Threat Overview
A recent threat report published by AlienVault reveals a critical zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances. This vulnerability has been exploited since mid-December 2024, allowing unauthenticated remote code execution.
Exploited Vulnerability
* Vulnerability: CVE-2025-0282 in Ivanti Connect Secure VPN appliances
* Impact: Unauthenticated remote code execution
Used Malware Families
Attackers have deployed multiple malware families during these exploits, including:
* SPAWN: A backdoor capable of evading detection by hiding malicious processes.
* DRYHOOK: A multifunctional implant used for credential theft and privilege escalation.
* PHASEJAM: An advanced persistent threat (APT) tool designed to maintain persistence on compromised systems.
Reported Threat Actor Groups
The report mentions two China-nexus groups as potential actors involved in these attacks:
* UNC5337, attributed to the Chinese Ministry of State Security.
* UNC5221, which has been linked to North Korea’s Lazarus Group.
Attack Tactics
Evidence suggests attackers are employing various tactics during their operations, such as:
* Disabling security features for persistence.
* Injecting web shells for remote access and command execution.
* Blocking system upgrades so that patches cannot be applied.
* Performing network reconnaissance to map target environments.
Recommendations
Based on the threat report, the following recommendations are suggested:
* Apply Ivanti’s released patches for CVE-2025-0282 as soon as possible.
* Use Ivanti’s Integrity Checker Tool to validate system integrity and detect unauthorized changes.
* Implement strict access controls and security measures to protect VPN appliances.
* Monitor network traffic for suspicious activity, such as unexplained spikes in outbound data transfer.
* Enhance overall cybersecurity posture with robust threat detection systems and incident response plans.
Report Details
The full threat report can be found at the following links:
* Google Cloud Blog: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
Threat Overview
In today’s digital landscape, cyber threats are evolving at an unprecedented pace. The latest threat report highlights a new actor group that has been actively targeting various industries with sophisticated malware obfuscation techniques. This report provides an in-depth analysis of the tactics, techniques, and procedures (TTPs) employed by this group, along with recommendations for mitigation.
The actor group behind these attacks is known for its advanced capabilities in malware development and deployment. They have been observed using a variety of obfuscation methods to evade detection and analysis. These techniques include code encryption, polymorphic code, and the use of legitimate tools and services to carry out malicious activities. The group’s primary goal appears to be data exfiltration and disruption of critical infrastructure.
The report details several key findings:
Malware Obfuscation: The malware used by this actor group employs multiple layers of obfuscation, making it difficult for traditional antivirus solutions to detect and analyze. This includes the use of encrypted payloads and polymorphic code that changes its structure with each execution.
Use of Legitimate Tools: The attackers have been observed using legitimate administrative tools and services to carry out their malicious activities. This tactic, known as
In early February 2025, the eSentire Threat Response Unit detected a sophisticated phishing attack associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication (2FA). This threat report delves into the details of this attack, its implications, and provides recommendations for mitigating such threats.
The attack began with a spam email containing a link to a phishing PDF hosted on OneDrive. Unsuspecting users who clicked the link were redirected to a fake Office 365 login page. This phishing page was protected by Cloudflare Turnstile, a service designed to prevent automated scanners from accessing it, adding an extra layer of deception.
Sneaky2FA is particularly dangerous because it captures not only user credentials but also 2FA codes. By doing so, the attackers gain session cookies that allow them to access accounts without triggering any MFA prompts. This method effectively bypasses the security measures put in place by multi-factor authentication systems.
The phishing operators were observed using stolen cookies to add additional MFA methods to compromised accounts. This tactic allows them to maintain persistent access even if the initial credentials are changed. The use of VPN and proxy services further obscures their activities, making it difficult for security teams to trace the origin of the attacks.
The sophistication of Sneaky2FA enables a range of damaging follow-on activities. Once inside an organization’s network, attackers can exfiltrate sensitive emails, launch spam campaigns, and conduct Business Email Compromise (BEC) attacks. These activities can lead to significant financial losses and reputational damage for the targeted organizations.
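The two behaviours described above (a freshly minted session cookie replayed from a different network, then used to register an extra MFA method) can be surfaced from sign-in and audit logs. The detector below is an added example, not code from the original report or from eSentire; its event format, the ASN labels and the one-hour window are constructed assumptions, and the sample events are invented.

```python
"""Hypothetical detector for the Sneaky2FA pattern: an MFA session cookie
replayed from a second network, then used to enrol a new MFA method.
Event schema and sample data are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 'asn' stands in for the network
# the request came from; 'auth' records how the session was authenticated.
EVENTS = [
    {"ts": "2025-02-03T09:00:00", "user": "alice", "type": "signin",
     "session": "S1", "asn": "AS-CORP", "auth": "password+mfa"},
    {"ts": "2025-02-03T09:07:00", "user": "alice", "type": "signin",
     "session": "S1", "asn": "AS-VPNPROXY", "auth": "cookie"},
    {"ts": "2025-02-03T09:09:00", "user": "alice", "type": "mfa_method_added",
     "session": "S1", "asn": "AS-VPNPROXY", "method": "authenticator"},
    {"ts": "2025-02-03T10:00:00", "user": "bob", "type": "signin",
     "session": "S2", "asn": "AS-CORP", "auth": "password+mfa"},
    {"ts": "2025-02-03T10:30:00", "user": "bob", "type": "mfa_method_added",
     "session": "S2", "asn": "AS-CORP", "method": "phone"},
]


def parse(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events, window=timedelta(hours=1)):
    """Return alerts as tuples. 'cookie_replay' fires when a session that
    completed MFA is reused from another ASN within `window`;
    'mfa_persistence' fires when such a replayed session adds an MFA method."""
    events = sorted(events, key=parse)
    first_seen = {}   # session -> (timestamp, asn) of the interactive MFA sign-in
    replayed = set()  # sessions already observed from a different ASN
    alerts = []
    for ev in events:
        sid, asn, ts = ev["session"], ev["asn"], parse(ev)
        if ev["type"] == "signin" and ev["auth"] == "password+mfa":
            first_seen.setdefault(sid, (ts, asn))
            continue
        origin = first_seen.get(sid)
        if origin and asn != origin[1] and ts - origin[0] <= window:
            if sid not in replayed:
                replayed.add(sid)
                alerts.append(("cookie_replay", ev["user"], sid, asn))
        if ev["type"] == "mfa_method_added" and sid in replayed:
            alerts.append(("mfa_persistence", ev["user"], sid, ev["method"]))
    return alerts
```

Bob's enrolment from the same network as his MFA sign-in is left alone; only Alice's session, reused from a proxy network and then used to add an authenticator, produces alerts.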
To mitigate the risks posed by Sneaky2FA and similar threats, organizations should implement a multi-layered security approach. Here are some recommendations:
Incident Response Plan: Develop and regularly update an incident response plan to quickly detect, respond to, and mitigate the impact of phishing attacks. Ensure that all employees are aware of their roles and responsibilities during a security incident.
Regular Audits: Conduct regular security audits to identify vulnerabilities in your systems and processes. Address any identified weaknesses promptly to minimize the risk of successful attacks.
Third-Party Risk Management: Evaluate the security practices of third-party vendors and service providers. Ensure that they adhere to stringent security standards and regularly review their compliance with these standards.
The detection of Sneaky2FA highlights the evolving nature of cyber threats and the need for organizations to stay vigilant. By implementing robust security measures and fostering a culture of cybersecurity awareness, organizations can better protect themselves against sophisticated phishing attacks and other malicious activities.
For additional information on this threat report, please refer to the following external references:
This report underscores the importance of staying informed about emerging threats and taking proactive steps to enhance cybersecurity defenses. By understanding the tactics used by attackers like Sneaky2FA, organizations can better prepare themselves to defend against similar threats in the future.
Threat Overview
The cyber threat landscape continues to evolve, with emerging threats posing significant risks to organizations worldwide. The Akira ransomware, first identified in late 2023, has since grown into a major concern for global cybersecurity. This report summarizes the tactics, techniques, and procedures (TTPs) of Akira ransomware, along with recommended defenses.
Threat Actor Group
Akira ransomware is believed to be operated by a Russia-based threat actor group that has been active since early 2023. With several active strains, including v2 and Megazord, this group has carried out a high volume of attacks over the past year.
Tactics, Techniques, and Procedures (TTPs)
The report highlights the following TTPs employed by Akira ransomware:
Recommended Defenses
To mitigate risks associated with Akira ransomware, organizations are advised to:
Organizations should stay informed about Akira ransomware’s active strains and monitor their ecosystems for patterns of compromise to mitigate potential attacks effectively.