CitrixBleed2 and Cisco Criticals, Action on and by Crooks, Cost of Cyberattacks

Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 22 to 28 June 2025. It happens that this week's edition has a lot of Cs in it: CitrixBleed2 and Cisco Criticals, Action on and by Crooks, and the Cost of Cyberattacks. Let's get to it.

CitrixBleed2, a High severity CVE, plus one more Critical on Citrix

Citrix and their customers were very likely busy the past week patching and resetting VDI sessions to remediate three CVEs: two Critical and one High severity.

CVE-2025-5349 - Improper access control on the NetScaler Management Interface - High

CVE-2025-5777 - Insufficient input validation leading to memory overread - Critical

CVE-2025-6543 - Memory overflow vulnerability leading to unintended control flow and Denial of Service - Critical

CVE-2025-5777, dubbed CitrixBleed2, is described as an "out-of-bounds read flaw" that "can be exploited remotely and without any authentication, is due to insufficient input validation. It could allow an attacker to read session tokens or other sensitive information in memory from NetScaler devices that are configured as a Gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server." It is documented along with CVE-2025-5349 in the same advisory, and Citrix customers should reset VDI connections/sessions:

kill icaconnection -all

kill pcoipConnection -all

The other Critical, CVE-2025-6543, which based on reports is potentially an RCE rather than only a DoS, was exploited in the wild as a zero-day.

Citrix published a blog "NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777" and noted the following:

"Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related. "

Nonetheless, Citrix customers should follow the advisories, upgrade to a fixed version and make sure to reset VDI connections/sessions.

CISA's Known Exploited Vulnerabilities Catalog now lists the Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability, CVE-2025-6543 - all the more reason to patch/upgrade and secure Citrix installations.

Don't panic, but it's only a matter of time before critical 'CitrixBleed 2' is under attack

https://www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/

Citrix bleeds again: This time a zero-day exploited - patch now

https://www.theregister.com/2025/06/25/citrix_netscaler_critical_bug_exploited/

NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777

https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/

Known Exploited Vulnerabilities Catalog

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

 

Cisco got Criticals too: two of them on the Identity Services Engine API

Cisco ISE API has a pair of CVSS score 10 CVEs with no workarounds.

CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability - gaining root access through an unauthenticated crafted API request

CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability - unauthenticated file upload leading to code execution

Affected installations should be upgraded as appropriate.

There are some valid use cases for exposing this ISE API to the internet - a quick search notes "Cloud-based Guest Access", "Integration with External Systems" and "Remote Administration".

Fronting a vulnerable API with a "Web Application and API Protection" product, such as the F5 Application Delivery and Security Platform, could help provide mitigation. As there is potential for undiscovered vulnerabilities in APIs (and software in general), having the protection in place could prevent or slow down exploitation attempts.
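As an added illustration of the "front the API with a WAF" approach (example configuration written for this article, not Cisco's or F5's own material), here is a minimal NGINX App Protect WAF setup in front of an internal API. The upstream address, hostname, certificate paths, syslog collector and the public path prefix are assumed placeholders.

```nginx
# Added example: NGINX App Protect WAF fronting an internal API.
# Assumed values: upstream 10.0.0.10:443, syslog 10.0.0.20:514, /api/ prefix.
load_module modules/ngx_http_app_protect_module.so;

events {}

http {
    # One rate-limit bucket per client address; bursts of crafted API calls
    # are throttled before they reach the backend.
    limit_req_zone $binary_remote_addr zone=api_rl:10m rate=10r/s;

    upstream api_backend {
        server 10.0.0.10:443;   # assumed internal address of the protected API
    }

    server {
        listen 443 ssl;
        server_name api.example.com;                    # placeholder hostname
        ssl_certificate     /etc/nginx/certs/api.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/api.key;   # placeholder

        # Inspect every request with the WAF policy and ship violations
        # to the log collector so exploitation attempts are visible to SOC.
        app_protect_enable on;
        app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";
        app_protect_security_log_enable on;
        app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.0.0.20:514;

        # Cap request body size and rate: an oversized upload or a burst of
        # requests is rejected or slowed at the edge, not at the vulnerable API.
        client_max_body_size 1m;
        limit_req zone=api_rl burst=20 nodelay;

        # Publish only the path prefix that the external use case needs.
        location /api/ {
            proxy_pass https://api_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Everything else on the host is not reachable from the internet.
        location / {
            return 404;
        }
    }
}
```

The default policy blocks common attack signatures out of the box; a tighter API-specific policy (e.g. one built from the API's OpenAPI spec) narrows what the backend will ever see.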

Cisco fixes two critical make-me-root bugs on Identity Services Engine components

https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

https://www.f5.com/solutions/web-app-and-api-protection

 

Crooks in Action: Educated Manticore Targeted Phishing

Iranian APT group Educated Manticore (activities similar to those of APT42, Charming Kitten, or Mint Sandstorm) ran a phishing campaign that targeted cyber security experts, computer science professors and journalists.

This APT group sends phishing messages through WhatsApp or email. They pretend to be cyber security researchers and lure victims to a custom phishing site imitating Google authentication. This site enables MFA relay attacks and also has a passive keylogger to record the victim's keystrokes. Another method used by the APT is a fake Google Meet invite.

Check Point's research noted IoCs such as IP addresses and domains used in the phishing campaign.

That WhatsApp from an Israeli infosec expert could be an Iranian phish

https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/

https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/

 

Unmaintained gov't or corporate site? Hijacked to sneak in AI slop and unrelated ads

A government website used to campaign against "end to end encryption" was hijacked, and a section of the site was modified to advertise loans.

"End to end encryption" (E2EE) is a very important topic. As messaging apps implement it, it "jumbles" the exchanged messages to prevent snooping; however, this could also help abusers hide their communication from being audited, and may hinder law enforcement investigations. E2EE can also introduce vulnerabilities for users.

However, E2EE is not the specific concern here; rather, it is the hijacking of the site to include these loan advertisements. The site was created by a third-party advertising firm and, as the campaign has ended, the site is abandoned, unmaintained and hijacked. The publicly funded campaign site reportedly was budgeted at 534K.

There were other instances of corporate and government sites and pages that were also observed to have been hijacked and hosting AI slop.  

"AI slop" refers to low-quality, often misleading or inaccurate content generated by artificial intelligence, particularly large language models (LLMs). It's characterized by its tendency to replicate human speech realistically but without regard for truthfulness or accuracy. This can manifest as poorly written articles, fake images, or inaccurate information, often designed to optimize for search engines or engage users without genuine value. 

UK govt dept website that campaigns against encryption hijacked to advertise ... payday loans

https://www.theregister.com/2025/06/25/home_office_antiencryption_campaign_website/

https://heatherburns.tech/2025/06/24/somehow-that-home-office-campaign-got-even-worse/#

 

Action on Crooks: Four REvil ransomware crooks walk free; others face penal colony

This one is a 50-50: four of the eight arrested REvil ransomware group members walk away, as they were sentenced approximately three years after their arrest, had pled guilty and had already served time in detention in a Russian "general regime penal colony".

The sentence was for the crime "illegal circulation of funds by an organized group and creation and use of malicious computer programs". Two of the four REvil convicts were only charged with carding offenses.

"The term 'carding' refers to the illegal use and trafficking of payment card details. Although REvil was primarily known for ransomware attacks, some of its members also moonlighted in the financial fraud space too."

The court ordered one of the prisoners to give up two 2020 BMWs. The court will also take a 2019 Mercedes C 200 from another prisoner. The same can't be said for the other four suspected REvil members, though, who were each sentenced in October 2024 to various stints in a general regime penal colony ranging from 4.5 to six years. Following an appeal in March, their sentence was upheld, perhaps due to their refusal to enter into a guilty plea.

REvil's ransomware exploits were among the most high-profile in history, and it was arguably the first truly "big" ransomware-as-a-service group.

Russian lawmakers say that he ran REvil from 2015 to 2022. During that time, the group attacked US nuclear weapons contractors, fashion houses, and perhaps most famously, IT service provider Kaseya.

Although only eight arrests were mentioned as part of the trial, a total of 14 people with alleged ties to REvil were arrested on that day in January 2022. 

Four REvil ransomware crooks walk free, escape gulag fate, after admitting guilt

https://www.theregister.com/2025/06/24/four_revil_ransomware_suspects_time_served/

 

IntelBroker caught due to bitcoin wallet record and linked accounts

Kai West, a 25-year-old British national, has been identified as the infamous hacker "IntelBroker," according to newly unsealed court documents. IntelBroker is said to have accessed the computers of over 40 victims around the world. These victims include well-known companies like Apple, AMD, Europol, Nokia, and the US Army. IntelBroker is said to have caused damages that are more than $25 million. After stealing sensitive data, IntelBroker and his associates reportedly sold it on BreachForums, a notorious cybercrime marketplace where West was also an administrator.

West was implicated when FBI agents traced a bitcoin wallet used in the sale of stolen data back to him. The wallet was linked to a Ramp account registered with West’s UK driver’s license, which was also tied to a Coinbase account under his alias "Kyle Northern." Both accounts reportedly used West's personal email address, solidifying the FBI's case against him.

In related developments, police in Paris have arrested four other BreachForums administrators using the aliases Hollow, Noct, Depressed, and ShinyHunters. The US is now seeking West's extradition to face charges, two of which carry a maximum sentence of 20 years each. This case underscores how law enforcement leverages cryptocurrency transaction records and other digital breadcrumbs to apprehend cybercriminals.

FBI used bitcoin wallet records to peg notorious IntelBroker as UK national

https://www.theregister.com/2025/06/26/fbi_used_bitcoin_wallet_id_intelbroker/

https://regmedia.co.uk/2025/06/26/us_kai_west_complaint.pdf

 

Britain's Cyber Monitoring Centre (CMC) on cost of recent UK cyberattacks - £270-440 million

The UK's Cyber Monitoring Centre (CMC) estimates that recent cyberattacks crippling major UK retail chains like Marks & Spencer (M&S), the Co-op, and Harrods could cost between £270-440 million ($362-591 million). These attacks, categorized as a "level 2 systemic event" by the CMC, represent a significant impact on both retailers and affected communities. CMC's Cyber Monitoring Matrix ranks cyber incidents on a 0-5 scale based on financial and societal impact.

Marks & Spencer suffered substantial losses, with online sales disrupted until July and partially restored afterward. Daily losses from unfulfilled orders were estimated at £1.3 million ($1.74 million). Co-op, while impacted less in terms of financial losses—daily spending dropped by 11% in the first 30 days—had a different kind of impact. The retailer is a crucial provider for remote areas like the Scottish Highlands and surrounding islands, heightening the societal consequences of the cyberattack.

Luxury retailer Harrods was also attacked but experienced minimal operational disruption, as both its flagship store and online sales remained active, though detailed data on its attack was limited and excluded from CMC’s analysis.

The CMC’s evaluations highlight the critical costs of lost sales, IT restoration, legal fees, and incident response for businesses targeted in cyberattacks. This underscores the importance of cybersecurity preparedness, particularly for organizations core to community supply chains, such as Co-op. The events serve as a stark reminder of the economic and social vulnerabilities posed by increasingly sophisticated cyber threats.

Experts count staggering costs incurred by UK retail amid cyber attack hell

https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/

https://www.theregister.com/2025/02/07/uk_cyber_monitoring_centre/

 

That's it for now

This week, we have news on the APT group phishing campaign targeting cyber security experts. Phishing has become more sophisticated and is getting harder to distinguish. I'll recommend going back to basics: if the emails or messages you receive seem "off" or unusual, be skeptical and don't simply trust the sender. Verify that the sender of the message is really who they claim to be, though this is easier said than done. APTs and malware/ransomware groups usually use the same techniques, and spear phishing is at the top of the list of techniques they use. If unsure, do not engage. Follow your organization's IT Security Policies on suspected phishing attempts.

Critical vulnerabilities should be addressed immediately, especially if a fix is available. The financial effects of cybersecurity attacks on organizations are no small matter. For their customers, it could mean an erosion of trust and potential exposure of personal information. As defenders, we should implement protections against web-based vulnerabilities: use WAFs and API protections such as BIG-IP ASM/Adv WAF, NGINX App Protect and F5 Application Delivery and Security Platform security policies, plus DoS and Bot Defense features, to add layers of defense and mitigation. Having an F5 BIG-IP in the environment opens opportunities to apply protections to applications.

Secure sunsetting and decommissioning of web sites used in limited campaigns that are already over should be a process that organizations and governments follow, to prevent leaving unnecessary access, dangling configurations or DNS records open for abuse.

I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure!

As always, if this is your first TWIS, you can always read past editions.  We also encourage you to check out all of the content from the F5 SIRT.

Published Jul 07, 2025
Version 1.0
