Threat Alert CenterLearn More About Our Detection and Response Services
Wiz Research has uncovered multiple critical unauthenticated remote code execution (RCE) vulnerabilities in theIngress NGINX Controller for Kubernetes, collectively known as IngressNightmare. These vulnerabilities enable attackers to execute arbitrary commands within the Ingress NGINX Controller’s pod without requiring authentication. As a result, they may gain unauthorized access to all secrets stored across namespaces in the Kubernetes cluster, ultimately leading to a full cluster compromise. Exploitation of these flaws poses severe security risks, including lateral movement within the environment and data exfiltration. The identified vulnerabilities include:
Ingress NGINX Controller versions prior to 1.12.1 and 1.11.5 are vulnerable.
Each of the identified vulnerabilities presents a unique risk to Kubernetes environments:
The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring.Organizations should prioritize these measures to safeguard their cloud environments against potential threats.
Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
On March 21, security threat intel vendor CloudSEK published a report on a forum post from a threat actor claiming to have exfiltrated around 6 million records from Oracle Cloud SSO and LDAP, made the previous day. Included in the dumped data are JKS (Java Keystore) files, encrypted SSO passwords, key files, and enterprise manager JPS keys. CloudSEK’s communication with the threat actor suggests a possible undisclosed vulnerability affecting Oracle Cloud login infrastructure.
While it is currently unknown whether a vulnerability was exploited, this appears to have been the case. According to CloudSEK:
“it can be ascertained with medium con dence that the threat actor used an undisclosed vulnerability on Oracle WebLogic servers used for hosting the login pages for oraclecloud.com. By exploiting login endpoints for all regions, the threat actor was subsequently able to dump data pertaining to the underlying tenants.”
Affected organizations should change all SSO, LDAP, and associated credentials. Ensure passwords are strong and MFA is enforced. Additionally, report the issue to Oracle for verification of a possible zero-day and seek further mitigation.
The CFC will continue to monitor the situation and send an advisory update if needed. If this breach is found to have been due to a yet-undisclosed vulnerability, clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected are VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform products, allowing remote code execution (RCE) and privilege escalation. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were discovered following targeted threat actor activity. CISA has since added the bugs to its Known Exploited Vulnerabilities Catalog. Attackers can exploit these flaws to gain unauthorized access to systems, execute arbitrary code remotely, and escalate privileges, posing a significant risk to environments relying on these VMware solutions.
Two of these vulnerabilities are classified as Critical and pose significant risks to VMware users, while one, CVE-202522226, is marked as Important but still requires immediate attention due to its potential for data leakage.
The following table captures the essential details about the affected VMware products, versions, identified vulnerabilities, severity, and the fixed versions.
CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability
CVSSv3: 9.3 – Critical Severity
A Time-of-Check Time-of-Use (TOCTOU) race condition in VMware ESXi and Workstation allows attackers with administrative VM privileges to exploit a heap overflow vulnerability in the VMX process. This grants attackers control over the host system, enabling lateral movement across virtualized environments.
CVE-2025-22225: Sandbox Escape via Arbitrary Write
CVSSv3: 8.2 – High Severity
Authenticated attackers can write arbitrary data to ESXi hosts through the VMX process, triggering sandbox escapes. By manipulating kernel memory, attackers escalate privileges to deploy malware or disrupt services. This is particularly dangerous in multi-tenant environments.
CVE-2025-22226: Hypervisor Memory Leakage
CVSSv3: 7.1 – Moderate Severity
An out-of-bounds read in VMware’s Host Guest File System (HGFS) enables attackers to extract sensitive data such as encryption keys and credentials from the VMX process. While less severe, this flaw provides valuable reconnaissance data for future attacks.
Ensure that the latest patches from VMware are applied to the following products:
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Tenable IDs:
The main subject of this article is to present our methods for clustering and identifying the purpose of an infrastructure. The most added value is the cross-referencing between public or private sources of information to create an infrastructure diagram to start producing intelligence and work with it in the long term.
As we see many blog posts about infrastructure tracking, we at Kudelski Security wanted to produce this article to show some methodologies and practical use cases based on internal research.
Decoding Threat Actor Infrastructure: A Case Study in Attribution
For that, instead of taking ‘Indicators of Compromise’ (IOCs) from an incident response, we are going to take a phishing campaign published by the CISA[1] against U.S and Israeli government officials as an example.
Figure 1: Mapping and enriched IPs from the attack
From the IPs we can see from this campaign, all of them have been attributed to the Iranian group Pioneer Kitten, UNC757. They have conducted numerous intrusions against organizations in the United States and other countries since 2017, with the majority of IPs found on this campaign; most of the IPs are linked to a hosting provider.
Figure 2: Reconstitution and enriched IOCs from the attack
When investigating an infrastructure like this, it is essential to identify similarities, recurring patterns, pivot points, historical data, and collected telemetry. By analyzing these elements, we can establish connections between different attack campaigns and uncover insights into the threat actor’s tactics, techniques, and procedures (TTPs). While we cannot provide an exhaustive breakdown here, leveraging structured intelligence sources enables a more comprehensive resource[2].
Figure 3: Plan from https://gopivot.ing/map/
During our investigation, we identified a potential overlap with Gamaredon by pivoting on historical DNS data. In August 2023, the domain hopers[.]ru was observed resolving to 206.71.148[.]78, a finding initially reported on the social media platform X.[3] Similarly, in this attack, Pioneer Kitten used the domain cloud.sophos[.]one to deliver malware, pointing to the same IP address. This pattern of infrastructure reuse underscores the importance of tracking historical data to map threat actor behaviors and identify operational connections.
After the collection phase, we need to save the findings in a cluster under a naming convention in case we can’t attribute them; it will save us some time in our future investigations if we find an infrastructure that overlaps with our previous findings.
A foundational framework in Cyber Threat Intelligence (CTI), the Diamond Model provides a structured approach to analyzing adversaries and their intrusions by examining four key elements. This model can be stored in an open CTI platform or a dedicated database—what matters most is ensuring it remains easily accessible for future analysis. The true value lies in its long-term utility, allowing analysts to continuously monitor, correlate, and exploit key indicators over time to refine attribution and strengthen threat intelligence efforts.
Figure 4: Diamond model of the assessed attack
Effective infrastructure analysis requires meticulous documentation, regardless of whether the infrastructure is confirmed as malicious. Threat actors frequently reuse networks, tools, and even operational mistakes, making historical records a valuable asset for tracking evolving tactics. By maintaining structured intelligence, analysts can efficiently identify overlaps, detect recurring patterns, and accelerate future investigations.
To illustrate this process, we will outline a two-step approach to clustering different infrastructures, using intelligence gathered from a leak related to North Korean IT workers as a case study.
Figure 5: Reconstituted infrastructure from North Korean IT workers
Using a PuTTY configuration file as a source[4], we have reconstructed a complete infrastructure. While its exact purpose remains unclear, our analysis—based on available intelligence—suggests the following:
Now that we have linked the network areas, units, and technologies used, we can begin to tag the infrastructure; according to your organization, you must use a naming convention, but for this article, we will do it in a simple way: [NK-NET-LC-08282024-CL-01]
NK: Country code according to the ISO 3166-1
NET: Type of infrastructure or attributed entity, “NET” for network
LC: Confidence level – This one stand for Low Confidence
08282024: Made the first time at the following date MMDDYYYY
CL: Analyst
01: Tag number of the infrastructure for each update add a new version with 01.1 -> 01.2 etc..
The infrastructure may not be exact, but the most important thing is to get as close as possible to the adversary infrastructure.
This serves as an example of how tagging can be used to categorize an unknown infrastructure. We strongly recommend storing this data securely, ensuring it remains easily accessible for future reference. Over time—whether months or even years later—new findings may reveal overlaps with previously identified infrastructures, providing valuable context and strengthening long-term threat analysis.
Next, we are going to put all the pieces together based on past data and findings.
Figure 6: Complete mapping of a North Korean infrastructure
While this example uses fabricated dates, it highlights a fundamental principle in threat intelligence—piecing together disparate infrastructure elements can reveal a more comprehensive picture of an adversary’s network.
Over time, continuous analysis allows intelligence teams to refine their assessments, identify behavioral overlaps, and track the evolution of threat actor infrastructure.[6][7][8] As seen in Mandiant’s reporting, the mapping of North Korean cyber operations has evolved significantly from 2022 to 2024, reinforcing the importance of long-term monitoring and iterative intelligence gathering.
Figure 7: Assessed structure of DPRK Cyber programs from Mandiant
If an analyst plans to adjust his infrastructure knowledge base with open-source data, he must acknowledge that some companies have different naming conventions for the same identified actors with naming groups by regions and subgroups terminologies; as an Intelligence analyst, it’s hard to track, this is due to multiple reasons, security companies track intrusion sets or threat actors without publishing them[9] and they need to use a naming convention to classify them, as we saw before. It can also be used for branding reasons, so security companies publish their documentation with their own naming conventions and get more people used to it. For example, the “APT” (Advanced Persistent Threat) designation has become a widely accepted naming convention for threat actors known for employing sophisticated, sustained attack techniques.
The lack of standardized naming conventions in threat intelligence stems from multiple factors.[10] Each intelligence provider brings a unique perspective on malicious infrastructure, malware, clusters, TTPs (Tactics, Techniques, and Procedures), IOCs (Indicators of Compromise), and the sharing of toolsets between different threat actors. Shifting alliances, operational overlaps, and evolving adversary behaviors further contribute to these variations, leading to discrepancies in how different intelligence teams classify and track threats.[11][12]
One key challenge is that attribution can vary significantly between intelligence providers. For instance, one provider may classify a single entity as a distinct threat actor, while another may interpret the same activity as belonging to multiple actors. These differences are often shaped by the methodologies, data sources, and investigative techniques used—ultimately influencing how adversary groups are identified and named.
To analyze an infrastructure based on open-source data, the analyst has to make sure to see each intelligence provider with a different point of view, and everything counts:
The activity matrix[13] aims to have a clear view of an organization, a specific operation or a campaign monitored by an intelligence team. Let’s take the Lazarus group for this one.
Figure 8: North Korean activity matrix
Most of the data come from the DOJ press release except for the “Operator A, B, C, D, E which is a generated data for the example
In threat intelligence analysis, a diamond symbol is often used within the matrix to denote an individual or entity that is no longer active. This structured approach helps analysts map an attacker’s organization, identify operational hierarchies, and detect both common and anomalous patterns within their tactics.
In this particular matrix, the U.S. Department of Justice (DOJ) serves as the sole data source, allowing us to distinguish between civilian and military operations conducted by known members of the Lazarus Group. Additionally, analyzing travel patterns can reveal key insights, such as identifying countries that may serve as proxy residences for operatives conducting cyber-attacks against their intended targets.
[1] https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf
[2] https://gopivot.ing/
[3] https://x.com/cyber0verload/status/1694448759055306800
[4] https://x.com/Bizarredect/status/1828750064673849389
[5] https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote
[6] https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/?hl=en
[7] https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023/?hl=en
[8] https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine?hl=en
[9] Attribution of advanced persistent threat; page 30
[10] https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263
[11] https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU
[12] https://github.com/StrangerealIntel/EternalLiberty
[13] https://www.marines.mil/Portals/1/Publications/MCWP%202-6%20W%20Erratum%20Counterintelligence.pdf
Earlier this month we published an advisory about CVE-2025-0108, a vulnerability which allows an unauthenticated attacker to access the web management user interface of Palo Alto Networks’ PAN-OS and invoke certain scripts. Along with the aforementioned bug nine others were disclosed, all less severe as they offered less utility to potential attackers. Since the original time of writing, proof-of-concept exploit code for CVE-2025-0108 has been publicly released and used in the wild. Additionally, one of the nine less-severe bugs included in the PAN disclosure, CVE-2025-0111, has been upgraded from Medium severity/Moderate urgency to High severity/Highest urgency. It allows an authenticated attacker with access to the web management UI to read les on the PAN-OS lesystem which are readable by the nobody user, and Palo Alto has warned that CVE-2025-0111 is being chained with CVE-2025-0108 and CVE-2024-9474: to exactly what end is still unknown, but prior attacks involving CVE-2024-9474 and a vulnerability similar to CVE-2025-0108 resulted in the extraction of rewall con gurations and deployment of malware on compromised appliances. CISA has added CVE2025-0111 to its Known Exploited Vulnerabilities (KEV) catalog.
As with CVE-2025-0108, Palo Alto recommends restricting access to the management UI from external IPs, which greatly reduces the overall risk of exploitation, as well as patching to a PAN-OS version listed below. Additionally, customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510000 and 510001.
Furthermore, Palo Alto offers detection of internet-facing devices through their support portal:
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
A recently discovered vulnerability, CVE-2025-0108, in Palo Alto Networks PAN-OS, allows an unauthenticated attacker with network access to bypass authentication and access the management web interface from which an attacker can also invoke specific PHP scripts. Although this doesn’t lead to remote code execution, it can compromise the integrity and confidentiality of the system.
In order to mitigate risk, Palo Alto recommends that access to the management interface be restricted to trusted internal IP addresses. Palo Alto confirms that a viable solution for affected PAN-OS versions is to upgrade to later PAN-OS versions. This issue does not affect Cloud NGFW or Prisma Access software, and Palo Alto Networks is not aware of any malicious exploitation of this issue.
Palo Alto recommends that access to the management interface be restricted to trusted internal IP addresses in accordance with best practices. Patched versions are available as well for the following PAN-OS versions :
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Ivanti has released security updates addressing nine vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC), and Ivanti Cloud Services Application (CSA). These flaws, which could lead to privilege escalation, arbitrary file reads, writes, and/or code execution, were identified in multiple versions of these products. Exploitation of one or more of these vulnerabilities could allow a remote attacker to gain full control of affected systems.
While there are no reports of these flaws being actively exploited, their potential for abuse is significant, especially given the history of Ivanti’s products being targeted by advanced threat actors. To mitigate these risks, Ivanti has recommended upgrading to the latest versions of the affected products.
While nine bugs have been disclosed as of time of writing, the four most severe are as follows:
The vulnerabilities detailed in this advisory are resolved in the latest versions of the affected Ivanti products:
These updated versions are available for download through the Ivanti portal (login required).
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
A critical vulnerability (CVE-2025-23006) has been identified in SonicWall Secure Mobile Access (SMA) 1000 Series Appliances, potentially allowing for remote code execution (RCE). This vulnerability stems from a pre-authentication deserialization of untrusted data flaw in the Appliance Management Console (AMC) and Central Management Console
(CMC). Successful exploitation could enable an unauthenticated attacker to execute arbitrary OS commands, compromising system integrity.
SonicWall PSIRT has been notified of potential active exploitation of this vulnerability by threat actors. Organizations using affected SMA appliances should take immediate action to mitigate risks.
SonicWall SMA 1000 Series Appliances running version 12.4.3-02804 (platform-hotfix) and earlier.
Impacted Models: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, EX9000
Note: SonicWall Firewall and SMA 100 (SMA200, 210, 400, 410, and 500v) products are not affected by this vulnerability.
Tactic: Initial Access (TA0001)
Technique: Exploit Public-Facing Application (T1190)
A pre-authentication deserialization vulnerability in SonicWall SMA 1000’s AMC and CMC can allow a remote attacker to execute arbitrary OS commands. This can lead to full system compromise, allowing attackers to:
SonicWall has released patches addressing this vulnerability. Organizations should upgrade to the latest fixed version as soon as possible.
Impacted Models: SMA6200, SMA6210, SMA7200, SMA7210, SMA8200v (ESX, KVM, Hyper-V, AWS, Azure), EX6000, EX7000, EX9000
Note: SonicWall Firewall and SMA 100 (SMA200, 210, 400, 410, and 500v) products are not affected by this vulnerability.
Organizations should follow their internal patch management and testing guidelines before deploying updates to minimize operational disruptions.
If immediate patching is not possible, the following mitigations should be applied:
Organizations are advised to implement these workarounds until patches can be applied to mitigate the risk of exploitation.
This vulnerability poses a severe risk to organizations using SonicWall SMA 1000 appliances.Immediate actionis required to mitigate the threat by applying patches, strengthening network defenses, and implementing robust monitoring. Organizations should also prioritize long-term security measures such as vulnerability management, penetration testing, and access controls to minimize future risks.
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
At Kudelski security, with the end of year approaching we have observed multiple vulnerabilities being exploited recently. This ranges from long-standing vulnerabilities like the Adobe Commerce (formerly Magento) with CVE-2024-34102 – dubbed “CosmicSting” to the very recent Cleo File Transfer Software Vulnerability (CVE-2024-50623), passing by Windows Lightweight Directory Access Protocol (LDAP) critical CVE-2024-49112. Our key message is to quickly act on vulnerabilities found in your environment. Please don’t let open vulnerabilities rot, one day or another it will backfire. And this is the time of the year, where we feel there is lots of vulnerabilities being exploited. The critical CVEs described below are not exhaustive, so we encourage our clients to rely on their vulnerability management practice to make sure no blatant hole is left unchecked.
A critical vulnerability, identified as CVE-2024-34102, was discovered in Adobe Commerce (formerly Magento). This vulnerability, part of a series dubbed “CosmicSting”, allows an attacker to exploit flaws in the system’s deserialization process, potentially leading to unauthorized access to sensitive data and even admin-level access to the REST API, GraphQL, or SOAP interfaces. As a result, attackers can gain full control over an application without proper authentication. This vulnerability is already seen actively exploited across Switzerland, further emphasizing the urgency of addressing the issue.
A critical vulnerability (CVE-2024-50623) in Cleo file transfer products, including Cleo VLTrader, Cleo Harmony, and Cleo LexiCom, has been actively exploited in the wild. This flaw, initially disclosed in October 2024, has led to unauthorized command execution, potentially compromising the integrity of affected systems. Despite patches being issued for affected versions (5.8.0.21), further vulnerabilities have been uncovered in versions up to 5.8.0.21, leading to an escalation in exploitation.
A critical remote code execution vulnerability (CVE-2024-49112) has been discovered in the Windows Lightweight Directory Access Protocol (LDAP) and has been disclosed as part of the recent Patch Tuesday from Microsoft. This vulnerability affects both LDAP clients and servers running affected versions of Windows, allowing unauthenticated remote attackers to execute arbitrary code within the context of the LDAP service.
The following versions of Cleo products are vulnerable to CVE-2024-50623 and a newly discovered vulnerability (CVEpending):
This vulnerability impacts several Windows operating system versions, including but not limited to:
A full list of affected versions and corresponding updates is included in the Microsoft Security Update table.
Reports of active exploitation began circulating on December 9, 2024. The vulnerability, which allows unauthenticated attackers to upload and execute arbitrary bash or PowerShell commands on vulnerable systems, targets a flaw in the Autorun directory of Cleo products. This is a critical security issue as it can lead to full system compromise without any authentication.
Rapid7 and Huntress have observed a range of post-exploitation activities, including the installation of modular backdoors and the enumeration of system information. Attackers have also exploited the NTLM hash of user accounts for lateral movement and privilege escalation, particularly using the “OverPass-The-Hash” technique. Other signs of exploitation include the execution of system commands like systeminfo, whoami, and nltest, as well as suspicious PowerShell commands.
Indicators of Compromise
CVE-2024-49112 is caused by an integer overflow issue in the processing of LDAP requests, which can lead to remote code execution. This vulnerability specifically affects versions of Windows where LDAP services are exposed via Remote Procedure Call (RPC). An attacker exploiting this vulnerability could gain control over the target system without needing authentication.
To mitigate the risk of exploitation:
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Cleo Product Security Advisory – CVE-2024-50623 – Cleo
Widespread exploitation of Cleo file transfer software (CVE-2024-50623) | Rapid7 Blog
Remote Code Execution Vulnerability
(By Naveen and KS threat research)
“Why hack into a system when you can politely just ask for it?”
Since early October 2024, Kudelski Security has observed an ongoing campaign in which threat actors employ a notably human interactive social engineering approach to infiltrate targeted networks. These attackers use Microsoft Teams to impersonate IT support personnel (vishing), where they contact employees directly, aiming to manipulate them into installing remote-access software, specifically AnyDesk, under the pretense of providing technical assistance.
The attack itself, with the exception of this initial phase, has the classical cybercrime techniques. It begins with a method known as registration bombing, where attackers register the victim’s corporate email address across hundreds of online platforms simultaneously. This tactic floods the victim’s inbox with spam from multiple legitimate domains, which bypasses standard spam filters and overwhelms the target’s email with what appears to be legitimate, unsolicited messages. Seeking help for this sudden influx of spam, the victim may then reach out to or be approached by the fake “IT support” team.
At this point, the threat actor initiates contact through a Microsoft Teams call, presenting themselves as an IT professional ready to assist. Speaking in the local language (in this case, German), they persuade the victim to install AnyDesk, ostensibly to resolve the email issue. Once granted access, the attackers quickly deploy a range of malicious binaries and begin laying the groundwork for broader network compromise.
Other security vendors have attributed this activity to affiliates of BlackBasta. Based on the techniques we’ve observed, we see strong similarities with cases we’ve previously worked on. That said, the attacks were detected and mitigated early, successfully preventing both data exfiltration and any disruption from potential encryption events. As a result, the only actions carried out by the threat actor were the initial steps, which are shared among most cybercriminal operations.
The key takeaway from this post is that while organizations typically have measures in place to defend against email threats—thanks to the wide range of vendor solutions available—it’s much harder to tackle side-channel threats via phone calls or messaging apps like WhatsApp, Signal, or Microsoft Teams. While sending an email to millions of recipients is relatively easy, making phone calls to that many individuals is far more complex. Despite this challenge, recent cyberattacks that combine email with follow-up phone calls have proven effective, and this technique could become more widespread among cybercriminal groups in the future. Shifting from a mass, opportunistic attack to a more targeted strategy that leverages human interaction creates a new threat landscape that is difficult for organizations to monitor and protect against. While phone-based social engineering may be one of the oldest hacking tactics, the rise of chat apps and mobile phones has made it even harder for organizations to gain visibility into these threats. The fact that cybercriminals are adopting these techniques shows that the barrier to entry is low.
Other vendors also published about this attack types: Microsoft[1], Reliaquest [2], rapid7 [3]. We are providing additional details and queries for hunting and detections.
This campaign’s initial phase is deceptively simple yet effective. Threat actors began by registering the victim’s business email across hundreds of legitimate sites in a technique known as registration bombing. The result is an immediate burst of verification emails and account creation emails each coming from a legitimate source. An account is created on variety of sources ranging from a florist in Czech Republic to an attorney in Chicago. This barrage of emails quickly overwhelms the victim’s inbox, causing sudden panic and helplessness in handling the situation on their own.
At first glance, it’s easy to question —if these emails are from legitimate domains and contain no malicious links, where’s the harm? The answer is simple: this isn’t typical phishing. By overwhelming the inbox, attackers create stress and confusion, making victims more likely to respond impulsively.
In the incidents that Kudelski Security responded to, that’s exactly what happened. Even the users who are typically careful with spam and phishing emails failed to respond with caution as they were in a sense of panic seeing continuous influx of registration emails in various languages that they were never exposed to in the past. The spam burst served as the foundation for what followed, the next phase of the attack: direct social engineering.
Right when the victim needed “IT Support”, the threat actor disguised as IT support, contacted the victim through Microsoft Teams, convincing them that they were there to resolve the spam issue.
The attacker, speaking in the local language (German), further built trust with the victim, making their approach appear even more legitimate. They assured the victim that the spam problem—one they had caused—could only be resolved by remotely accessing the victim’s computer.
Remote Access: Through the Teams chat, the threat actor instructed the user to download Remote Management Tool, AnyDesk from the official AnyDesk website. AnyDesk being commonly used by IT support and other teams, never raised a suspicion. After the user provided the access key, the attacker connects.
Once the victim followed the link and installed AnyDesk, the attacker gained full access to the system. They then transferred multiple malware files, including antispam.exe. When executed, the file triggered a Windows authentication screen titled “antispam filter,” reinforcing the illusion that they were installing a legitimate anti-spam solution. Trusting the process, the victim entered their credentials into the fake prompt.
At this point the threat actor had already managed to gain initial access into the host, obtained clear text credentials and also downloaded multiple malicious binaries needed for further steps in the attack. In addition, the threat actor also convinced the victim to take a break while they work on this “issue”.
Based on the logs, we couldn’t determine whether the German-speaking individual was also the one carrying out the technical operation on the host, or if this task was the result of collaboration. This distinction is important because, if it was not the same person, it could suggest that an individual was hired to provide L1 IT support in the local language, without knowing his work was in support for malicious cyber operations. The statement of work would involve assisting legitimate IT support in installing the remote agent before escalating the ticket to L2 support, where the actual threat actor is involved.
Once the remote access tool is installed, the attack progresses to a more traditional ransomware or cybercrime group technique. At this point, we revert to classic ransomware tactics, techniques, and procedures (TTPs), which can typically be detected by conventional endpoint security products.
Once the threat actor gained access to the host, they immediately dropped a series of malicious binaries onto the system.
Even if the victim pays attention during the AnyDesk session, they are very likely to assume that the “fake” IT support was working to fix the spam problem as all the binaries were named “antispam”. This prevents users from raising suspicion.
Each of the dropped binaries served a distinct purpose, with some recognized as known malicious files, but many of them were unknown hashes at the time of our Incident Response engagement.
Antispam.exe: Credential Theft and System Enumeration
When executed, the antispam.exe binary triggered a Windows pop-up titled “spam filter update,” and asks for victim’s username and password. Once the victim enters their credentials, the username and password is validated against the domain and both the username and password entered by the user are saved in clear text to the “qwertyuio.txt” file. If invalid credentials were entered, the file would record the input along with a note indicating that the credentials were invalid, and the window pops up again asking the user to re-enter their username and password.
In addition to capturing credentials, the binary performed basic system enumeration, running commands such as systeminfo, route print, and ipconfig /all. The output of these commands was also saved to the qwertyuio.txt file.
Once the clear-text credentials were captured, the threat actor used the AnyDesk session to copy the qwertyuio.txt file from the victim’s system, further enabling their attack on the network.
Antispam.exe (SHA1: 1a3f14465460a61e012d11cccf301424f2c0f11d)
The functionality of the antispam_account.exe binary was straightforward— create a machine account with a hardcoded password. The initial binary was detected and blocked by Microsoft Defender; however, the threat actor dropped a modified version the binary to bypass the detection and execute it.
When we analyzed the modified binary in our lab, we found that it failed to create the machine account. However, in a parallel investigation that Kudelski Security was responding to, we extracted another version of the binary and that successfully created a machine account named SRVVSSKL$ with a hardcoded password: GCmtHzw8uI$JnJB
From a defender’s perspective, it’s crucial to monitor for such machine account creations and ensure that the new account’s activities are also reviewed during the investigation
Antispam_account.exe (SHA1: dccca05c9833b78dc75c7045e80056b35815ae93, 093693a336c4ab28a4e1a3e7999a0bc6cee4ba05)
The antispam_connect_eu.exe and antispam_connect_us.exe are the SystemBC binaries dropped by the threat actor to establish tunnel and maintain persistence even after the AnyDesk session is over. SystemBC is a proxy malware that leverages SOCKS5. This provides the ability for the attacker to launch the attacks against the domain as if their workstation is directly connected to your network. SystemBC also allowed the threat actor to deploy additional tooling to launch their attacks.
The antispam_connect_eu.exe managed to establish successful connection with the Command and Control (C2) IP, 157.20.182.233. This was heavily used by the threat actor to perform Enumeration (Sharphound, Impacket, etc.) as well as for the lateral movement attempts.
Antispam_connect_eu.exe: (SHA1: 517a916a794161deabf13ff2cd45956b8b918eb4)
antispam_connect_us.exe: (SHA1: 192b284e7bc7f43f1723d99b62bdbfe71334ce10)
Antispam_connect_1i.exe:
The antispam_connect_1i.exe binary was particularly noisy, initiating numerous external connections, including multiple Russian IPs. IPs that it reached out to: 46.8.232.106, 46.8.236.61, 93.185.159.253, 188.130.206.243.
As soon as the binary was executed, it attempted to establish persistence. For victim having enabled the Software Restriction Policy (SRP), it blocked PowerShell execution on the system.
powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\redacted\antispam_connect_1i.exe\" }"
antispam_connect_1i.exe: (SHA1: db2067ddaa6a3396238dc3353ec1edccc0dd9030)
Once the threat actor established a SOCKS proxy tunnel using SystemBC, they performed extensive enumeration activities against the domain.
They used multiple common public offensive tools for enumeration such as SharpHound ( to map Active Directory structures and relationships), Impacket modules—such as wmiexec.py, psexec.py, and smbexec.py and so on.
Multiple lateral movements paths were attempted, but none of them were successful.
Named pipes in SMB, accessed via the IPC$ share over TCP port 445, are leveraged by threat actors for lateral movement within a network. They enable a range of operations, from NULL session contexts to those requiring local administrative privileges. For instance, svcctl facilitates the creation, starting, and stopping of services to execute commands on remote hosts, a functionality utilized by tools like Impacket’s psexec.py and smbexec.py.
We could see the attempts to open svcctl and SMB access over the remote host via IPC$ share. Monitoring for unauthorized service creation can be done through capturing the 4679 events.
During the lateral movement using RDP and Network logons, devices named vultr-guest and callous-cause.aeza.network were detected, indicating the threat actor’s infrastructure used in the lateral movement attempts.
Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service.
About 30 minutes into the AnyDesk session, the threat actor executes an LDAP query to enumerate Kerberoastable accounts (user accounts with a Service Principal Name (SPN) set). This was immediately followed by the initiation of the Kerberoasting attack itself.
(&(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=redacted,DC=com)(!(userAccountControl&2))(servicePrincipalName=*))
Kerberoasting is a technique frequently used by threat actors, and in the majority of ransomware cases our CSIRT has responded to, we’ve observed it being attempted — often being successful. We highly recommend reviewing Microsoft’s guidance on Kerberoasting here and apply necessary mitigation measures.
For detection and threat hunting, we focus on the initial phase of the attack, as the more traditional cybercrime TTPs are already well-documented in numerous blog posts.
Alert when a user is at risk:
CloudAppEvents | where Application == "Microsoft Teams" and ActionType == "MessageCreatedHasLink" and //left to keywords like anydesk, if needed RawEventData.MessageURLs has_any("") and // remove this line of phishing done from an internal user account RawEventData.ParticipantInfo.HasForeignTenantUsers == true
CloudAppEvents | where Application == "Microsoft Teams" and ActionType == "MessageCreatedHasLink" and RawEventData.ParticipantInfo.HasForeignTenantUsers == true and RawEventData.CommunicationType == "OneOnOne" | summarize count(), min_value=min(['TimeGenerated']), max_value=max(['TimeGenerated']) by tostring(RawEventData.UserTenantId), ActionType, tostring(RawEventData.MessageURLs)
EmailUrlInfo
// Filter for URLs related to password resets coming from wordpress
| where Url contains 'wp-login.php?action=rp'
| project NetworkMessageId, Url, UrlDomain
| join kind=inner (EmailEvents) on NetworkMessageId
| summarize
Count = count(),
Urls = make_list(Url)
by RecipientEmailAddress
This query identifies emails from WordPress, as they make up a significant portion of registration bombing attempts. However, additional patterns can also be incorporated.
A well-configured Active Directory setup, along with endpoint hardening, are effective measures to slow down or even block threat actors. We strongly recommend that organizations conduct annual configuration reviews. Our incident response team’s data shows that addressing these areas can significantly reduce the impact of a breach. However, this blog post will focus on those initial steps.
Remote access tools are widely used, and in large organizations, it’s common to have multiple such tools installed. This often happens because different local IT teams rely on different remote access solutions for support. To address this, organizations should define a set of approved support tools and establish a standardized installation process. This allows for the creation of detection rules to identify any tools that deviate from the authorized list or were installed outside the defined procedure. Additionally, we recommend blocking the domains associated with these remote access tools at the host level. We advise against only doing this at the corporate firewall level, as many organizations’ home office policies mean that not all traffic is routed through the corporate environment, leaving users vulnerable. You can find the list of proposed blocking in the annexes.
To enhance the security of your Microsoft Teams environment and prevent unauthorized access, it is recommended to block external or unknown tenants from being able to interact with your organization’s Teams environment. However again it depends on your organization context and needs.
Configure External Access Settings:
Control Guest Access:
Review and Restrict “Teams” Guest Permissions:
Block external users to contact user in your organization
Contact us here if you have any questions or if you need support in responding to such a situation.
We recommend blocking the following domains to prevent successful connections from commonly used remote access tools. Before implementing this block at the host level, it is essential to verify that no department is utilizing these tools for legitimate purposes. Additionally, keep in mind that the IP address associated with the domain can be changed to one owned by your organization, allowing you to display a custom message to users attempting to connect. Credit to https://github.com/LivingInSyn/RMML for providing the domains used for the connection.
Some remote access tools, such as RustDesk, require additional security measures because threat actors can set up their own infrastructure, allowing them to use any domain they choose.
We provide an example using the lmhosts file on Windows systems. However, these block lists can also be implemented through EDR and firewall rules. Adapt them to suit your organization’s setup.
# Network blocking anydesk
127.0.0.1 *.net.anydesk.com
# Network blocking atera
127.0.0.1 pubsub.atera.com
127.0.0.1 pubsub.pubnub.com
127.0.0.1 agentreporting.atera.com
127.0.0.1 app.atera.com
127.0.0.1 agenthb.atera.com
127.0.0.1 packagesstore.blob.core.windows.net
127.0.0.1 ps.pndsn.com
127.0.0.1 agent-api.atera.com
127.0.0.1 cacerts.thawte.com
127.0.0.1 agentreportingstore.blob.core.windows.net
127.0.0.1 atera-agent-heartbeat.servicebus.windows.net
127.0.0.1 ps.atera.com
127.0.0.1 atera.pubnubapi.com
127.0.0.1 appcdn.atera.com
127.0.0.1 atera-agent-heartbeat-cus.servicebus.windows.net
127.0.0.1 ticketingitemsstoreeu.blob.core.windows.net
127.0.0.1 a32dl55qcodech-ats.iot.eu-west-1.amazonaws.com
# Network blocking fleetdeck
127.0.0.1 ‘*.fleetdeck.io’
127.0.0.1 fleetdeck.io
127.0.0.1 fleetdm.com
# Network blocking gotomypc
127.0.0.1 ‘poll.gotomypc.com’
# Network blocking level.io
127.0.0.1 agents.level.io
127.0.0.1 online.level.io
127.0.0.1 builds.level.io
127.0.0.1 downloads.level.io
# Network blocking ninjarmm
127.0.0.1 ‘*.ninjarmm.com’
127.0.0.1 ‘*.ninjarmm.net’
127.0.0.1 ‘*.rmmservice.com’
# Network blocking QuickAssist
127.0.0.1 remoteassistance.support.services.microsoft.com
127.0.0.1 ‘*.support.services.microsoft.com’
127.0.0.1 remoteassistanceprodacs*
# Network blocking ScreenConnect
127.0.0.1 myconnectwise.com
127.0.0.1 connectwise.com
127.0.0.1 screenconnect.com
127.0.0.1 itsupport247.net
# Network blocking Splashtop
127.0.0.1 ‘*.splashtop.com’
127.0.0.1 ‘*.splashtop.eu’
# Network blocking Supremo
127.0.0.1 ‘*.nanosystems.it’
127.0.0.1 ‘*.supremocontrol.com’
# Network blocking tailscale
127.0.0.1 ‘*.tailscale.com’
127.0.0.1 ‘*.tailscale.io’
# Network blocking teamviewer
127.0.0.1 ‘*.teamviewer.com’
# Network blocking VSCodeTunnel
127.0.0.1 ‘*.tunnels.api.visualstudio.com’
127.0.0.1 ‘*.devtunnels.ms’
# Network blocking ZohoAssist
127.0.0.1 ‘*.zoho.com’
127.0.0.1 ‘*.zoho.eu’
127.0.0.1 ‘*.zoho.in’
127.0.0.1 ‘*.zoho.com.au’
127.0.0.1 ‘*.zoho.com.cn’
127.0.0.1 ‘*.zohoassist.com’
127.0.0.1 ‘*.zohoassist.jp’
127.0.0.1 ‘*.zohoassist.com.cn’
127.0.0.1 downloads.zohodl.com.cn
127.0.0.1 downloads.zohocdn.com
127.0.0.1 gateway.zohoassist.com
# Network blocking ngrok
127.0.0.1 ‘*.ngrok-agent.com’
127.0.0.1 ‘update.equinox.io’
127.0.0.1 ‘tunnel.ngrok.com’
127.0.0.1 ‘tunnel.*.ngrok.com’
Recently released were two vulnerabilities, CVE-2024-9486 (CVSS 9.8) and CVE-2024-9594 (CVSS 6.3), that impact the Kubernetes Image Builder. The vulnerabilities can be utilized to gain root access to Kubernetes nodes given the proper circumstances. Certain image build providers did not disable default administrative credentials after the build process, allowing potential attackers root access to nodes after deployment in some cases. The vulnerabilities are resolved with Image Builder version v0.1.38; rebuilding and redeploying of impacted images is advised.
The vulnerabilities impact all versions of Image Builder up to and including Image Builder v0.1.37 when providers Proxmox (most severe), Nutanix, OVA, QEMU, and/or raw are utilized.
CVE-2024-9486:
This vulnerability is for the specific combination of an impacted Image Builder version, alongside the use of the Proxmox provider. In this scenario default credentials are enabled during the build process and are not properly disabled after build completion. That allows for the nodes using the images to be accessible with the credentials, which can be used for root access. This is resolved in v0.1.38 by the creation of randomly generated passwords only functional during the building of the image. It is confirmed that the builder account is then disabled upon completion of the image build.
CVE-2024-9594:
This vulnerability is similar in nature to CVE-2024-9486 with some variances. This vulnerability focuses on the usage of Nutanix, OVA, QEMU, and raw providers. More importantly, this vulnerability is only exploitable during the image deployment cycle, rather than allowing for access after the image build is completed. That results in the lower CVSS score assigned to it.
The CFC recommends taking the following actions where possible:
What is the CFC doing?
Kudelski Security has not observed or received indicators of active exploitation of these flaws. The CFC will continue to monitor the situation and send an advisory update as more information becomes available.
Splunk has disclosed several high-severity vulnerabilities in Splunk Enterprise and Splunk Cloud Platform, which allowattackers to execute remote code on vulnerable systems. The vulnerabilities, including CVE-2024-45733, CVE-2024-45731,and CVE-2024-45732, pose serious security risks and demand immediate attention.
In addition to the remote code execution fl aws, Splunk has also addressed vulnerabilities in third-party packages (idna,certifi ) used in the AWS Add-on.
Two major vulnerabilities, CVE-2024-45731and CVE-2024-45733, could allow attackers to execute remote code on affected systems. CVE-2024-45731 affects Windows environments with Splunk installed on a separate disk, enabling attackers to drop malicious DLLs into the root directory. CVE-2024-45733 is tied to insecure session storage in versions below 9.2.3 and 9.1.6.
Several flaws, like CVE-2024-45732, grant low-privileged users excessive access, such as running unauthorized searches and exposing sensitive data. Additional vulnerabilities allow viewing of host images, crashing the daemon, and manipulating App Key Value Store settings.
Splunk also addressed vulnerabilities related to information disclosure (CVE-2024-45738, CVE-2024-45739) and cross-site scripting (CVE-2024-45740, CVE-2024-45741), which could expose sensitive data or enable malicious script injection.
Please find below the full list of desclosed vulnerabilities:
Additional Information: Splunk has also addressed vulnerabilities in third-party packages (idna, certifi) used in the AWSAdd-on.
Action Required: Apply patches immediately and review security settings to prevent exploitation.
Detection: To detect potential exploitation related to CVE-2024-45731 and CVE-2024-45733, Splunk has releasedcorresponding correlation search: Detection: Splunk RCE Through Arbitrary File Write to Windows System Root | SplunkSecurity Content
The CFC will identify and patch affected versions immediatelly to mitigate potential attacks. We will continue to monitorthe situation and send an advisory update if needed.
