AI Security AI安全 8d ago Updated 7d ago 更新于 7天前 42

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials 勒索软件团伙转向利用Citrix Bleed 2、BYOVD和供应链凭证

Anubis ransomware affiliates exploit Citrix Bleed 2 (CVE-2025-5777) and valid VPN credentials for initial access, leveraging legitimate RMM tools for persistence and lateral movement. The Gentlemen RaaS group utilizes a custom Go-based backdoor and Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass endpoint security and achieve kernel-level access. Both groups employ aggressive defense evasion strategies, including disabling antivirus software, clearing logs, and deleting encryptors p Anubis勒索软件团伙利用Citrix Bleed 2漏洞及合法VPN凭证获取初始访问权限,并通过滥用ScreenConnect等正规RMM工具进行横向移动以规避检测。 The Gentlemen RaaS团伙采用Go语言后门程序实现双向通信与SOCKS代理,并利用Kontron驱动程序的零日漏洞通过BYOVD技术获取内核级权限以绕过端点安全防御。 攻击者普遍采用“带病驱动”(BYOVD)、供应链凭证滥用及合法管理工具伪装等高级战术,旨在瘫痪Windows Defender等安全软件并建立持久化控制。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • Anubis ransomware affiliates exploit Citrix Bleed 2 (CVE-2025-5777) and valid VPN credentials for initial access, leveraging legitimate RMM tools for persistence and lateral movement.
  • The Gentlemen RaaS group utilizes a custom Go-based backdoor and Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass endpoint security and achieve kernel-level access.
  • Both groups employ aggressive defense evasion strategies, including disabling antivirus software, clearing logs, and deleting encryptors post-execution to hinder forensic analysis.
  • Anubis uses an irreversible data-wiping feature (/WIPEMODE) to increase pressure on victims, while The Gentlemen uses SOCKS proxies to pivot within networks.

Why It Matters

This highlights a significant shift in ransomware tradecraft where threat actors increasingly rely on legitimate administrative tools (RMM) and supply chain vulnerabilities (BYOVD) to blend in with normal IT operations, making detection difficult for traditional security monitoring. It underscores the critical risk posed by unpatched infrastructure components like Citrix NetScaler and the growing effectiveness of kernel-level exploits in neutralizing modern endpoint protection platforms.

Technical Details

  • Anubis TTPs: Exploits CVE-2025-5777 (CVSS 9.3) in Citrix NetScaler ADC/Gateway; abuses tools like ScreenConnect, Zoho Assist, and MeshAgent for lateral movement; employs cloud-transfer tools (rclone, WinSCP) and Cloudflare Tunnels for exfiltration.
  • The Gentlemen Backdoor: A Go-based implant that establishes bidirectional TCP connections, executes commands via cmd.exe, and sets up SOCKS proxies for network pivoting; communicates with C2 server 81.177.215[.]15:9443.
  • BYOVD Exploitation: The Gentlemen weaponizes a zero-day vulnerability in ktapi.sys (Kontron API) to gain kernel access, allowing them to kill protected processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne.
  • Defense Evasion: Anubis disables Windows Defender and Sophos, manipulates logs, and deletes the encryptor binary after execution; The Gentlemen uses kernel-level access to bypass security controls entirely.

Industry Insight

Organizations must prioritize patching critical infrastructure vulnerabilities like Citrix Bleed 2 and implement strict network segmentation to limit lateral movement via RDP and SMB. Security teams should enhance monitoring for anomalous usage of legitimate RMM and remote access tools, as well as detect kernel-level process termination activities indicative of BYOVD attacks. Additionally, adopting zero-trust architectures and verifying the integrity of third-party drivers can mitigate the risks associated with supply chain and kernel exploits.

TL;DR

  • Anubis勒索软件团伙利用Citrix Bleed 2漏洞及合法VPN凭证获取初始访问权限,并通过滥用ScreenConnect等正规RMM工具进行横向移动以规避检测。
  • The Gentlemen RaaS团伙采用Go语言后门程序实现双向通信与SOCKS代理,并利用Kontron驱动程序的零日漏洞通过BYOVD技术获取内核级权限以绕过端点安全防御。
  • 攻击者普遍采用“带病驱动”(BYOVD)、供应链凭证滥用及合法管理工具伪装等高级战术,旨在瘫痪Windows Defender等安全软件并建立持久化控制。

为什么值得看

本文揭示了当前高级持续性威胁(APT)和勒索软件即服务(RaaS)团伙在攻击链上的最新演变,特别是从单纯漏洞利用转向混合使用合法工具和供应链信任的技术趋势。对于安全从业者而言,理解BYOVD和RMM工具滥用机制是提升企业边界防御和内部监控能力的关键,有助于制定更有效的检测和响应策略。

技术解析

  • Anubis攻击链细节:利用CVE-2025-5777(CVSS 9.3)绕过Citrix认证,结合窃取的有效Cisco AnyConnect VPN凭证进入网络。随后通过RDP和PsExec进行横向移动,部署ScreenConnect、Zoho Assist等正规RMM工具维持控制权,并使用Cloudflare Tunnel进行数据外传。
  • 反取证与防御规避:Anubis团伙在加密前会禁用Windows Defender实时保护、卸载Sophos杀毒软件、清除系统日志,甚至执行后删除加密器本体以减少磁盘残留证据。其特有的/WIPEMODE模块可将文件置零而不删除,增加受害者支付赎金的压力。
  • The Gentlemen后门机制:该团伙使用基于Go语言的后门植入物,通过TCP连接向外部服务器(81.177.215[.]15:9443)发送系统信息。根据接收到的字节指令,可选择执行CMD命令或建立SOCKS代理,便于红队团队在内网中 pivoting( pivoting )和扩大扫描范围。
  • BYOVD内核提权:The Gentlemen利用Kontron开发的ktapi.sys驱动程序中的零日漏洞,通过Bring Your Own Vulnerable Driver技术获取内核级访问权限。此举允许攻击者直接终止受保护的Microsoft、ESET、Palo Alto Networks和SentinelOne安全进程,彻底瓦解端点防护体系。

行业启示

  • 重视供应链与第三方组件风险:攻击者正越来越多地利用知名但非核心安全厂商的驱动程序(如Kontron)进行BYOVD攻击。企业需加强对所有加载驱动程序的审计,实施严格的代码签名验证和最小权限原则,而不仅仅依赖传统的防病毒软件。
  • 重新评估远程管理工具(RMM)的安全配置:由于Ransomware团伙频繁滥用ScreenConnect、MeshAgent等合法IT工具进行隐蔽操作,组织应实施严格的网络分段,限制RMM工具的访问范围,并对异常的管理会话行为建立实时监控和告警机制。
  • 强化身份与凭证管理:针对Citrix Bleed 2和VPN凭证滥用的趋势,企业必须强制实施多因素认证(MFA),定期轮换凭据,并部署用户实体行为分析(UEBA)以识别来自非常规地理位置或IP段的异常登录活动。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全