Threat actors from ransomware group Royal are suspected to have exploited a critical vulnerability in two Citrix products in order to launch an attack against a small business in the U.S., according to researchers from At-Bay.
The vulnerability, listed as CVE-2022-27510, allows an attacker to bypass authentication measures in the technology company’s Application Delivery Controller and Gateway products.
This appears to be the first known exploit of this particular Citrix vulnerability, which the company first disclosed in November.
Ransomware group Royal originally emerged in January 2022 and became one of the most prolific ransomware actors of the year. By November, Royal had taken over as the world's most active threat group, knocking LockBit out of the top spot, according to research from NCC Group.
Research from Avertium shows Royal is an experienced group that typically targets organizations in the U.S., using either malicious attachments or malicious advertisements to deliver malware.
The group has used malicious Google ads to deliver BatLoader malware. Unlike some other groups, Royal does not operate as a ransomware-as-a-service provider, so there are no affiliates.
The group initially used an encryptor from the group BlackCat, but transitioned to using its own Zeon encryptor and left ransom notes that are considered similar to those left by Conti, according to Avertium.
The group claimed credit for an attack on U.K. racing venue Silverstone Circuit in November.
A spokesperson for Citrix was not immediately available.