Discover more from ESSGroup
Subscribe to get the latest posts sent to your email.
Threat Overview
A recently published threat report by AlienVault, titled “Threat Brief: CVE-2025-0282 and CVE-2025-0283”, highlights critical vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA gateway products that are being actively exploited.
Vulnerabilities
The report details two high-severity vulnerabilities:
* CVE-2025-0282: Allows for remote code execution (RCE) on the targeted systems.
* CVE-2025-0283: Enables privilege escalation, granting attackers elevated access.
Attack Activity Observed
Attacks exploiting CVE-2025-0282 have been observed in the wild, involving a series of malicious activities:
* Initial access to target systems.
* Credential harvesting to maintain persistence.
* Lateral movement within compromised networks.
* Defense evasion techniques employed to avoid detection.
Custom Tools Used
Attackers have been observed using custom tools such as SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH during these attacks.
Activity Cluster Identification
The activity cluster CL-UNK-0979 has been identified in relation to these incidents, potentially linking them to UNC5337 threat actor group.
Recommendations
Given the critical nature of these vulnerabilities and the observed attacks, the following actions are strongly recommended:
* Immediate Patching: Apply the available patches for Ivanti products to fix CVE-2025-0282 and CVE-2025-0283.
* Network Monitoring: Actively monitor network traffic for unusual activities related to these vulnerabilities.
Protective Measures
Users of Palo Alto Networks products can enable the following protections:
* WildFire: Provides effective sandbox analysis to detect and block malicious files.
* Threat Prevention: Offers URL filtering and other protective measures against known threats.
References
For more detailed information on this threat, please refer to the original reports:
* Palo Alto Unit 42 threat brief: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/
Subscribe to get the latest posts sent to your email.
Lorem Ipsum is simply dummy text of the printing and typesetting
industry. Lorem Ipsum has been the industry's
Threat Overview
AlienVault’s report on ‘Astral Stealer’ presents a detailed analysis of a powerful, multi-lingual malware tool designed for data theft and crypto wallet exploitation. Astral Stealer v1.8, coded in Python, C#, and JavaScript, targets gaming accounts, browser credentials, and cryptocurrency wallets with advanced features like viewing backup codes and an anti-delete system.
Key Capabilities
– Fake error generation
– Background operation
– Startup persistence
– Anti-VM measures
– Browser extension injection
– Discord injection
– Process termination
– Cryptocurrency wallet data extraction
– Bypassing security tools
– Disabling Windows Defender
– Exfiltrating data via webhooks
Threat Landscape
Astral Stealer’s public availability on GitHub and continuous development by multiple contributors pose significant threats to individuals and organizations. Its advanced features and customizable builder make it highly effective and accessible to potential attackers.
External References
– https://www.cyfirma.com/research/astral-stealer-analysis/
– https://otx.alienvault.com/pulse/679d2269efde9e38e2246472
Recommendations
Confidence Level: 100
Reliability of the Report: A – Completely reliable
Revoke Status: false
Number of Connected Elements Present in the Report: 90
Threat Overview
Kaspersky’s Vulnerability Landscape Analysis for Q4 2024 has been published by CyberHunter_NL, highlighting the most common software vulnerabilities and their exploitation methods. The report is compiled by Alexander Kolesnikov from the University of California, Los Angeles.
Key Findings
Recommendations
References
Confidence Level: 100
Reliability of the Report: A – Completely reliable
Revoke Status: false
Number of Connected Elements Present in the Report: 257
In early February 2025, the eSentire Threat Response Unit detected a sophisticated phishing attack associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication (MFA). This threat report delves into the details of this attack, its implications, and provides recommendations for mitigating such threats.
The attack began with a spam email containing a link to a phishing PDF hosted on OneDrive. Unsuspecting users who clicked the link were redirected to a fake Office 365 login page. This phishing page was protected by Cloudflare Turnstile, a service designed to prevent automated scanners from accessing it, adding an extra layer of deception.
Sneaky2FA is particularly dangerous because it captures not only user credentials but also 2FA codes. By doing so, the attackers gain session cookies that allow them to access accounts without triggering any MFA prompts. This method effectively bypasses the security measures put in place by multi-factor authentication systems.
The phishing operators were observed using stolen cookies to add additional MFA methods to compromised accounts. This tactic allows them to maintain persistent access even if the initial credentials are changed. The use of VPN and proxy services further obscures their activities, making it difficult for security teams to trace the origin of the attacks.
The sophistication of Sneaky2FA enables a range of damaging follow-on activities. Once inside an organization’s network, attackers can exfiltrate sensitive emails, launch spam campaigns, and conduct Business Email Compromise (BEC) attacks. These activities can lead to significant financial losses and reputational damage for the targeted organizations.
To mitigate the risks posed by Sneaky2FA and similar threats, organizations should implement a multi-layered security approach. Here are some recommendations:
Incident Response Plan: Develop and regularly update an incident response plan to quickly detect, respond to, and mitigate the impact of phishing attacks. Ensure that all employees are aware of their roles and responsibilities during a security incident.
Regular Audits: Conduct regular security audits to identify vulnerabilities in your systems and processes. Address any identified weaknesses promptly to minimize the risk of successful attacks.
Third-Party Risk Management: Evaluate the security practices of third-party vendors and service providers. Ensure that they adhere to stringent security standards and regularly review their compliance with these standards.
The detection of Sneaky2FA highlights the evolving nature of cyber threats and the need for organizations to stay vigilant. By implementing robust security measures and fostering a culture of cybersecurity awareness, organizations can better protect themselves against sophisticated phishing attacks and other malicious activities.
For additional information on this threat report, please refer to the following external references:
This report underscores the importance of staying informed about emerging threats and taking proactive steps to enhance cybersecurity defenses. By understanding the tactics used by attackers like Sneaky2FA, organizations can better prepare themselves to defend against similar threats in the future.
Subscribe now to keep reading and get access to the full archive.