The Royal ransomware group is believed to be actively exploiting a critical security flaw affecting Citrix systems, according to the cyber research team at cyber insurance provider At-Bay. Announced by Citrix on November 8, 2022, the vulnerability, identified as CVE-2022-27510, allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.

There were no known instances of the vulnerability being exploited in the wild at the time of disclosure. However, as of the first week of 2023, At-Bay’s cyber researchers claimed new information suggests the Royal ransomware group is now actively exploiting it. Royal, which is considered one of the more sophisticated ransomware groups, emerged in January 2022 and was particularly active in the second half of last year.

How the Royal ransomware group exploits CVE-2022-27510

As soon as the Citrix vulnerability was published, the At-Bay cyber research team began assessing the magnitude of the risk and identifying businesses that might be exposed, wrote Adi Dror, At-Bay cyber researcher, in a report. “Data from our scans, information gleaned from claims data, and other intelligence gathered by our cyber research team point to the Citrix vulnerability CVE-2022-27510 as the initial point of access utilized by the Royal ransomware group to launch a recent ransomware attack,” she added.

The suspected exploitation method of the Citrix vulnerability by the Royal ransomware group is in line with the exploitation of similar vulnerabilities seen in the past, Dror continued. It appears Royal is exploiting this authentication bypass vulnerability in Citrix products to gain unauthorized access to devices with Citrix ADC or Citrix Gateway and launch ransomware attacks. “Exploiting vulnerabilities in servers is one of the most common attack vectors for ransomware groups – especially critical infrastructure servers like those provided by Citrix. However, what sets this instance apart is that the ransomware group is using the Citrix vulnerability before there is a public exploit.”

The following versions of the Citrix ADC and Citrix Gateway are affected by CVE-2022-27510, according to Dror:

Product                               Affected versions       Fixed versions
Citrix ADC and Citrix Gateway 13.1    Before 13.1-33.47       13.1-33.47 and later
Citrix ADC and Citrix Gateway 13.0    Before 13.0-88.12       13.0-88.12 and later
Citrix ADC and Citrix Gateway 12.1    Before 12.1-65.21       12.1-65.21 and later
Citrix ADC 12.1-FIPS                  Before 12.1-55.289      12.1-55.289 and later

Businesses using any of the affected Citrix products are urged to patch the vulnerable software and follow the mitigation methods recommended by Citrix. “Even for clients who have not received a Security Alert, it’s important for them to check if they’re running vulnerable products and patch immediately,” Dror stated.

Royal ransomware group an active, evasive threat to businesses

The Royal group significantly ramped up its operations in the closing months of 2022 and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. “Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe,” researchers from security firm Cybereason said in a recent report.

The group’s tactics bear similarities to those of Conti, prompting suspicion that it’s partly made up of former members of the infamous group that shut down in May 2022. The Royal group is known to use phishing as an initial attack vector, as well as third-party loaders such as BATLOADER and Qbot for distribution. Initial access is typically followed by the deployment of a Cobalt Strike implant for persistence and to move laterally inside the environment in preparation for dropping the ransomware payload.
Royal’s tactics, including partial encryption of files, allow the group to evade detection.
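Dror's advice that every Citrix customer should check whether they are running a vulnerable build is easy to get wrong by eye, because each release branch (13.1, 13.0, 12.1 and 12.1-FIPS) has its own fixed build and the build numbers only compare meaningfully within a branch. The script below is an added example written for this article, not At-Bay's or Citrix's own tooling: it parses a Citrix ADC or Gateway build string, looks up the branch in the fixed-build table the article gives, and reports "vulnerable", "fixed" or "unknown" (a branch the table does not list, which should be checked against the Citrix bulletin rather than assumed safe). The "13.1-33.47" notation is the article's; accepting the "NS13.1: Build 33.47.nc" form is an assumption about how an appliance reports its own build, and the hostnames in the sample inventory are constructed.

```python
"""Check Citrix ADC / Gateway build strings against the CVE-2022-27510 fix table.

Added example for this article, not At-Bay's or Citrix's own tooling. The fixed
builds are the ones the article lists; any other branch is reported as "unknown"
rather than guessed. The "NS13.1: Build 33.47.nc" input form is an assumption
about appliance output and may need adjusting for a real deployment.
"""
import re
from typing import NamedTuple

# (release branch, is_fips) -> first fixed build as (build, sub_build),
# taken from the article's affected/fixed versions table
FIXED_BUILDS = {
    ("13.1", False): (33, 47),
    ("13.0", False): (88, 12),
    ("12.1", False): (65, 21),
    ("12.1", True): (55, 289),   # Citrix ADC 12.1-FIPS
}

_VERSION_RE = re.compile(
    r"(?:NS)?(\d+)\.(\d+)"       # release branch, e.g. 13.1 or NS13.1
    r"(?:-|:\s*Build\s+)"        # "-" (article notation) or ": Build " (assumed appliance output)
    r"(\d+)\.(\d+)"              # build.sub_build, e.g. 33.47
)


class Build(NamedTuple):
    branch: str      # e.g. "13.1"
    build: tuple     # (build, sub_build) as ints, so tuples compare numerically


def parse_build(version: str) -> Build:
    """Extract branch and build numbers from a Citrix build string."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised Citrix build string: {version!r}")
    major, minor, build, sub = m.groups()
    return Build(f"{major}.{minor}", (int(build), int(sub)))


def assess(version: str, fips: bool = False) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one build string.

    fips=True selects the separate 12.1-FIPS fix line from the table.
    """
    parsed = parse_build(version)
    fixed = FIXED_BUILDS.get((parsed.branch, fips))
    if fixed is None:
        # Branch not covered by the article's table: do not assume it is safe
        return "unknown"
    # Builds before the fixed build are affected; the fixed build and later are not
    return "fixed" if parsed.build >= fixed else "vulnerable"


def assess_inventory(inventory):
    """inventory: iterable of (hostname, version_string, is_fips) -> {hostname: verdict}."""
    return {host: assess(version, fips) for host, version, fips in inventory}


# Constructed sample inventory: hostnames and builds are invented for this example
SAMPLE_INVENTORY = [
    ("gw-01.example.internal", "13.1-33.47", False),
    ("gw-02.example.internal", "NS13.0: Build 87.9.nc", False),
    ("adc-fips-01.example.internal", "12.1-55.288", True),
    ("legacy-01.example.internal", "11.1-65.22", False),
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32} {verdict}")
```

Note that the FIPS flag matters: a non-FIPS 12.1 appliance on build 55.289 is still before 65.21 and is reported as vulnerable, while the same build on the 12.1-FIPS line is the fixed release. Feed the script whatever your asset inventory exports as build strings and treat every "unknown" as a manual follow-up, not a pass.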