Multiple ransomware operations are converging on a shared playbook that prioritizes stealth and prolonged network access over rapid encryption. According to analysis from Arctic Wolf, threat actors — including affiliates of the Anubis ransomware group — are exploiting the critical "Citrix Bleed 2" vulnerability to gain an initial foothold in target networks, then layering advanced techniques to evade detection while moving laterally.

The attack chains share common patterns despite differences between affiliates. A primary tactic involves the malicious use of legitimate Remote Management and Monitoring (RMM) tools. By deploying these commercially available packages, the threat actors blend their activities with normal system administration tasks, complicating identification by security operations centers.

The tradecraft extends well beyond initial access. Arctic Wolf observed attackers leveraging common entry points such as VPN logins and RDP sessions, then progressing to tools like PsExec for remote execution and cloud-transfer utilities to exfiltrate data. Bring Your Own Vulnerable Driver (BYOVD) attacks are used to bypass security controls and gain kernel-level access. Additionally, these operations make use of compromised credentials obtained through supply chain compromises, allowing threat actors to authenticate using trusted, legitimate accounts and further complicate detection. This hands-on-keyboard approach enables tailored, targeted compromise of each environment before any ransomware payload is deployed.

The findings present urgent priorities for network defenders. The foremost action is to immediately patch all internet-facing Citrix gateway systems against the "Citrix Bleed 2" vulnerability to shut down the initial access vector. Security teams must also implement strict policies to monitor and control the installation and use of RMM software within their environments to identify anomalous activity.

Beyond patching, organizations should harden systems against BYOVD techniques by restricting unsigned or vulnerable driver loads, review remote access protocols such as VPN and RDP for unusual authentication patterns, and audit the provenance of credentials used across their environment to guard against supply chain compromises. This multi-layered defense approach is critical to countering the advanced, persistence-focused playbook now shared across multiple ransomware operations — a clear evolution in the threat landscape.
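To make the RMM-monitoring and driver-restriction controls above concrete, here is an added example written for this page (not code from Arctic Wolf or the article) that applies an assumed organisational policy to constructed endpoint telemetry: sanctioned RMM agents must run from their install directory under an admin account, and kernel drivers must match a hash allowlist, which catches signed-but-vulnerable drivers as well as unsigned ones. All tool names, hashes, hosts and users are placeholders.

```python
from dataclasses import dataclass

# Assumed organisational policy (placeholder values, not from the article): the one
# sanctioned RMM agent with its required directory and admin group, other RMM binaries
# the team recognises but has not sanctioned, and a SHA-256 allowlist for drivers.
APPROVED_RMM = {"corp-rmm-agent.exe": ("c:\\program files\\corp-rmm\\", "it-admins")}
KNOWN_RMM = {"corp-rmm-agent.exe", "remote-support-lite.exe", "anyrmm.exe"}
APPROVED_DRIVERS = {"11" * 32: "corp-storage-filter.sys"}  # placeholder SHA-256

@dataclass
class Event:
    kind: str    # "process" (image start) or "driver" (kernel driver load)
    host: str
    user: str
    group: str   # directory group of the user, as enriched by the SIEM
    image: str   # full path as logged
    signed: bool
    sha256: str = ""

def check(ev):
    """Return a finding string if the event violates policy, else None."""
    if ev.kind == "driver":
        if not ev.signed:
            return f"{ev.host}: unsigned driver load {ev.image}"
        if ev.sha256 not in APPROVED_DRIVERS:
            return f"{ev.host}: driver {ev.image} not on allowlist (BYOVD candidate)"
        return None
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in KNOWN_RMM:
        return None                      # not an RMM binary; out of scope here
    if name not in APPROVED_RMM:
        return f"{ev.host}: unsanctioned RMM tool {name} run by {ev.user}"
    expected_dir, admin_group = APPROVED_RMM[name]
    if not ev.image.lower().startswith(expected_dir):
        return f"{ev.host}: {name} running from unexpected path {ev.image}"
    if ev.group != admin_group:
        return f"{ev.host}: {name} run by {ev.user}, not a member of {admin_group}"
    return None

def evaluate(events):
    return [f for f in (check(ev) for ev in events) if f]

# Constructed sample telemetry (hosts, users and paths are made up).
SAMPLE = [
    Event("process", "ws01", "jdoe", "it-admins", "C:\\Program Files\\corp-rmm\\corp-rmm-agent.exe", True),
    Event("process", "ws02", "bsmith", "finance", "C:\\Users\\bsmith\\Downloads\\anyrmm.exe", True),
    Event("process", "srv01", "svc-backup", "backups", "C:\\Temp\\corp-rmm-agent.exe", True),
    Event("driver", "srv01", "SYSTEM", "system", "C:\\Windows\\System32\\drivers\\corp-storage-filter.sys", True, "11" * 32),
    Event("driver", "srv02", "SYSTEM", "system", "C:\\Windows\\Temp\\oldvendor.sys", True, "22" * 32),
]
```

Running `evaluate(SAMPLE)` yields three findings: the unsanctioned tool in a user's Downloads folder, the sanctioned agent launched from a temp directory by a service account, and a signed driver absent from the allowlist.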

