Nefilim Gang Leveraged Citrix Gateway Exploit

Several threat actors have been targeting organizations that are not using multifactor authentication as an extra layer of security, or that run an unpatched remote access system. Recently, the Nefilim gang was seen targeting victims by exploiting certain known vulnerabilities.

What happened

A ransomware gang has been hitting unprepared organizations with Nefilim (aka Nephilim) ransomware, a new version of the Nemty Ransomware, in a sophisticated and well-crafted campaign.
  • Recently, the ransomware campaign abused remote access technologies, such as Remote Desktop Protocol and virtual private networks, to reach several organizational networks by exploiting unpatched vulnerabilities and weak authentication.
  • In this campaign, attackers targeted Citrix gateway devices vulnerable to a directory traversal vulnerability (CVE-2019-19781).
  • After gaining access through the remote access system, the attackers used tools such as Mimikatz, PsExec, and Cobalt Strike to elevate privileges, move laterally across the network, and establish persistence.
  • Around one week before Nefilim’s most recent attack, the New Zealand Computer Emergency Response Team (CERT NZ) had released an alert on a ransomware campaign.

Recent attacks by Nefilim

Nefilim is devious because, beyond encrypting files, the threat actors behind it threaten to publish the victim’s stolen data on an online leak site.
  • In June 2020, the Nefilim ransomware infiltrated and locked down the IT ecosystem of Fisher & Paykel Appliances, and the attackers threatened to leak the data.
  • In May 2020, Nefilim ransomware accessed at least one specific corporate server of the Australian transport giant Toll Group and leaked the stolen data.

Its own data leak website

In March 2020, Nefilim Ransomware launched a site called "Corporate Leaks" to dump the data of victims who do not pay a ransom.

Stay safe

The threat actors behind these attacks do not rely on Nefilim alone, so organizations should defend against the entire category of ransomware attacks. Use security solutions that identify unusual outbound traffic patterns from hosts (host-to-external). Citrix users should also install the available security patches to mitigate the exploited flaws.
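As an added example (not from the article, CERT NZ, or Citrix), the following Python script scans web-server access logs for directory traversal attempts aimed at a gateway's VPN path, decoding URL encoding repeatedly so single- and double-encoded variants are caught. The log format and entries are constructed; the check mirrors the publicly documented Citrix mitigation logic, which matches decoded request URLs that contain both /vpns/ and a dot-dot segment, and is an assumption about how a defender would translate that policy into log review.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): client ip, method, raw path, status
SAMPLE_LOG = """\
203.0.113.10 GET /vpn/index.html 200
203.0.113.10 GET /vpn/../vpns/cfg/placeholder.txt 200
198.51.100.7 GET /vpn/%2e%2e/vpns/placeholder.txt 200
198.51.100.7 POST /vpn/..%252f..%252fvpns/placeholder.txt 200
192.0.2.5 GET /logon/LogonPoint/index.html 200
192.0.2.5 GET /vpns/portal/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize_path(raw_path, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded traversal collapses to plain '..'."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators and compare case-insensitively
    return path.replace("\\", "/").lower()


def is_traversal_attempt(raw_path):
    """True when the decoded path targets /vpns/ via a '..' path segment (assumed Citrix mitigation logic)."""
    path = normalize_path(raw_path)
    has_dotdot = ".." in path.split("/")
    return "/vpns/" in path and has_dotdot


def scan_log(text):
    """Return (client_ip, raw_path) for every request that looks like a traversal attempt."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match and is_traversal_attempt(match.group("path")):
            hits.append((match.group("ip"), match.group("path")))
    return hits


def suspicious_sources(text):
    """Distinct client addresses that issued at least one traversal attempt, sorted for reporting."""
    return sorted({ip for ip, _ in scan_log(text)})


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```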