At-Bay's cyber research team believes the Royal ransomware group is actively exploiting the critical Citrix security flaw CVE-2022-27510.

The Royal ransomware group is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay. Announced by Citrix on November 8, 2022, the vulnerability, identified as CVE-2022-27510, allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.

There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay's cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it. Royal, which is considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of last year.

How the Royal ransomware group exploits CVE-2022-27510

As soon as the Citrix vulnerability was published, the At-Bay cyber research team began assessing the magnitude of the risk and identifying businesses that might be exposed, wrote Adi Dror, At-Bay cyber researcher, in a report. "Data from our scans, information gleaned from claims data, and other intelligence gathered by our cyber research team point to the Citrix vulnerability CVE-2022-27510 as the initial point of access utilized by the Royal ransomware group to launch a recent ransomware attack," she added.

The suspected exploitation method of the Citrix vulnerability by the Royal ransomware group is in line with the exploitation of similar vulnerabilities seen in the past, Dror continued. It appears Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorized access to devices running Citrix ADC or Citrix Gateway and launch ransomware attacks.
"Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups, especially critical infrastructure servers like those provided by Citrix. However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit."

The following versions of Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, according to Dror:

Product                              | Affected versions   | Fixed versions
Citrix ADC and Citrix Gateway 13.1   | before 13.1-33.47   | 13.1-33.47 and later
Citrix ADC and Citrix Gateway 13.0   | before 13.0-88.12   | 13.0-88.12 and later
Citrix ADC and Citrix Gateway 12.1   | before 12.1-65.21   | 12.1-65.21 and later
Citrix ADC 12.1-FIPS                 | before 12.1-55.289  | 12.1-55.289 and later

Businesses using any of the affected Citrix products are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix. "Even for clients who have not received a Security Alert, it's important for them to check if they're running vulnerable products and patch immediately," Dror stated.

Royal ransomware group an active, evasive threat to businesses

The Royal group significantly ramped up its operations in the closing months of 2022 and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. "Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe," researchers from security firm Cybereason said in a recent report.

The group's tactics bear similarities to those of Conti, prompting suspicion that it is partly made up of former members of the infamous group that shut down in May 2022. The Royal group is known to use phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution.
Initial access is typically followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload. Royal's use of partial encryption also helps the group evade detection.
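The patch advice above boils down to one check: is the running build older than the fixed build for its release line? The script below is an added example, not code from At-Bay or Citrix, that encodes the affected/fixed table from this article and classifies a constructed inventory of appliances. The format it assumes for the "show ns version" CLI output ("NetScaler NS13.1: Build 30.52.nc, ...") is an assumption, and every hostname and build in the sample inventory is constructed, not a real asset. Note that the FIPS line of 12.1 has its own fixed build, so a plain numeric comparison against 12.1-65.21 would wrongly flag a patched FIPS appliance; the lookup key carries that distinction.

```python
import re

# Fixed builds from the At-Bay table for CVE-2022-27510. The 12.1 FIPS line
# has a different fixed build than the regular 12.1 line, so the key includes
# a FIPS flag.
FIXED_BUILDS = {
    ("13.1", False): "13.1-33.47",
    ("13.0", False): "13.0-88.12",
    ("12.1", False): "12.1-65.21",
    ("12.1", True): "12.1-55.289",   # Citrix ADC 12.1-FIPS
}

# Assumed output shape of "show ns version": "NetScaler NS13.1: Build 30.52.nc, ..."
SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_version(version):
    """Turn a 'release-build' string such as '13.1-33.47' into (13, 1, 33, 47)."""
    release, build = version.split("-", 1)
    major, minor = release.split(".")
    build_major, build_minor = build.split(".")
    return (int(major), int(minor), int(build_major), int(build_minor))


def version_from_show_output(text):
    """Extract '13.1-30.52' from the assumed CLI output format."""
    match = SHOW_VERSION_RE.search(text)
    if not match:
        raise ValueError("could not find a NetScaler version in the output")
    return f"{match.group(1)}-{match.group(2)}"


def is_affected(version, fips=False):
    """True when the build is older than the fixed build for its release line."""
    parsed = parse_version(version)
    release = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        raise ValueError(f"release {release} (fips={fips}) is not in the advisory table")
    # Tuple comparison orders by major, minor, build, sub-build in turn.
    return parsed < parse_version(fixed)


def check_inventory(hosts):
    """Classify each (hostname, version, fips) entry as affected, fixed or unknown."""
    results = {}
    for hostname, version, fips in hosts:
        try:
            results[hostname] = "affected" if is_affected(version, fips) else "fixed"
        except ValueError:
            results[hostname] = "unknown"   # release line not covered by the table
    return results


# Constructed sample inventory: hypothetical hostnames and builds.
SAMPLE_INVENTORY = [
    ("gw-01", "13.1-30.52", False),          # below 13.1-33.47
    ("gw-02", "13.1-33.47", False),          # exactly the fixed build
    ("adc-legacy", "12.1-55.289", False),    # regular 12.1 line: still below 65.21
    ("adc-fips", "12.1-55.289", True),       # FIPS line: this is the fixed build
    ("adc-old", "12.0-63.13", False),        # release not in the table
]

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against the constructed inventory and the two 12.1-55.289 entries come out differently: the regular-line appliance is reported as affected while the FIPS appliance is reported as fixed. Releases the table does not cover are reported as unknown rather than silently passed, so they still get a human look.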