Anubis Ransomware Exploits Citrix Bleed 2 Vulnerability


Anubis ransomware affiliates are exploiting the Citrix Bleed 2 vulnerability (CVE-2025-5777) for initial access, using legitimate RMM tools, BYOVD attacks, and supply chain credential theft to move laterally and escalate privileges.

Cybercriminals are always looking for new ways to break into networks, and the Anubis ransomware crew has found a fresh one. They're now exploiting a vulnerability called Citrix Bleed 2, officially tracked as CVE-2025-5777, to get their initial foothold. This isn't just another random attack: it's a sign of how these groups are evolving their tactics to stay ahead of defenses. If you're responsible for keeping your organization safe, this should be on your radar.

The Anubis group isn't working alone; they're part of a larger ecosystem of affiliates who share tools and techniques. And what they're doing now is pretty clever, using tools that are supposed to be helpful for IT teams.

### How They Get In

The first step in these attacks is exploiting the Citrix Bleed 2 vulnerability. This flaw affects Citrix appliances, which are widely used for remote access. Once they're in, the attackers don't waste time. They deploy legitimate Remote Monitoring and Management (RMM) tools to blend in with normal network traffic. Because these tools are the same ones IT teams use, their activity is much harder for security systems to spot.

Here's what typically happens after they gain access:

- They use RMM tools to move around the network without raising alarms.
- They steal credentials, often by dumping password hashes from compromised systems.
- They perform hands-on-keyboard actions to manually explore and map out the network.

### The Role of BYOVD Attacks

Another tactic these ransomware groups use is the Bring Your Own Vulnerable Driver (BYOVD) technique. This involves loading a legitimate, signed but outdated driver that has a known security flaw. Once loaded, the attacker can use that flaw to escalate privileges or disable security software. It's a sneaky way to bypass protections that would normally stop malware.

BYOVD attacks are becoming more common because they're effective. The driver itself isn't malicious, so it can slip past antivirus scans. But once it's running, it gives the attacker kernel-level control over the system. For defenders, this means you can't just rely on signature-based detection anymore.

### Supply Chain Credential Theft

There's another layer to this story: supply chain credentials. The Anubis affiliates aren't just stealing passwords from the initial victim. They're using those stolen credentials to pivot into connected systems. This could include vendors, partners, or even cloud services tied to the target organization. By compromising one company, they can potentially reach many others.

This is a major concern for businesses that share access with third parties. If your vendor gets hit, your data could be at risk too. The attackers know this, and they exploit these trust relationships to maximize their damage.

### What You Can Do About It

Defending against these threats requires a multi-layered approach. Here are some practical steps:

- Keep your Citrix appliances patched. The Citrix Bleed 2 vulnerability has a fix available, so apply it as soon as possible.
- Monitor for unusual use of RMM tools. If you see remote management software running where it shouldn't be, investigate immediately.
- Implement driver blocklists to prevent BYOVD attacks. Tools like Microsoft's WDAC can help.
- Use strong authentication for all third-party access. Multi-factor authentication is a must.
- Regularly audit your supply chain connections. Know who has access to your network and why.

Staying safe in today's threat landscape isn't easy. Attackers are constantly refining their methods, and the Anubis group is a good example of that. But by understanding their tactics, you can take steps to protect your organization. Keep your systems updated, watch for suspicious activity, and don't underestimate the value of basic security hygiene. It might just be what stops the next attack.
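Two of the steps above, watching for RMM tools running where they shouldn't and catching BYOVD-style driver loads, are the ones a detection engineer can turn into a rule. The script below is an added example, not code from the article or from any vendor: it parses constructed Sysmon-style process-creation and driver-load events and reports RMM agents started on hosts that aren't approved for remote management, plus any driver whose hash isn't on an allowlist. The host names, executable names, driver paths and hash values are all placeholders; in a real deployment the policy sets come from your asset inventory and your WDAC driver policy.

```python
"""Flag unauthorized RMM launches and unapproved driver loads in
Sysmon-style events. Added example; events and policy are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy values (assumptions, not from the article): hosts where
# the organisation's remote-management agent is expected, the executable
# names of that agent, and the hashes of drivers approved to load.
RMM_AUTHORIZED_HOSTS = {"it-jump01"}
RMM_EXECUTABLES = {"rmmagent.exe", "remotesupport.exe"}
APPROVED_DRIVER_HASHES = {"SHA256=<placeholder-approved-driver-hash>"}

EVENT_RE = re.compile(r'^(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one '<host> EventID=<n> Key="value" ...' line; None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"host": m["host"], "eid": m["eid"]}
    event.update(FIELD_RE.findall(m["rest"]))
    return event


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the RMM-placement and driver-allowlist rules to one event."""
    host = event["host"]
    if event["eid"] == "1":  # process creation
        exe = basename(event.get("Image", ""))
        if exe in RMM_EXECUTABLES and host not in RMM_AUTHORIZED_HOSTS:
            return Finding(host, "rmm_unauthorized_host",
                           f"{exe} started by {event.get('User', '?')} on a host "
                           "not approved for remote management")
    elif event["eid"] == "6":  # driver loaded
        # A valid signature does not make a driver safe: BYOVD relies on
        # signed but outdated drivers, so allowlist by hash, not by signer.
        if event.get("Hashes", "") not in APPROVED_DRIVER_HASHES:
            return Finding(host, "driver_unapproved",
                           f"{event.get('ImageLoaded', '?')} "
                           f"(signed={event.get('Signed', '?')}) is not on the "
                           "approved driver list")
    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Run every parseable event through check_event and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = check_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    'it-jump01 EventID=1 Image="C:\\Program Files\\RMM\\rmmagent.exe" User="CORP\\helpdesk"',
    'fileserver02 EventID=1 Image="C:\\Users\\Public\\rmmagent.exe" User="CORP\\svc-backup"',
    'fileserver02 EventID=6 ImageLoaded="C:\\Windows\\Temp\\legacy.sys" '
    'Hashes="SHA256=<constructed-unapproved-hash>" Signed="true"',
    'dc01 EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\approved.sys" '
    'Hashes="SHA256=<placeholder-approved-driver-hash>" Signed="true"',
    'dc01 EventID=1 Image="C:\\Windows\\System32\\notepad.exe" User="CORP\\jdoe"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

Run as-is it reports two findings, both on `fileserver02`: the RMM agent launched from a user-writable directory on a host that isn't a management jump box, and a signed driver loaded from a temp path whose hash isn't approved. The design choice worth copying is the driver rule: it deliberately ignores the `Signed` field, because the whole point of BYOVD is that the driver is legitimately signed.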