Ivanti VPN zero-day exploitation campaign

Since mid-December, an Ivanti Connect Secure VPN zero-day (CVE-2025-0282) has been exploited by a Chinese threat actor, apparently UNC5337, a group possibly related to the threat actor behind the January 2024 wide-scale campaign which targeted various Ivanti zero-days (UNC5221). Moreover, the vulnerability has been used to deploy multiple strains of malware, and it is plausible that other threat groups are also targeting it. The flaw also impacts additional Ivanti products (Policy Secure and Neurons for ZTA), for which a patch is scheduled only for January 21. So far, the attacks have successfully compromised a number of victims, including Nominet, the official UK domain registry, which operates more than 11 million .uk, .co.uk and .gov.uk domain names.

BeyondTrust, the US Treasury and Silk Typhoon

Silk Typhoon (aka Hafnium) is the actor responsible for the hack of the US Treasury, which was accessed through the exploitation of the recently reported BeyondTrust vulnerability (CVE-2024-12356). The flaw was apparently chained with another BeyondTrust weakness (CVE-2024-12686), a medium-severity vulnerability allowing command injection for attackers with admin privileges. Furthermore, it now appears that the group specifically targeted the Office of Financial Research and the Committee on Foreign Investment (CFIUS), an agency responsible for reviewing the national security risks of foreign investments. Silk Typhoon is a sophisticated Chinese group known for exploiting vulnerabilities in Internet-facing servers for initial access, especially ProxyLogon (CVE-2021-26855/7/8, CVE-2021-27065) and Log4j (CVE-2021-44228).

A vuln in Aviatrix Controller compromises AWS environments

A critical command injection vulnerability in Aviatrix Controller (CVE-2024-50603) is currently being exploited in the wild by different groups, mostly for cryptojacking and for deploying backdoors that enable persistence. Since Aviatrix Controller holds high privileges in AWS environments, exploiting the vulnerability may give an attacker privilege escalation and lateral movement. The vulnerability is easily exploitable and can be triggered with a single crafted API request. Aviatrix Controller is a network connectivity tool estimated to be used in around 3% of cloud and hybrid environments.

Mitigate it

Block access from 83.222.191.146

Russian hackers against the healthcare industry

Excelsior Orthopaedics, a New York-based healthcare company, admitted that it suffered a data breach in June 2024 which impacted 357K individuals. A Russian gang named Monti ransomware took credit for the attack. Monti’s executive, Mikhail Matveev (aka “Wazawaka”), is a well-known Russian hacker who participated in the past in various notorious gangs (such as Lockbit, Babuk or Hive) and who is skilled in exploiting vulnerabilities in a wide range of products, including Fortinet, Citrix, MobileIron and PaperCut.

24K GFI KerioControl firewalls exposed to a new vuln

Multiple threat actors are exploiting a one-click vulnerability in GFI KerioControl firewall (CVE-2024-52875), apparently triggered through social engineering tactics. The flaw allows CRLF injection, leading to reflected cross-site scripting (XSS). Around 24K KerioControl firewalls are internet-facing, many of them in Iran.

Mitigate it

Block access from 47.128.192.115, 18.138.68.225, 18.138.1.114, 54.151.252.177, 52.220.229.79, 3.0.227.168, 47.128.87.232, 47.128.167.47 and 8.218.168.197

Hellcat keeps on compromising Jira accounts

The Hellcat ransomware group broke into Jira accounts of the Spanish telecommunications company Telefonica and stole 2.3G of sensitive data. Hellcat is a recently formed group led by a Moroccan teenager; it became famous last November when it successfully infiltrated the Jira environment of Schneider Electric. It apparently specializes in exploiting niche software vulnerabilities.

Mitigate it

Track the SHA256 hash: 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf

Exploitation of a new Fortigate zero-day

Since mid-November, unidentified threat actors have been targeting internet-facing management interfaces of Fortigate firewall devices through a Fortigate zero-day (CVE-2024-55591). The attackers logged in to the management interfaces to make configuration changes, then leveraged SSL VPN access to extract credentials for lateral movement. The campaign, which has already compromised various organizations, seems opportunistic rather than targeted.

Mitigate it

Disable the HTTP/HTTPS administrative interface, or follow Fortinet’s instructions on defining a local-in policy that restricts access to the management interface to a predefined group of hosts.

Record breaking "Patch Tuesday" for Microsoft

Microsoft patched three actively exploited zero-days in Windows Hyper-V's NT Kernel (CVE-2025-21333-5). The three, considered easily exploitable, allow attackers with low permissions to gain system-level privileges. They were apparently used in post-compromise scenarios. The released fixes were part of a record-breaking “Patch Tuesday” addressing no less than 159 vulnerabilities.

Fake LDAPNightmare POC downloads malware

A fake POC exploit for the recent LDAPNightmare vulnerability (CVE-2024-49113), placed in a malicious GitHub repository, forces users to download infostealer malware which exfiltrates sensitive data to an external FTP server. LDAPNightmare is a recently patched critical vulnerability allowing an attacker to send crafted requests and execute arbitrary code within the context of the LDAP service.

MirrorFace Vs Japan

Japan’s cybersecurity agency raised the alarm about MirrorFace, a sub-group of the Chinese espionage group APT10 that focuses on Japanese organizations. The threat actor, known in the past for its sophisticated phishing operations against the academic and government sectors, shifted in 2023 to exploiting vulnerabilities in network devices against different industries including healthcare, manufacturing, communications, education and aerospace. Among others, it has leveraged flaws in Fortinet FortiOS (CVE-2023-28461), Citrix ADC (CVE-2023-27997) and Citrix Gateway (CVE-2023-3519).

US national infrastructure is getting better at remediating vulnerabilities

CISA reported that US national infrastructure operators have improved their remediation effort against exploited vulnerabilities. For example, from 2022 to 2024, the average remediation time for high-severity and critical exploited flaws on Internet-facing assets was reduced from 60 to 30 days. For SSL vulnerabilities and misconfigurations, it even dropped from 197 days to only 12.
