November 17, 2023 at 06:29PM
Ransomware gangs are targeting vulnerable Citrix Netscaler devices using a publicly available exploit to breach large organizations, steal data, and encrypt files. The threat actors exploit the Citrix Bleed vulnerability (CVE-2023-4966). Many recent victims, including Toyota Financial Services, ICBC, DP World, Allen & Overy, and Boeing, were found to have utilized vulnerable Citrix Netscaler devices. The BlackCat ransomware gang filed an SEC complaint against a victim for not disclosing a cyberattack, although the rule requiring disclosure does not go into effect until December 2023. The Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. The Lockbit ransomware attacks also exploit the Citrix Bleed vulnerability. Various other ransomware variants and attacks have been reported, including those by Medusa, GlobeImposter, 1337 Ransomware, and ALPHV/BlackCat. The evasive threat actor Scattered Spider is collaborating with the ALPHV/BlackCat ransomware operation. Toyota Financial Services detected unauthorized access after a Medusa ransomware attack. The British Library and Yamaha Motor’s Philippines subsidiary were also victims of ransomware attacks.
Key takeaways from the meeting notes:
1. Ransomware gangs are targeting exposed Citrix Netscaler devices and exploiting the Citrix Bleed vulnerability (CVE-2023-4966) to breach large organizations, steal data, and encrypt files. Recent victims of these attacks include Toyota Financial Services, Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing.
2. The BlackCat ransomware gang filed an SEC complaint against one of its victims for not disclosing a cyberattack. This is the first publicly disclosed use of the extortion strategy.
3. The Royal ransomware gang has breached networks of at least 350 organizations worldwide since September 2022. They often use the double extortion method and have launched the ‘Medusa Blog’ platform for leaking data belonging to victims.
4. Ransomware attacks decreased by 15.12% in October compared to the previous month but showed a 54.67% increase compared to October 2022. The number of ransomware victims posted on leak sites has been consistently increasing for the past ten months.
5. New ransomware variants have been discovered, including 1337 Ransomware with the .1337 extension, GlobeImposter with the .Pig865qq extension, and a variant with the .shanova extension.
6. The ALPHV/BlackCat ransomware operation filed a complaint with the U.S. Securities and Exchange Commission against one of their victims for not complying with the four-day rule to disclose a cyberattack.
7. The Toronto Public Library (TPL) suffered a ransomware attack in October, resulting in the theft of personal information belonging to employees, customers, volunteers, and donors.
8. The Rhysida ransomware gang has been conducting opportunistic attacks across multiple industry sectors.
9. The Scattered Spider hacking collective is collaborating with the ALPHV/BlackCat Russian ransomware operation.
10. Toyota Financial Services detected unauthorized access on some of its systems in Europe and Africa after an attack by Medusa ransomware.
11. The British Library experienced a major outage caused by a ransomware attack.
12. Yamaha Motor’s Philippines subsidiary experienced a ransomware attack resulting in the theft and leak of employees’ personal information.
These are the key highlights from the meeting notes.