
Anscombe Warns Of November’s Top Cyber Threats
NEW YORK – A new security report is sounding the alarm. The document, published by the cybersecurity firm Anscombe, details critical threats facing businesses, with a focus on a severe vulnerability, a novel phishing technique, and the persistent fallout from a major law enforcement action.
The Citrix Bleed Exploit
A major vulnerability is being actively exploited right now. Tracked as CVE-2023-4966 and nicknamed “Citrix Bleed,” the flaw affects Citrix NetScaler ADC and Gateway appliances, tools that thousands of organizations use for secure network access. The exploit allows an attacker to pull sensitive information, most notably session tokens, directly from a device’s memory. A stolen token is like a stolen keycard: it lets an attacker hijack an authenticated, active user’s session without needing a password or multi-factor authentication.
The report from Anscombe confirms this isn’t a theoretical problem. The notorious ransomware group LockBit 3.0 is actively exploiting CVE-2023-4966 in the wild to gain initial access to corporate networks. Victims are concentrated in high-value sectors, including legal, financial, and government services. According to the Anscombe analysis, a Fortune 500 financial company and the aerospace giant Boeing were among those impacted by exploits targeting this vulnerability.
The exploit is trivial to execute once a target is identified.
There is a fix. Citrix released a required security patch on October 10, 2023, but applying it isn’t enough. Anscombe’s guidance stresses that organizations must also terminate all active and persistent user sessions after the patch is installed. This step is critical because it invalidates any session tokens that may have already been stolen by attackers before the system was secured. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Citrix Bleed to its Known Exploited Vulnerabilities catalog, ordering federal agencies to apply the fix by November 8, 2023.
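The reasoning behind the “patch, then kill sessions” guidance, shown as an added illustration that is not code from Anscombe, Citrix or the report: a server’s session check only asks whether a bearer token is in its session table, never when the token was issued or whether the underlying bug has since been fixed, so a token captured before the patch keeps working until sessions are terminated. The SessionStore class, its methods and the patch flag are constructed for this example and do not model NetScaler internals.

```python
"""Toy model: patching a token-disclosure bug does not revoke already-issued tokens."""
import secrets


class SessionStore:
    """Constructed server-side registry of bearer session tokens (example only)."""

    def __init__(self):
        self._sessions = {}           # token -> user
        self.memory_leak_patched = False

    def login(self, user):
        """Issue a fresh, unguessable token after the user has authenticated (password + MFA)."""
        token = secrets.token_urlsafe(32)
        self._sessions[user_token_key(token)] = user
        return token

    def validate(self, token):
        """Return the user bound to a token, or None.

        Nothing here depends on issue time or on the patch flag: any token
        still present in the table is accepted, whoever presents it.
        """
        return self._sessions.get(user_token_key(token))

    def apply_patch(self):
        """Close the memory-disclosure bug. Existing sessions are left untouched."""
        self.memory_leak_patched = True

    def terminate_all_sessions(self):
        """The extra step the guidance requires: invalidate every active token."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


def user_token_key(token):
    """Store tokens by a fixed-length key so lookups do not depend on raw token length."""
    return token.strip()


def patch_only(store, presumed_stolen_token):
    """Patch but keep sessions: returns True if the old token still authenticates."""
    store.apply_patch()
    return store.validate(presumed_stolen_token) is not None


def patch_and_kill_sessions(store, presumed_stolen_token):
    """Patch and terminate sessions: returns True if the old token still authenticates."""
    store.apply_patch()
    store.terminate_all_sessions()
    return store.validate(presumed_stolen_token) is not None
```

Running patch_only on a store with a live token returns True (the pre-patch token is still honored), while patch_and_kill_sessions returns False, which is the whole point of the session-termination step.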
Phishing Moves To Microsoft Teams
Attackers are leveraging trust. A new phishing campaign uses Microsoft Teams, turning the popular collaboration tool into a malware delivery system. The attack is simple. Cybercriminals send malicious files through the Teams chat function, often disguising them as legitimate business documents.
These files are frequently ZIP archives. They contain a malware loader known as DarkGate. Once a user opens the file, DarkGate infects the machine and establishes a backdoor, giving the attackers persistent access. This access can then be used to deploy additional malicious payloads, including spyware, credential stealers, and ultimately, ransomware that leads to widespread data loss and encryption.
The Anscombe report notes that initial access for these attacks often comes from already compromised external accounts. Attackers also trick employees into accepting chat requests from people outside their organization. While the campaign doesn’t target one specific industry, it’s particularly effective against companies with large remote workforces who depend heavily on Teams for daily communication.
The solution is a mix of technology and training. Anscombe states that user education is “paramount” and that employees must be trained to recognize the risk of unsolicited files, even on a trusted internal platform. On the technical side, IT administrators can harden their security posture by configuring Teams to block or display prominent warnings for all communications originating from external accounts. Microsoft has published its own guidance for securing Teams environments, and Anscombe further recommends implementing policies that block the transfer of high-risk file types within the application.
Life After The Qakbot Takedown
A law enforcement victory has created a new problem. The FBI-led takedown of the Qakbot botnet in August, codenamed “Operation Duck Hunt,” was a significant disruption to the cybercrime economy. It was a massive network for hire. But the human operators behind the botnet didn’t just disappear.
Anscombe’s research shows a clear migration pattern. Former Qakbot affiliates, the criminal groups who rented access to the botnet to launch their own attacks, are now moving to other malware-as-a-service platforms. The report specifically names Pikabot and the previously mentioned DarkGate as the new tools of choice. These threat actors are continuing their campaigns without missing a beat, often using old target lists and known attack methods.
The victims remain the same. The sectors previously hammered by Qakbot, such as healthcare, manufacturing, and critical infrastructure, are still in the crosshairs. The primary attack vector continues to be phishing emails that contain malicious links or attachments designed to trick employees into granting the attackers initial access.
This shift means organizations can’t relax. The Anscombe report advises that the Qakbot takedown doesn’t eliminate the threat; it only changes its name. A strong “defense-in-depth” strategy is necessary. This includes advanced email filtering to block initial phishing attempts, endpoint detection and response (EDR) tools to spot malware that gets through, and regular security audits to find and fix weaknesses. The FBI stated its operation removed the Qakbot malware from over 700,000 victim computers around the world.