HHS urges prompt patch of critical Citrix flaw after healthcare entities exploited

Provider organizations are being urged to prioritize patching of a critical vulnerability in the Citrix Application Delivery Controller and Gateway platforms, as threat actors have already compromised multiple healthcare entities by exploiting the flaw.

Ranked 9.8 in severity, the Department of Health and Human Services Cybersecurity Coordination Center alert warns the vulnerability can allow an unauthenticated remote attacker to execute commands and completely compromise targeted systems.

“Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls,” according to the National Security Agency threat hunting guidance specific to the Citrix ADC targeting.

The CVE-2022-27518 flaw is used in Citrix products across multiple sectors and is currently under active exploit “by a highly capable state-sponsored adversary.” Given the ongoing targeting, Citrix is limiting the details it releases about the flaw.

Citrix has issued a patch for the zero-day vulnerability and a blog describing the problem and needed mitigation measures. The permanent fixes are available to download through Citrix. 

As noted in the HC3 alert, the concern is that the flaw is currently being targeted and successfully exploited by APT5, or UNC2630, a Chinese state-sponsored advanced persistent threat. HCS notes that the specific attacker has not yet been identified in the attacks and compromises on U.S. healthcare organizations. 

Versions 12.1, including FIPS and NDcPP, and 13.0 before 13.0-58.32 are affected by the flaw. Citrix researchers explained that both of the platforms “must be configured with an SAML SP or IdP configuration to be affected. Entities using “an affected build with a SAML SP or IdP configuration are urged to install the recommended builds immediately.”

There are no available workarounds for the security issue and it’s “not possible to fix the vulnerability with Web Application Firewall signatures.”

Provider organizations should review the HC3 alert and Citrix security bulletin for details into remediation needs. Those ‘running affected builds” should review their inventory for these systems and prioritize the implementation of these patches and “set up audit logging to monitor for unauthorized activity on ADC or Gateway devices.”

Citrix recommended organizations review the NSA alert for insights into the detection and mitigation of the tools used in these ongoing attacks. The guidance includes measures entities can take to look for possible artifacts specific to the ongoing activity against the affected Citrix platforms.

NSA also share IOCs and YARA signatures that can detect malware the agency has observed threat actors using in this particular campaign.

“Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems,” according to the NSA guidance. “Artifacts may vary based on the environment and the stage of that activity. As such, NSA recommends investigating any positive result even if other detections return no findings.”

Further, if a compromise is detected, entities should shift all Citrix ADC instances behind a virtual private network or another tool that requires a valid user authentication before it’s allowed to access the ADC. The Citrix ADC appliances should also be isolated from the environment to contain any malicious activity, while restoring the affected platform to a known good state.

The NSA added that even if an entity does not find any indications of malicious activity during its investigation, it’s imperative to verify that the organization is running current versions of Citrix ADC appliances. Those who find new discoveries or additional information should share it with the NSA.