30 January 2024


Citrix vulnerabilities favoured by ransomware groups for initial access | Cyber Intelligence Briefing: 30 January


Top news stories this week

  1. Cit-risks. S-RM identifies numerous ransomware attacks with Citrix vulnerabilities at the root.
  2. Tripartite crackdown. Australia, UK, and US sanction Russian individual involved in 2022 Medibank attack.
  3. Fortra bug. Proof-of-concept exploit released for a critical authentication bypass in GoAnywhere MFT file transfer software.
  4. In deep water. Major UK and US water suppliers impacted by separate ransomware attacks.
  5. Major breach. A massive database containing 26 billion stolen credentials comes to light.
  6. Cloud burst. Akira ransomware attack on Finnish cloud service provider disrupts services.

1. Citrix vulnerabilities favoured by ransomware groups for initial access

S-RM's Incident Response team has responded to numerous ransomware attacks in recent weeks that had Citrix vulnerabilities at the root. In over 90% of cases involving Citrix infrastructure, the threat actor exploited the well-known Citrix Bleed vulnerability (CVE-2023-4966) in NetScaler ADC and Gateway, with only a small proportion traced back to exploitation of a separate Citrix ShareFile vulnerability, CVE-2023-24489.

So what?

Read our full briefing for further information on how organisations using Citrix can protect themselves from attacks and limit the impact of Citrix-related intrusions when they happen.

[Researcher: David Broome] 


2. Australia, UK, and US sanction Russian national for 2022 Medibank attack

In a first use of its 2021 cyber sanctions legislation, Australia sanctioned Alexander Ermakov for his role in the 2022 cyber attack on health insurer Medibank. The Russian national is believed to have been a member of REvil, one of the most infamous Russia-based ransomware groups of all time. The US and UK joined Australia in sanctioning the individual, representing the first trilateral sanctions to be applied to a cybercriminal.

So what?

Organisations should work with trusted providers to navigate the increasingly complex sanctions landscape and thoroughly investigate the ethical, legal, and reputational ramifications of paying a ransom.

[Researcher: Aditya Ganjam Mahesh]


3. Exploit for critical GoAnywhere vulnerability released

A proof-of-concept (PoC) exploit has been released for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra's GoAnywhere MFT file transfer solution. The vulnerability allows unauthenticated remote attackers to reach the administration panel's initial account setup and create new administrative users. The release of the PoC, which shows how the exploit is executed, is likely to drive an increase in exploitation of this flaw.

The ransomware group Cl0p has historically targeted MFT solutions in supply chain attacks because they typically contain large volumes of sensitive data, and a single compromise could breach numerous victims. Last year, the group leveraged a zero-day (CVE-2023-0669) in GoAnywhere MFT to breach over a hundred victims.

So what?

Organisations that use self-hosted instances of Fortra's GoAnywhere MFT should upgrade to a fixed version (7.4.1 or later) or, where patching is not immediately possible, apply Fortra's published mitigation of removing the InitialAccountSetup.xhtml file from the installation directory and restarting the service. Administrators should also review the admin user list for accounts they did not create, since a new admin account is the expected artefact of successful exploitation.

[Researcher: Ineta Simkunaite]


4. Southern Water and Veolia North America impacted by separate ransomware attacks

UK water supplier Southern Water has confirmed it was the victim of a Black Basta ransomware attack after the group posted some of its sensitive data to their leak site. Separately, Veolia North America revealed its municipal water division was hit by a ransomware attack, resulting in delays to online payments and the potential compromise of personal data.

So what?

Organisations in critical infrastructure sectors should adopt a multi-layered approach to defence against potential threats and prioritise the development of comprehensive incident response and business continuity plans.

[Researcher: David Broome]


5. 26 billion records uncovered in record-breaking breached data collection

Researchers have discovered the largest collection of leaked data records identified to date. The repository merges collections of previously leaked data and reportedly contains credentials from numerous major brands and services, as well as records from government organisations in the US, Brazil, Germany, Turkey, and the Philippines. The collection, dubbed ‘the mother of all breaches’, underscores the enduring challenge of the sale and distribution of stolen credentials across the dark web.

So what?

Aggregated breached data can be leveraged by threat actors for credential stuffing and password reuse attacks against accounts, and to enable identity theft and targeted phishing. Password policies that require unique passwords per service, screen new passwords against known breach corpora, and mandate multi-factor authentication (MFA) sharply limit the value of leaked credentials to an attacker.

[Researcher: Aditya Ganjam Mahesh]
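As an added example (not code from S-RM or from the briefing), the following Python shows the password-screening control mentioned above: a candidate password is checked against a breached-password corpus using the k-anonymity range-lookup pattern, where only the first five characters of the SHA-1 hash are sent to the lookup service and the suffix is matched locally. The breached corpus is constructed inline from a few illustrative passwords; a real deployment would query a service or local dataset that returns the same SUFFIX:COUNT lines per prefix.

```python
"""Screen a candidate password against a breached-password corpus using
k-anonymity range lookups. Added example; the corpus below is constructed
for illustration and is not real leak data."""
import hashlib

PREFIX_LEN = 5  # characters of the SHA-1 hex digest sent to the lookup service

# Constructed sample corpus: password -> number of times seen in leaks.
SAMPLE_LEAKED = {
    "password": 9_000_000,
    "Password1": 250_000,
    "letmein": 500_000,
    "Winter2024!": 1_200,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Group leaked hashes by their 5-character prefix, as a range API serves them.
    Each entry is the 35-character hash suffix and its occurrence count."""
    index: dict = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(f"{h[PREFIX_LEN:]}:{count}")
    return index


def range_lookup(prefix: str, index: dict) -> str:
    """Stand-in for the network call: the service only ever sees the prefix
    and returns every known suffix under it, so the full hash stays local."""
    assert len(prefix) == PREFIX_LEN
    return "\n".join(index.get(prefix, []))


def breach_count(password: str, index: dict) -> int:
    """Number of times the password appears in the corpus (0 if unseen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in range_lookup(prefix, index).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, index: dict, min_len: int = 12):
    """Policy check: enforce length, then reject anything seen in breach data.
    Returns (accepted, reason)."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password, index)
    if seen:
        return False, f"seen in breach data {seen} times"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_LEAKED)
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate, idx))
```

Rejecting breached passwords at set time is complementary to MFA, not a substitute: it removes the passwords most likely to be in an attacker's stuffing list, while MFA covers the ones that leak later.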


6. Attack on cloud service provider disrupts businesses across Sweden

Finnish IT services and cloud service provider Tietoevry suffered an Akira ransomware attack that impacted one of its Swedish data centres. The attack has disrupted services for organisations across Sweden that rely on Tietoevry, including a human resources and payroll company used by most Swedish government agencies and national universities, a grocery store chain, a national retailer, and a cinema chain.

So what?

Organisations must regularly perform due diligence on their service provider’s cyber security posture to ensure adequate security controls and should incorporate the disruption of primary service providers into their business continuity plans.

[Researcher: Jon Seland]

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Editors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Melissa DeOrio
Global Cyber Threat Intelligence Lead

Melissa DeOrio is Global Cyber Threat Intelligence Lead at S-RM. Melissa supports clients with a variety of proactive cyber services and supports cyber threat intelligence services. 

Before joining S-RM, Melissa supported US Federal Law Enforcement cyber investigations as a cyber targeter. In this role, Melissa utilized numerous cyber investigative techniques and methodologies to investigate cyber threat actors and groups including open-source intelligence techniques, cryptocurrency asset tracing as well as identifying and mapping threat actor tactics, techniques and procedures (TTPs) to provide tactical and strategic intelligence reports. Melissa began her career in corporate intelligence, where she specialized in Turkish regional investigations, managed a global team of researchers, and supported the development and implementation of a new compliance program at a leading management consulting firm.

Melissa holds a MSc in Security Studies from University College London and a BA in Political Science from the College of Saint Benedict and Saint John’s University. 

Miles Arkwright
Associate, Cyber Advisory