Credit: Dreamstime
The Royal ransomware group is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay.
Announced by Citrix on 8 November 2022, the vulnerability, identified as CVE-2022-27510, allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.
There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay’s cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it.
Royal, which is considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of last year.
How the Royal ransomware group exploits CVE-2022-27510
As soon as the Citrix vulnerability was published, the At-Bay cyber research team began assessing the magnitude of the risk and identifying businesses that might be exposed, wrote Adi Dror, At-Bay cyber data analyst, in a report.
“Data from our scans, information gleaned from claims data, and other intelligence gathered by our cyber research team point to the Citrix vulnerability CVE-2022-27510 as the initial point of access utilised by the Royal ransomware group to launch a recent ransomware attack,” he added.
The suspected exploitation method of the Citrix vulnerability by the Royal ransomware group is in line with the exploitation of similar vulnerabilities seen in the past, Dror continued.
It appears Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorised access to devices with Citrix ADC or Citrix Gateway and launch ransomware attacks.
“Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups – especially critical infrastructure servers like those provided by Citrix. However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit.”
The following versions of the Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, according to Dror:
|
Product |
Affected Versions |
Fixed Versions |
|
Citrix ADC and Citrix Gateway 13.1 |
Before 13.1-33.47 |
13.1-33.47 and later |
|
Citrix ADC and Citrix Gateway 13.0 |
Before 13.0-88.12 |
13.0-88.12 and later |
|
Citrix ADC and Citrix Gateway 12.1 |
Before 12.1-65.21 |
12.1-65.21 and later |
|
Citrix ADC 12.1-FIPS |
Before 12.1-55.289 |
12.1-55.289 and later |
Businesses using any of the affected Citrix products are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix.
“Even for clients who have not received a Security Alert, it’s important for them to check if they’re running vulnerable products and patch immediately,” Dror stated.
Royal ransomware group an active, evasive threat to businesses
The Royal group significantly ramped up its operations in the closing months of 2022 and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption.
“It's ransomware, which the group deploys through different TTPs, has impacted multiple organisations across the globe,” researchers from security firm Cybereason said in a recent report.
The group’s tactics bear similarities to those of Conti, prompting suspicion that it’s partly made up of former members of the infamous group that shut down in May 2022.
The Royal group is known to use phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution.
Initial access is typically followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload. The tactics used by Royal allow for the group to evade detection with partial encryption.
