Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

The recent surge in ransomware attacks has shown how exposed organizations remain to threat actors who exploit weaknesses in software and infrastructure to reach sensitive data. The Anubis ransomware operation has been observed using Citrix Bleed 2 (CVE-2025-5777), a critical vulnerability in Citrix appliances, to obtain initial access to victim networks, underlining the need for organizations to prioritize patching and cybersecurity more broadly.

Ransomware Tactics and Techniques

Ransomware groups, including those associated with the Anubis operation, use a range of tactics and techniques to get into organizations' networks. These include exploiting vulnerabilities such as Citrix Bleed 2 and abusing legitimate Remote Monitoring and Management (RMM) tooling for initial access and persistence. Because RMM agents are expected on many corporate hosts, their use lets threat actors blend in with legitimate administrative traffic, which makes the intrusion harder to detect and respond to.

The Anubis ransomware operation has also been observed combining credential access with hands-on-keyboard activity to move laterally within a network and reach sensitive data. Controls such as multi-factor authentication and least-privilege access limit how far a stolen credential can take an attacker once they are inside.
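One way to make the RMM abuse described above visible is to compare every remote-management agent launch against an inventory of which agent is sanctioned and where it may run. The script below is an added illustration, not code from the original post; the watchlist, the policy and the pipe-delimited process-creation records are all constructed.

```python
"""Flag RMM agent launches that fall outside an organisation's approved tooling.

Constructed example: the watchlist, policy and telemetry below are made up.
"""
from dataclasses import dataclass, field

# Illustrative, non-exhaustive watchlist of RMM agent binary names (lower-case).
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe",
    "screenconnect.clientservice.exe", "ateraagent.exe",
}

@dataclass
class RmmPolicy:
    """Which RMM binary is sanctioned, and on which hosts it may run."""
    approved_binary: str
    approved_hosts: set = field(default_factory=set)
    # Hosts where no remote-management agent should ever appear (e.g. a gateway)
    denied_hosts: set = field(default_factory=set)

def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.split("|"))

def find_unapproved_rmm(lines, policy):
    """Return (host, image, user, reason) for every RMM launch the policy rejects."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of the binary
        if image not in RMM_BINARIES:
            continue  # not a remote-management agent, ignore
        host = ev["host"].lower()
        if host in policy.denied_hosts:
            findings.append((host, image, ev["user"], "rmm on denied host"))
        elif image != policy.approved_binary:
            findings.append((host, image, ev["user"], "unapproved rmm agent"))
        elif host not in policy.approved_hosts:
            findings.append((host, image, ev["user"], "approved agent, unexpected host"))
    return findings

# Constructed sample telemetry: one sanctioned launch, three that should be flagged.
SAMPLE_EVENTS = [
    "host=ws01|user=jdoe|image=C:\\Program Files\\Atera\\AteraAgent.exe",
    "host=ws07|user=svc_vendor|image=C:\\Users\\Public\\AnyDesk.exe",
    "host=citrix-gw1|user=admin|image=C:\\Temp\\AteraAgent.exe",
    "host=fs02|user=jdoe|image=C:\\Windows\\System32\\notepad.exe",
    "host=fs02|user=svc_vendor|image=C:\\ProgramData\\AteraAgent.exe",
]
POLICY = RmmPolicy("ateraagent.exe", {"ws01", "ws02"}, {"citrix-gw1"})

if __name__ == "__main__":
    for finding in find_unapproved_rmm(SAMPLE_EVENTS, POLICY):
        print(*finding)
```

In practice the records would come from your EDR or Sysmon process-creation telemetry and the policy from your asset inventory; the logic stays the same.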

Vulnerability Exploitation

Citrix Bleed 2 is a critical weakness that lets threat actors bypass authentication on affected appliances and use that foothold to reach sensitive data, which makes it a high-priority target for ransomware groups. Organizations that have not patched it remain exposed, and the episode is a reminder that regular vulnerability assessments and disciplined patch management are not optional.

Exploiting vulnerabilities such as Citrix Bleed 2 is a routine tactic for ransomware groups, including those associated with the Anubis operation. Exploit kits and similar tooling let threat actors weaponize a newly disclosed flaw quickly, so the window between disclosure and patching is where defenders must act.

Supply Chain Credentials

Ransomware groups, including those associated with the Anubis operation, have also been observed using supply chain credentials, that is, accounts belonging to vendors, managed service providers and other third parties, to get into organizations' networks. Such credentials are often trusted and broadly scoped, so they give threat actors both access to sensitive data and a convenient path for lateral movement.

This avenue is often overlooked, but its consequences can be devastating. A third-party vendor or supplier can become the weak point through which an organization is breached, so third-party access needs the same controls and monitoring as internal accounts.

What This Actually Means For You

  1. The Anubis ransomware operation has been observed using the Citrix Bleed 2 vulnerability to obtain initial access, highlighting the need for organizations to prioritize patch management and vulnerability assessments.
  2. Ransomware groups are using a range of tactics and techniques to gain access to organizations' networks, including the use of legitimate RMM tooling and the exploitation of vulnerabilities.
  3. Implementing robust security controls, such as multi-factor authentication and least privilege access, is essential to preventing threat actors from gaining access to sensitive data.
  4. Organizations should monitor their supply chain closely and implement robust security controls to prevent the use of supply chain credentials by threat actors.
  5. Regular security awareness training and phishing simulations can help prevent employees from falling victim to social engineering attacks.

Immediate Action Steps

Organizations should act now: patch the Citrix Bleed 2 vulnerability, enforce multi-factor authentication and least-privilege access, and keep vulnerability assessments and patch management on a regular cadence. They should also inventory and monitor third-party access closely so that supply chain credentials cannot be quietly reused by threat actors.

Regular security awareness training and phishing simulations round this out by reducing the chance that an employee hands over the credentials or the initial foothold that a ransomware intrusion starts from.

Frequently Asked Questions

What is the Citrix Bleed 2 vulnerability?

The Citrix Bleed 2 vulnerability is a critical weakness that can be exploited by threat actors to gain access to an organization's network. It allows threat actors to bypass authentication and gain access to sensitive data, making it a high-priority target for ransomware groups.

How do ransomware groups use supply chain credentials?

Ransomware groups use credentials belonging to vendors and other third parties to enter an organization's network and move laterally within it. Because those accounts are expected to log in, the activity blends in with legitimate traffic and is harder for the organization to detect and respond to.

What can organizations do to prevent ransomware attacks?

Organizations can prevent ransomware attacks by implementing robust security controls, including multi-factor authentication and least privilege access. Regular vulnerability assessments and patch management are also essential to preventing the exploitation of vulnerabilities such as Citrix Bleed 2.

What Do You Think?

As the threat landscape continues to evolve, it's essential for organizations to stay ahead of the threat by implementing robust security controls and prioritizing cybersecurity. What do you think is the most critical step organizations can take to prevent ransomware attacks, and how can they balance the need for security with the need for convenience and accessibility?
