CISA and the FBI shed light on the method used by Chinese actors to compromise multiple organizations through the exploitation of Ivanti vulnerabilities (CVE-2024-8963, CVE-2024-9379/80, CVE-2024-8190). The report details two distinct exploit chains that combine these flaws while targeting an end-of-life Ivanti CSA version. At least three victims successfully mitigated the attack: in the first case, a system admin detected the creation of suspicious user accounts; in the second, an Endpoint Protection Platform (EPP) alerted on the execution of a script used to create webshells; and in the third, malicious activity related to log creation was detected through IOCs. The threat group behind the attacks is apparently UNC5221, which was also responsible for the wide-scale exploitation campaign of Ivanti zero-days in January 2024.
[mitigate]In Ivanti CSA, ensure dual-homed CSA configurations with eth0 as the internal network interface; block the list of IOCs published by CISA.[/mitigate]
The North Korean state actor Andariel (aka APT45) conducted a RID Hijacking campaign against Windows environments. The group first exploited a vulnerability to elevate privileges to SYSTEM from a compromised low-privilege account. It then modified the Windows Relative Identifier (RID) of the compromised account to that of "administrators", forcing Windows to treat the compromised account as an admin.
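A defender-side check for the technique described above, as an added example that is not part of the original digest or of any vendor tooling: RID hijacking leaves the account's registry key name (the original RID, in hex, under HKLM\SAM\SAM\Domains\Account\Users) disagreeing with the RID stored inside that key's binary "F" value at offset 0x30, the field that RID-hijacking tooling rewrites. The script below parses a constructed, minimal set of F values (not a real hive dump) and reports every account whose stored RID does not match its key name; the `make_f_value` helper exists only to build that sample.

```python
import struct

F_RID_OFFSET = 0x30  # offset of the 4-byte little-endian RID inside the SAM "F" value


def make_f_value(rid: int, size: int = 0x50) -> bytes:
    """Build a minimal, constructed F value carrying `rid` at offset 0x30.
    Real F values hold more fields; only the RID is needed for this check."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample: key name (original RID as 8 hex digits) -> F value bytes.
# 0x1F4 (500) is the built-in Administrator, 0x1F5 (501) Guest, 0x3E9 (1001) a normal user
# whose F value now claims RID 500, i.e. the hijacked state described in the digest.
SAMPLE_USERS = {
    "000001F4": make_f_value(0x1F4),
    "000001F5": make_f_value(0x1F5),
    "000003E9": make_f_value(0x1F4),
}


def rid_from_f(f_value: bytes) -> int:
    """Read the RID that Windows will actually use for this account."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_mismatches(users: dict) -> list:
    """Return one finding per account whose key-name RID differs from the RID in its F value."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        stored_rid = rid_from_f(f_value)
        if stored_rid != key_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "stored_rid": stored_rid,
                "note": "stored RID is the built-in Administrator" if stored_rid == 500 else "RID mismatch",
            })
    return findings


if __name__ == "__main__":
    for f in find_rid_mismatches(SAMPLE_USERS):
        print(f"[!] account key {f['key']} (RID {f['key_rid']}) resolves to RID {f['stored_rid']}: {f['note']}")
```

Run the check against a SAM hive exported from a forensic image or a registry backup rather than the live hive (reading the live SAM requires SYSTEM), and treat a hit on RID 500 as a high-priority finding to correlate with account-management events on the host.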
Miyako has put up for sale access to servers hosting firewalls in American organizations, including a logistics company, an ISP and a real estate firm. Miyako is a recently established, sophisticated threat actor, apparently originating from East Asia and mostly targeting government and critical infrastructure. It is especially skilled in exploiting zero-days in firewalls and enterprise applications, together with flaws in GitLab (CVE-2024-45409).
[mitigate]Disable the SAML two-factor bypass option within GitLab[/mitigate]
Microsoft has notified SonicWall that a vulnerability in its Secure Mobile Access (SMA) 1000 products (CVE-2025-23006) has been exploited in the wild. The flaw, which also impacts management consoles, might result in operating system command execution under certain conditions. Between 2,000 and 4,000 instances are apparently exposed to the Internet, but it seems that only 215 actually have a vulnerable management interface exposed.
[mitigate]Limit access to administrative consoles (default TCP port 8443) to trusted internal networks[/mitigate]
Threat actors are exploiting three vulnerabilities in SimpleHelp (CVE-2024-57726/7/8) for initial access. The flaws allow an attacker to steal sensitive data (credentials, logs and configuration files), to log in as an administrator and consequently to execute arbitrary code. SimpleHelp is a remote access platform used for technical support.
A critical command injection vulnerability in Zyxel CPE devices (CVE-2024-40891) is exploited in the wild. Although reported in June 2024, it has not been publicly disclosed or patched. It is similar to a previous flaw (CVE-2024-40890) but is HTTP-based, whereas the former was Telnet-based. Exploitation might lead to "complete system compromise, data exfiltration, or network infiltration".
Two flaws in the Service Provider Console (VSPC) of the data backup software Veeam (CVE-2024-42448/9) are currently under exploitation by a ransomware operation. The first allows RCE, while the second enables NTLM hash leaks and file deletion.
[mitigate]Detect vulnerable assets with Qualys QID 382506 and vulnerable web applications with QIDs 152482/3[/mitigate]
A new Ransomware-as-a-Service group named FunkSec, which emerged in October 2024 and is connected to Algerian hackers, is claiming a list of 129 victims, making it the most prolific ransomware group currently operating. FunkSec uses a Rust-based double-encryption ransomware tool and a DDoS tool, both built with extensive help from AI models. The group also uploaded some of its malware code to VirusTotal to boast of low detection rates by most antivirus products. It atypically asks for low ransom fees and operates for both financial and ideological reasons, with an anti-Israel and anti-Iran agenda. Its initial access methods are so far unclear.
A Google report claims that APT actors are increasingly using Gemini in several phases of the attack cycle, including for vulnerability exploration. In particular, Iranian actors were the most active in weaponizing Gemini for cyberattacks, whether for investigating potential targets or for vulnerability research. While using Gemini, the Iranian hackers mostly looked for specific publicly disclosed vulnerabilities, such as in the WRM protocol, in Atlassian products or in IoT devices.
A new report shows that 186 flaws were added in 2024 to the Known Exploited Vulnerabilities (KEV) list, a number similar to 2023's. Among them, 122 were new flaws with a CVE-2024 identifier. Furthermore, Microsoft accounts for almost 20% of 2024's additions, followed by Ivanti, Google and Adobe. Within the new entries, command injection, privilege escalation and authentication bypass were the most common categories. In total, the KEV list now includes 1,251 vulnerabilities.
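The figures above (additions per year, share of those with a same-year CVE identifier, vendor share and category breakdown) can be reproduced directly from CISA's KEV JSON feed. The following is an added example, not code from the report's authors or from CISA: it uses the feed's real field names (`cveID`, `vendorProject`, `vulnerabilityName`, `dateAdded`) but runs over a small constructed sample embedded inline; the dates and one placeholder CVE identifier in that sample are made up for illustration, and the keyword-to-category mapping is an assumption of this example, since the feed itself carries no category field.

```python
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Identifiers from this digest are used where possible; the dates, the vendor of the
# placeholder entry and the placeholder "CVE-2019-0000" are constructed, not real feed data.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti",
         "vulnerabilityName": "Ivanti CSA Path Traversal Vulnerability", "dateAdded": "2024-09-19"},
        {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti",
         "vulnerabilityName": "Ivanti CSA OS Command Injection Vulnerability", "dateAdded": "2024-09-13"},
        {"cveID": "CVE-2024-45409", "vendorProject": "GitLab",
         "vulnerabilityName": "GitLab SAML Authentication Bypass Vulnerability", "dateAdded": "2024-10-28"},
        {"cveID": "CVE-2019-0000", "vendorProject": "ExampleVendor",   # placeholder: old CVE added late
         "vulnerabilityName": "Example Privilege Escalation Vulnerability", "dateAdded": "2024-11-04"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2021-12-10"},
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall",
         "vulnerabilityName": "SonicWall SMA1000 Deserialization Vulnerability", "dateAdded": "2025-01-24"},
    ],
})

# Assumed mapping from words in vulnerabilityName to the categories the report uses.
CATEGORY_KEYWORDS = {
    "command injection": "Command Injection",
    "privilege escalation": "Privilege Escalation",
    "authentication bypass": "Authentication Bypass",
    "path traversal": "Path Traversal",
}


def categorize(name: str) -> str:
    """Map a KEV vulnerabilityName to a coarse category via keyword matching."""
    lowered = name.lower()
    for keyword, category in CATEGORY_KEYWORDS.items():
        if keyword in lowered:
            return category
    return "Other"


def kev_stats(feed_json: str, year: int) -> dict:
    """Compute the year's additions, how many carry a same-year CVE id, vendor share and categories."""
    entries = json.loads(feed_json)["vulnerabilities"]
    added = [e for e in entries if e["dateAdded"].startswith(f"{year}-")]
    new_ids = [e for e in added if e["cveID"].startswith(f"CVE-{year}-")]
    vendors = Counter(e["vendorProject"] for e in added)
    categories = Counter(categorize(e["vulnerabilityName"]) for e in added)
    total_added = len(added)
    return {
        "total_catalog": len(entries),
        "added_in_year": total_added,
        "new_cve_ids": len(new_ids),
        # percentage of the year's additions per vendor; empty when nothing was added
        "vendor_share": {v: round(100.0 * n / total_added, 1) for v, n in vendors.items()},
        "top_vendor": vendors.most_common(1)[0][0] if vendors else None,
        "categories": dict(categories),
    }


if __name__ == "__main__":
    print(json.dumps(kev_stats(SAMPLE_KEV_JSON, 2024), indent=2))
```

To run this on the real catalogue, download the feed to a file and pass its contents as `feed_json`; the same function then yields the current total, the year's additions and the vendor and category breakdown without any further change.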
On his first day in office, the US president Trump dismissed all the advisory committees, including the Cyber Safety Review Board (CSRB). The CSRB is a non-partisan committee, composed of 15 cybersecurity experts and industry leaders, which is currently investigating the Chinese Salt Typhoon campaign against large American telecommunications companies. Established in 2022, it has in the past published reports about the Log4Shell vulnerability, the cybercrime gang LAPSUS$, and the 2023 Chinese intrusion into the State Department through Microsoft Exchange Online.