At a glance.
- PoC exploits released for CitrixBleed 2.
- Suspected Chinese government hacker arrested in Italy.
- New ransomware gang surfaces.
PoC exploits released for CitrixBleed 2.
Researchers at watchTowr and Horizon3 have published proof-of-concept exploits for CVE-2025-5777, a critical flaw affecting Citrix NetScaler ADC and Gateway devices, BleepingComputer reports. The vulnerability is being referred to as "CitrixBleed 2" due to its similarity to 2023's CitrixBleed flaw (CVE-2023-4966), though Citrix stresses that the two flaws are unrelated.
An attacker can exploit the vulnerability by sending malformed login requests, which cause the NetScaler appliance to return 127 bytes of memory contents in its response. By repeating such HTTP requests, the attacker can eventually recover legitimate user session tokens from the leaked memory.
Citrix maintains that there's no evidence of exploitation in the wild, but security researchers are disputing this claim. Users are urged to patch the flaw as soon as possible.
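The item above describes a traffic pattern (many failed login requests from one source, followed by use of a stolen session token) that a defender can look for in gateway logs while patches are rolled out. The following script is an added example, not code from the article, from Citrix, or from the researchers named; the log format, the authentication endpoint path, the field names and the log lines themselves are constructed for the example, and the thresholds are illustrative.

```python
"""Log triage for two patterns a defender would look for around a memory-disclosure
bug of the kind described above:
  1. a single source address sending many failed login requests in a short window;
  2. one session token being presented from more than one source address.
Added example: log format, endpoint path and thresholds are assumptions, and the
sample log lines are constructed, not taken from the article."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed placeholder path for the appliance's login endpoint (not from the article).
AUTH_PATH = "/auth/login"

# Constructed sample log: "timestamp src_ip method path status session_token"
SAMPLE_LOG = """\
2025-07-07T10:00:01 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:02 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:02 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:03 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:03 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:05 203.0.113.5 POST /auth/login 401 -
2025-07-07T10:00:10 198.51.100.7 POST /auth/login 200 tok-aaaa1111
2025-07-07T10:01:00 198.51.100.7 GET /portal/home 200 tok-aaaa1111
2025-07-07T10:02:00 192.0.2.44 GET /portal/home 200 tok-aaaa1111
2025-07-07T10:05:00 198.51.100.9 POST /auth/login 401 -
2025-07-07T10:09:00 198.51.100.9 POST /auth/login 200 tok-bbbb2222
2025-07-07T10:09:30 198.51.100.9 GET /portal/home 200 tok-bbbb2222
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, token = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "method": method,
            "path": path,
            "status": int(status),
            "token": None if token == "-" else token,
        })
    return records


def find_login_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Return source IPs that sent >= `threshold` failed (4xx) requests to the
    login endpoint inside any sliding window of length `window`."""
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["path"] == AUTH_PATH and 400 <= r["status"] < 500:
            failures_by_ip[r["ip"]].append(r["ts"])

    flagged = set()
    for ip, times in failures_by_ip.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            # Drop timestamps that fell out of the window.
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(ip)
                break
    return flagged


def find_shared_tokens(records):
    """Return {token: sorted IPs} for each session token seen from more than
    one source address, a possible sign that a token was replayed."""
    ips_by_token = defaultdict(set)
    for r in records:
        if r["token"]:
            ips_by_token[r["token"]].add(r["ip"])
    return {tok: sorted(ips) for tok, ips in ips_by_token.items() if len(ips) > 1}


def triage(text):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "bursts": find_login_bursts(records),
        "shared_tokens": find_shared_tokens(records),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Both checks are signals rather than proof: a burst of failed logins also comes from brute forcing or a broken client, and a token seen from two addresses can be a user moving between networks. The value is in correlating the two against the same session, and in running the check over logs from before the patch was applied, since the article notes that researchers dispute the claim that the flaw has not been exploited.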
Suspected Chinese government hacker arrested in Italy.
Italian police arrested a 33-year-old Chinese national on a US warrant accusing the man of conducting industrial espionage on behalf of the Chinese government, Reuters reports. The suspect, Xu Zewei, was arrested at Milan's Malpensa Airport on July 3rd and is awaiting extradition to the United States. The US alleges that Xu is tied to the PRC-affiliated threat actor Silk Typhoon (also known as "Hafnium"), which targets a wide range of sectors around the world. The group made headlines in 2020 for its focus on entities conducting COVID-19-related research. More recently, the threat actor breached the US Treasury Department's Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS).
New ransomware gang surfaces.
Trend Micro warns that a new ransomware group dubbed "BERT" is targeting entities in Asia, Europe, and the US, with a focus on the healthcare, technology, and event services sectors. The gang's ransomware targets both Windows and Linux systems. The researchers note, "Further investigation suggests that the group may have derived from the Linux variant of REvil, originally identified in early 2021 and known for targeting ESXi servers and Linux. Another report confirms the overlap between the leaked Babuk source code and the ESXi lockers attributed to Conti and REvil. Although the REvil group was dismantled in 2022, it is likely that the group reused code from the REvil Linux variant."