Citrix RAS credential-reuse from active infostealer corpus
Surface: ua.intranet.db.com/Citrix/RASweb (81 occurrences), sg-kch5.dbrasweb.db.com (51), sg-dsj5.dbrasweb.db.com (47), sg-kch4.dbrasweb.db.com (36) per ent_149. An adversary purchasing a fresh stealer-log subscription that intersects DB's user-set would very likely obtain immediately-usable corporate credentials. Severity SEVERE because Citrix RAS is by design a remote-access gateway with VPN-equivalent reach; HIGH confidence because the telemetry is dated to 2025-2026 capture windows and the host enumeration pattern (kch4 → kch5) suggests active provisioning rather than decommissioned infrastructure.
Mandatory MFA + password rotation on all Citrix RAS endpoints with infostealer hits
Force rotation of every credential observed in the HudsonRock corpus for ua.intranet.db.com, sg-kch4/5.dbrasweb.db.com, sg-dsj5.dbrasweb.db.com and any related Singapore/Ukraine RAS hosts. Enforce phishing-resistant MFA (FIDO2 / certificate-based) at the Citrix gateway, not just at the downstream application. Audit whether the Singapore endpoint cohort is BYOD/contractor — if so, fold those endpoints into managed-MDM scope or block their access to corporate credentials.