general · TheHackerNews
Threat actors affiliated with the Anubis ransomware-as-a-service operation have been observed exploiting Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) to gain initial access to target environments, according to Arctic Wolf. The attackers combine this vulnerability with valid VPN credentials—sourced through prior compromise, initial access brokers, or credential stuffing—to establish footholds. Once inside, Anubis affiliates deploy legitimate remote management tools (ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC) for persistent access, then move laterally via RDP and PsExec, harvest credentials, and exfiltrate data using cloud-transfer utilities before deploying ransomware. The group, which emerged in late 2024 as a rebrand of Sphinx, has claimed 91 victims across healthcare, business services, manufacturing, technology, and financial services, with over half located in the U.S.
Organizations in regulated sectors—particularly defense contractors managing controlled unclassified information, healthcare providers subject to HIPAA, and financial services firms under PCI DSS—should prioritize patching Citrix NetScaler appliances and enforcing multi-factor authentication on VPN access to limit credential-based compromise. The abuse of legitimate RMM tools highlights the need for enhanced network monitoring and behavioral analytics to detect anomalous remote access patterns. Defense contractors handling CUI should verify that supply chain partners have applied critical Citrix patches and validated credential controls; healthcare and fintech teams should review access logs for suspicious VPN authentication from unexpected ASNs. An Omniware engagement can scope detection baselines and segmentation strategies in detail.
Source: The Hacker News - https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Source: TheHackerNews
All briefings