Threat Overview
Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164) – SANS Internet Storm Center
A threat report published by CyberHunter_NL on 2024-12-16T15:05:11.149Z highlights attempts to exploit a vulnerability in Apache Struts2 by attackers who are scanning for systems vulnerable to it. The vulnerability, tracked as CVE-2024-53677 and CVE-2023-50164, is being targeted by malicious actors using tactics that include:
Spear-phishing to gain initial access
Enumerating systems that are vulnerable to the Struts2 vulnerability
The attackers use these tactics to enumerate systems that are still vulnerable. This vulnerability has, however, already been patched in recent updates.
Although the Struts2 vulnerability has patches available, many organizations may not be aware that they still need to apply these fixes. This is due to a delay between the discovery of the vulnerability and the release of security patches.
Therefore, it is essential for organizations to stay informed about recently discovered vulnerabilities and to prioritize timely updates, so that attackers cannot exploit newly disclosed and zero-day vulnerabilities.
Some recommendations for improving cybersecurity posture include:
Additionally, having a plan in place for responding to potential cyber threats is essential. Organizations should establish protocols for detecting and responding to cyber threats, including the use of threat intelligence services.
Beware of Fake Outlook Troubleshooting Calls that Ends Up In Ransomware Deployment
Please check the following page for additional information:
https://otx.alienvault.com/pulse/67b34483b2107cdb9ba844d9
Threat Report Overview
The Security Operations Center (SOC) has recently identified a new and rapidly evolving threat known as VanHelsing, a Ransomware-as-a-Service (RaaS) program. Published by AlienVault on March 23, 2025, this report highlights the emergence of VanHelsing RaaS, which launched on March 7, 2025. This threat has quickly garnered attention in the cybercrime landscape due to its aggressive tactics and wide-ranging targets.
Threat Details
VanHelsing RaaS is notable for its low entry barrier, requiring only a $5,000 deposit for affiliates. In return, it offers an 80% cut of ransom payments, making it an attractive option for cybercriminals. The service features a user-friendly control panel and supports multiple platforms, including Windows, Linux, BSD, ARM, and ESXi systems. This versatility allows VanHelsing to infect a broad spectrum of devices and networks.
Within just two weeks of its launch, VanHelsing successfully infected three victims, demanding substantial ransoms. The ransomware is written in C++ and has already shown signs of rapid evolution, with two distinct variants discovered within five days of each other. These variants employ various evasion techniques to avoid detection, including a ‘Silent’ mode that minimizes the ransomware’s footprint and selective encryption of files to expedite the infection process.
Technical Analysis
The technical sophistication of VanHelsing is evident in its design and functionality. The ransomware uses advanced encryption algorithms to lock down victim data, making it nearly impossible to recover without the decryption key. Its ability to target multiple operating systems and architectures further amplifies its threat potential.
One of the standout features of VanHelsing is its ‘Silent’ mode, which allows the malware to operate covertly within a network. This mode minimizes the ransomware’s visibility to traditional security tools, making it harder to detect and mitigate. Additionally, VanHelsing employs selective encryption, focusing on critical files that are essential for business operations. This targeted approach increases the likelihood of victims paying the ransom to restore their data.
Impact Assessment
The rapid growth and sophistication of VanHelsing RaaS underscore the increasing threat posed by ransomware attacks. Organizations across various sectors are at risk, particularly those with diverse IT infrastructures that include multiple operating systems and platforms.
The financial implications of a VanHelsing attack can be severe, with potential losses including ransom payments, downtime costs, and reputational damage. Moreover, the disruption to business operations can have long-term effects on an organization’s ability to serve its customers and maintain operational continuity.
Recommendations for Mitigation
In light of the emerging threat posed by VanHelsing RaaS, the SOC recommends the following measures to enhance cybersecurity posture:
Conclusion
The emergence of VanHelsing RaaS represents a significant escalation in the threat landscape, necessitating proactive measures from organizations to protect against ransomware attacks. By staying informed about the latest threats and implementing robust security practices, organizations can better safeguard their assets and maintain operational resilience.
For more detailed information on VanHelsing RaaS, refer to the following external references:
In January 2025, the eSentire Threat Response Unit (TRU) identified a sophisticated cyber espionage campaign orchestrated by the EarthKapre/RedCurl Advanced Persistent Threat (APT) group. This report delves into the intricate stages and techniques employed by this highly advanced threat actor, providing a comprehensive analysis of their tactics, techniques, and procedures (TTPs).
EarthKapre, also known as RedCurl, is renowned for its sophisticated operations primarily targeting private-sector organizations with a focus on corporate espionage. The group’s latest attack targeted an organization within the Law Firms & Legal Services industry, highlighting their strategic selection of high-value targets.
The attack vector involved the use of a legitimate Adobe executable (ADNotificationManager.exe) to sideload the EarthKapre/RedCurl loader. This method demonstrates the group’s ability to leverage trusted software to bypass security measures and gain initial access to the target network. The sideloading technique is particularly insidious because it exploits the trust users have in legitimate applications, making detection and prevention more challenging.
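The sideloading pattern described above (a trusted, signed executable copied to an unusual location and made to load an attacker-supplied DLL) can be surfaced from image-load telemetry. The following is an added example written for this page, not code from eSentire or the report; the heuristic, the pipe-delimited log format, the install path and the DLL names are all constructed assumptions. It flags a signed host binary that runs outside the normal install roots while mapping an unsigned DLL from outside the Windows system directories.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example).

Heuristic (an assumption, not the report's own rule): a host process whose
executable carries a valid vendor signature, runs from outside the usual
install roots, and maps an unsigned DLL that is not a Windows system library.
"""
from dataclasses import dataclass

# Directories where signed vendor binaries normally live (assumption).
TRUSTED_INSTALL_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
)
# Directories whose DLLs are treated as system libraries, not side-load candidates.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass(frozen=True)
class ImageLoad:
    image: str           # full path of the host process executable
    loaded: str          # full path of the DLL that was mapped into it
    image_signed: bool   # host executable has a valid vendor signature
    loaded_signed: bool  # mapped DLL has a valid signature


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["image"],
        loaded=fields["loaded"],
        image_signed=fields["image_signed"].lower() == "true",
        loaded_signed=fields["loaded_signed"].lower() == "true",
    )


def _under(path: str, roots) -> bool:
    """True when `path` lies below any of `roots` (case-insensitive, backslash paths)."""
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    if not ev.image_signed:
        return False  # unsigned host binaries belong to a different alert category
    if _under(ev.image, TRUSTED_INSTALL_ROOTS):
        return False  # binary runs from its normal install location
    if ev.loaded_signed or _under(ev.loaded, SYSTEM_DLL_DIRS):
        return False  # DLL is signed or is a system library
    return True


def find_sideload_candidates(lines):
    """Return the ImageLoad records that match the side-loading heuristic."""
    return [ev for ev in map(parse_line, lines) if is_sideload_candidate(ev)]


# Constructed telemetry, not from the report. Paths and DLL names are placeholders;
# only the executable name ADNotificationManager.exe is taken from the text above.
SAMPLE_LOG = [
    r"image=C:\Program Files (x86)\Adobe\EXAMPLE\ADNotificationManager.exe|loaded=C:\Program Files (x86)\Adobe\EXAMPLE\EXAMPLE_vendor.dll|image_signed=true|loaded_signed=true",
    r"image=C:\Users\alice\AppData\Local\Temp\update\ADNotificationManager.exe|loaded=C:\Users\alice\AppData\Local\Temp\update\EXAMPLE_sideloaded.dll|image_signed=true|loaded_signed=false",
    r"image=C:\Windows\System32\notepad.exe|loaded=C:\Windows\System32\kernel32.dll|image_signed=true|loaded_signed=true",
    r"image=C:\Users\alice\Downloads\tool.exe|loaded=C:\Users\alice\Downloads\helper.dll|image_signed=false|loaded_signed=false",
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_LOG):
        print(f"side-load candidate: {hit.image} -> {hit.loaded}")
```

Only the second record is flagged: the vendor-signed executable sits in a temp directory and maps an unsigned DLL next to it. The unsigned `tool.exe` record is deliberately left to a separate rule, because the point of this heuristic is the abuse of trusted binaries.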
The EarthKapre/RedCurl APT group employs a multi-stage attack process that includes several sophisticated techniques:
Lateral Movement: After gaining a foothold, the attackers move laterally within the network to identify high-value targets and sensitive data. They use various techniques such as pass-the-hash, pass-the-ticket, and remote desktop protocols (RDP) to navigate through the network undetected.
Data Exfiltration: The final stage involves exfiltrating the stolen data to a command-and-control server controlled by the attackers. This data is then analyzed for valuable information that can be used for corporate espionage or other malicious activities.
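The lateral movement stage above (pass-the-hash, pass-the-ticket and RDP hopping between hosts) leaves a characteristic trace in logon telemetry: one account, from one source host, reaching many destinations in a short time. The example below is added for this page and is not code from eSentire or the report; the CSV-style event format, the hostnames, the accounts, the 10-minute window and the threshold of three destinations are all constructed assumptions. It applies a fan-out heuristic to network (logon type 3) and remote-interactive (logon type 10) logons.

```python
"""Fan-out detection for lateral movement in logon events (added example).

Heuristic (an assumption): an account that, from a single source host, completes
network or RDP logons to at least `threshold` distinct destinations inside `window`
is a lateral-movement candidate and should be reviewed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    source_host: str   # workstation that initiated the logon
    dest_host: str     # host on which the successful logon was recorded
    logon_type: int    # 3 = network, 10 = remote interactive (RDP), 2 = local
    auth_package: str  # "NTLM" or "Kerberos"


def parse_event(line: str) -> Logon:
    """Parse one constructed 'ts,account,src,dst,logon_type,package' line."""
    ts, account, src, dst, ltype, pkg = line.strip().split(",")
    return Logon(datetime.fromisoformat(ts), account, src, dst, int(ltype), pkg)


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return (account, source_host, sorted destinations, ntlm_count) for each
    account/source pair that reached >= threshold distinct hosts within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.logon_type in (3, 10):          # only remote logons count as movement
            by_key[(ev.account, ev.source_host)].append(ev)

    alerts = []
    for (account, src), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):        # slide a window over the sorted events
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            dests = {e.dest_host for e in in_window}
            if len(dests) >= threshold:
                ntlm = sum(1 for e in in_window if e.auth_package == "NTLM")
                alerts.append((account, src, sorted(dests), ntlm))
                break                          # one alert per account/source pair
    return alerts


# Constructed sample events (not from the report): svc_backup hops across four
# hosts in under three minutes; alice and bob show ordinary single-host activity.
SAMPLE_EVENTS = """\
2025-01-14T09:00:05,svc_backup,WS01,FS01,3,NTLM
2025-01-14T09:00:41,svc_backup,WS01,FS02,3,NTLM
2025-01-14T09:01:12,svc_backup,WS01,DC01,3,NTLM
2025-01-14T09:02:30,svc_backup,WS01,HR-PC7,10,NTLM
2025-01-14T09:03:00,alice,WS02,FS01,3,Kerberos
2025-01-14T09:30:00,alice,WS02,FS01,3,Kerberos
2025-01-14T09:31:00,alice,WS02,WS09,10,Kerberos
2025-01-14T09:05:00,bob,WS03,WS03,2,Kerberos
""".splitlines()

if __name__ == "__main__":
    for account, src, dests, ntlm in fan_out_alerts(map(parse_event, SAMPLE_EVENTS)):
        print(f"{account} from {src} reached {dests} ({ntlm} NTLM logons)")
```

The NTLM count is reported alongside the fan-out because a burst of NTLM network logons from a workstation account is the shape a pass-the-hash chain takes in the logs; the threshold and window should be tuned against the baseline of legitimate administrative accounts before the rule is used for alerting.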
The EarthKapre/RedCurl APT group’s tactics highlight the need for robust cybersecurity measures. Organizations must implement comprehensive security strategies to protect against such advanced threats. Here are some recommendations:
Employee Training: Provide ongoing training to employees on recognizing phishing attempts and other social engineering tactics. Human error is often the weakest link in cybersecurity, so educating staff can significantly reduce the risk of successful attacks.
Advanced Threat Detection: Deploy advanced threat detection tools that use machine learning and artificial intelligence to identify anomalous behavior indicative of an APT attack.
Network Segmentation: Implement network segmentation to limit lateral movement within the network. By isolating critical systems, organizations can contain potential breaches and prevent attackers from accessing sensitive data.
Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and effective response in case of a security breach. This includes having a dedicated team ready to handle incidents and minimize damage.
Regular Software Updates: Ensure that all software, including legitimate applications such as Adobe executables, is kept up to date with the latest security patches. This reduces the risk of exploitation through known vulnerabilities.
Multi-Factor Authentication (MFA): Implement MFA for all critical systems and user accounts to add an extra layer of security. Even if credentials are compromised, MFA can prevent unauthorized access.
The EarthKapre/RedCurl APT group’s attack on a Law Firms & Legal Services organization underscores the importance of vigilance in cybersecurity. By understanding their TTPs and implementing robust security measures, organizations can better protect themselves against such sophisticated threats. For more detailed information, please refer to the external references provided:
https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt
https://otx.alienvault.com/pulse/67b33e146f62a1c90b35ee00
This report provides a comprehensive overview of the EarthKapre/RedCurl APT group’s activities and offers actionable recommendations for enhancing cybersecurity defenses. By staying informed and proactive, organizations can mitigate the risks posed by advanced threat actors like EarthKapre/RedCurl.