-related technology. In 2019, the group was caught attacking virtual private networks to steal user credentials and monitor traffic.
The revelation of the Citrix flaw on Tuesday comes a day after Fortinet revealed a severe vulnerability that also allows remote code execution for one of its VPN products. The company said it was aware of “an instance where this vulnerability was exploited in the wild” but did not attribute the attack. The company urged its customers to patch affected systems immediately.
The news of the Citrix vulnerability so shortly after the Fortinet flaws means that large numbers of systems may be exposed to attack until patches are implemented on affected systems.
“Combined with the recent Fortinet vulnerability it could make for a lousy Christmas,” said Allan Liska, an intelligence analyst at Recorded Future. “The two are equally bad in terms of being remote code execution and pre-auth. They are also both devices that tend to be publicly accessible from the internet, which means bad guys are likely already scanning for potential victims.”