Threat Overview
Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164) – SANS Internet Storm Center
A recent threat report published by CyberHunter_NL on 2024-12-16T15:05:11.149Z highlights the exploitation of a file upload vulnerability in Apache Struts2 by attackers who are attempting to enumerate systems vulnerable to it. The vulnerability, identified as CVE-2024-53677 and CVE-2023-50164, is being targeted by malicious actors using various tactics, including:
* Spear-phishing to gain initial access
* Enumerating systems that are vulnerable to the Struts2 vulnerability
The attackers use these tactics to find exposed, unpatched systems. However, this vulnerability has been fixed in recent updates.
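As an added, defender-side example (not code from the SANS diary or this post), the check below flags multipart upload requests to Struts actions whose form field values contain path traversal sequences, the pattern behind these file upload CVEs; the request records and parameter names such as uploadFileName are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches a '..' path segment after normalisation (start or slash before it).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def normalise(value: str) -> str:
    """Undo up to three layers of URL encoding so %2e%2e%2f and double-encoded
    forms are inspected as the server would see them, then unify slashes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(value: str) -> bool:
    return TRAVERSAL.search(normalise(value)) is not None

def is_suspicious_upload(req: dict) -> bool:
    """True for a multipart POST to a Struts action whose form fields carry a
    '..' segment. Every field is checked regardless of name, so variants of the
    parameter name (e.g. different letter case) are still inspected."""
    if req["method"] != "POST" or not req["path"].endswith(".action"):
        return False
    if not req["content_type"].lower().startswith("multipart/form-data"):
        return False
    return any(has_traversal(v) for v in req["fields"].values())

# Constructed sample traffic: a benign upload, a traversal filename, the same
# traversal URL-encoded, and a GET that is not an upload at all.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=abc",
     "fields": {"upload": "quarterly.pdf", "uploadFileName": "quarterly.pdf"}},
    {"method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=abc",
     "fields": {"upload": "x", "UploadFileName": "../../example.jsp"}},
    {"method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=abc",
     "fields": {"upload": "x", "uploadFileName": "%2e%2e%2f%2e%2e%2fexample.jsp"}},
    {"method": "GET", "path": "/index.action", "content_type": "",
     "fields": {"q": "../etc"}},
]

def flagged_indices(requests=SAMPLE_REQUESTS) -> list:
    # Positions of the requests that match the rule.
    return [i for i, r in enumerate(requests) if is_suspicious_upload(r)]

if __name__ == "__main__":
    print("suspicious request indices:", flagged_indices())
```

In production the same rule would run in a WAF or reverse proxy that sees the multipart body, since ordinary access logs do not record form field values.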
Although patches for the Struts2 vulnerability are available, many organizations may not be aware that they still need to apply these fixes, owing to the delay between the discovery of a vulnerability and the release of security patches.
Organizations therefore need to stay informed about recently discovered vulnerabilities and prioritize applying updates promptly to prevent exploitation of newly disclosed (zero-day) vulnerabilities.
Some recommendations for improving cybersecurity posture include having a plan in place for responding to potential cyber threats: organizations should establish protocols for detecting and responding to cyber threats, including the use of threat intelligence services.
* Regular Software Updates: Ensure that all software and systems are regularly updated with the latest security patches. This helps mitigate vulnerabilities that could be exploited by malware.
* Endpoint Protection: Deploy robust endpoint protection solutions that can detect and block info-stealing malware. These solutions should include features like anti-malware, anti-virus, and intrusion prevention systems (IPS).
* Network Security: Strengthen network security measures by implementing firewalls, intrusion detection systems (IDS), and secure access controls. Regularly monitor network traffic for signs of malicious activity.
* Incident Response Plan: Develop and regularly update an incident response plan that outlines the steps to be taken in case of a security breach. This plan should include procedures for containment, eradication, recovery, and post-incident analysis.
* Collaboration with Security Communities: Engage with cybersecurity communities and share threat intelligence to stay informed about emerging threats and best practices for mitigation. Platforms like AlienVault’s Open Threat Exchange (OTX) provide valuable resources for sharing and receiving threat data.
The report by Microsoft Security highlights the importance of a proactive approach to cybersecurity. By understanding the tactics used by malicious actors and implementing robust security measures, organizations can significantly reduce their risk of falling victim to info-stealing malware campaigns. It is essential to remain vigilant and adaptable in the face of evolving threats, continuously updating defenses to stay ahead of potential attacks.
For additional information on this malvertising campaign and detailed analysis of the tools and services used by attackers, please refer to the external references provided in the report:
* AlienVault OTX Pulse: https://otx.alienvault.com/pulse/67cacce2ff28f3af5baa75bc
* Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
In conclusion, the threat report published by CyberHunter_NL serves as a critical resource for security professionals and organizations seeking to protect themselves from sophisticated malvertising campaigns. By following the recommendations outlined in this report and staying informed about emerging threats, we can collectively enhance our cybersecurity posture and safeguard against information theft.
Threat Overview
A recent threat report published by AlienVault reveals a critical zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances. This vulnerability has been exploited since mid-December 2024, allowing unauthenticated remote code execution.
Exploited Vulnerability
* Vulnerability: CVE-2025-0282 in Ivanti Connect Secure VPN appliances
* Impact: Unauthenticated remote code execution
Malware Families Used
Attackers have deployed multiple malware families during these exploits, including:
* SPAWN: A backdoor capable of evading detection by hiding malicious processes.
* DRYHOOK: A multifunctional implant used for credential theft and privilege escalation.
* PHASEJAM: An advanced persistent threat (APT) tool designed to maintain persistence on compromised systems.
Reported Threat Actor Groups
The report mentions two China-nexus groups as potential actors involved in these attacks:
* UNC5337, attributed to the Chinese Ministry of State Security.
* UNC5221, which has been linked to North Korea’s Lazarus Group.
Attack Tactics
Evidence suggests attackers are employing various tactics during their operations, such as:
* Disabling security features for persistence.
* Injecting web shells for remote access and command execution.
* Blocking system upgrades to prevent patch applications.
* Performing network reconnaissance to map target environments.
Recommendations
Based on the threat report, the following recommendations are suggested:
* Apply Ivanti’s released patches for CVE-2025-0282 as soon as possible.
* Use Ivanti’s Integrity Checker Tool to validate system integrity and detect unauthorized changes.
* Implement strict access controls and security measures to protect VPN appliances.
* Monitor network traffic for suspicious activity, such as unexplained spikes in outbound data transfer.
* Enhance overall cybersecurity posture with robust threat detection systems and incident response plans.
Report Details
The full threat report can be found at the following links:
* Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
In the ever-evolving landscape of cyber threats, staying ahead of new tactics and techniques is crucial for maintaining robust security. The SonicWall threat research team recently uncovered a significant update in the Remcos infection chain, which has enhanced its stealth capabilities by patching AMSI scanning and ETW logging to evade detection. This discovery highlights the ongoing evolution of malware and the need for vigilant monitoring and proactive defense strategies.
The new variant of Remcos RAT (Remote Access Trojan) is particularly concerning because it targets European institutions, making it a critical threat for organizations in the region. The loader associated with this infection chain has previously been observed distributing Async RAT but has now expanded its functionality to include Remcos RAT and other malware families.
Remcos RAT is known for its ability to provide attackers with remote control over infected systems, allowing them to execute commands, steal data, and perform various malicious activities. The latest update introduces new evasion tactics that make it even more challenging to detect and mitigate. By patching AMSI (Antimalware Scan Interface) scanning and ETW (Event Tracing for Windows) logging, the malware can bypass traditional security measures and operate undetected for extended periods.
The implications of this threat are far-reaching. European institutions, including government agencies, financial organizations, and critical infrastructure providers, are at heightened risk. The stealthy nature of Remcos RAT means that infections could go unnoticed for months, allowing attackers to exfiltrate sensitive information or disrupt operations without detection.
To mitigate the risks associated with this new variant of Remcos RAT, organizations should consider the following recommendations:
* Employee Training: Provide comprehensive training for employees on cybersecurity best practices, including recognizing phishing attempts and other social engineering tactics. Human error remains a significant factor in successful malware infections, so educating staff is crucial.
* Patch Management: Ensure that all software and systems are up to date with the latest security patches. This includes not only operating systems but also third-party applications and plugins that could be exploited by attackers.
* Incident Response Planning: Develop and regularly update an incident response plan to ensure a swift and effective response in case of a malware infection. This should include steps for containment, eradication, and recovery, as well as communication protocols for notifying stakeholders.
* Advanced Endpoint Protection: Deploy advanced endpoint protection solutions that can detect and block sophisticated threats like Remcos RAT. These solutions should include features such as machine learning-based detection, real-time threat intelligence, and automated response capabilities.
* Network Segmentation: Implement network segmentation to limit the lateral movement of malware within an organization’s network. By isolating critical systems and data, organizations can reduce the potential impact of a successful infection.
* Regular Backups: Maintain regular backups of critical data and ensure that these backups are stored securely and can be quickly restored in case of a ransomware attack or data breach.
The discovery of this new variant of Remcos RAT underscores the importance of continuous monitoring and proactive defense strategies. Organizations must remain vigilant and adapt their security measures to address emerging threats effectively. By following the recommendations outlined above, European institutions can enhance their resilience against sophisticated malware attacks and protect their critical assets from potential breaches.
For more detailed information on this threat and the latest updates, please refer to the external references provided by SonicWall and AlienVault:
* SonicWall Blog: https://www.sonicwall.com/blog/remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered
* AlienVault OTX Pulse: https://otx.alienvault.com/pulse/67c8664cabae3f59536c42e2
Stay informed and stay secure.