February 23, 2024

The Royal ransomware group is believed to be actively exploiting a important safety flaw affecting Citrix techniques, in accordance with the cyber analysis group at cyber insurance coverage supplier At-Bay. Announced by Citrix on November 8, 2022, the vulnerability, recognized as CVE-2022-27510, permits for the potential bypass of authentication measures on two Citrix merchandise: the Utility Supply Controller (ADC) and Gateway.

There have been no recognized cases of the vulnerability being exploited within the wild on the time of disclosure. Nonetheless, as of the primary week of 2023, At-Bay’s cyber researchers claimed new data suggests the Royal ransomware group is now actively exploiting it. Royal, which is taken into account one of many extra refined ransomware teams, emerged in January 2022 and was significantly energetic within the second half of final 12 months.

How the Royal ransomware group exploits CVE-2022-27510

As quickly because the Citrix vulnerability was revealed, the At-Bay cyber analysis group started assessing the magnitude of the danger and figuring out companies that may be uncovered, wrote Adi Dror, At-Bay cyber knowledge analyst, in a report. “Knowledge from our scans, data gleaned from claims knowledge, and different intelligence gathered by our cyber analysis group level to the Citrix vulnerability CVE-2022-27510 because the preliminary level of entry utilized by the Royal ransomware group to launch a latest ransomware assault,” he added.

The suspected exploitation methodology of the Citrix vulnerability by the Royal ransomware group is in keeping with the exploitation of comparable vulnerabilities seen prior to now, Dror continued. It seems Royal is exploiting this authentication bypass vulnerability in Citrix merchandise to achieve unauthorized entry to units with Citrix ADC or Citrix Gateway and launch ransomware assaults. “Exploiting vulnerabilities in servers is likely one of the commonest assault vectors for ransomware teams – particularly important infrastructure servers like these offered by Citrix. Nonetheless, what units this occasion aside is that the ransomware group is utilizing the Citrix vulnerability earlier than there’s a public exploit.”

The next variations of the Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, in accordance with Dror:


Affected Variations

Mounted Variations

Citrix ADC and Citrix Gateway 13.1

Earlier than 13.1-33.47

 13.1-33.47 and later

Citrix ADC and Citrix Gateway 13.0

Earlier than 13.0-88.12

13.0-88.12 and later

Citrix ADC and Citrix Gateway 12.1 

Earlier than 12.1-65.21      

12.1-65.21 and later

Citrix ADC 12.1-FIPS

Earlier than 12.1-55.289

12.1-55.289 and later

Companies utilizing any of the affected Citrix merchandise are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix. “Even for purchasers who haven’t obtained a Safety Alert, it’s vital for them to examine in the event that they’re operating weak merchandise and patch instantly,” Dror said.

Royal ransomware group an energetic, evasive menace to companies

The Royal group considerably ramped up its operations within the closing months of 2022 and developed its personal customized ransomware program that enables attackers to carry out versatile and quick file encryption. “Its ransomware, which the group deploys by way of totally different TTPs, has impacted a number of organizations throughout the globe,” researchers from security firm Cybereason said in a recent report.

The group’s ways bear similarities to these of Conti, prompting suspicion that it’s partly made up of former members of the notorious group that shut down in Could 2022. The Royal group is thought to make use of phishing as an preliminary assault vector, in addition to third-party loaders resembling BATLOADER and Qbot for distribution. Preliminary entry is often adopted by the deployment of a Cobalt Strike implant for persistence and to maneuver laterally contained in the atmosphere in preparation for dropping the ransomware payload. The ways utilized by Royal enable for the group to evade detection with partial encryption.

Copyright © 2023 IDG Communications, Inc.