Weekly Threat Landscape Digest – Week 8

1. High-Severity Vulnerability in Citrix NetScaler Console & Agent (CVE-2024-12284)

A high-severity vulnerability (CVE-2024-12284, CVSS 8.8) has been discovered in NetScaler Console (formerly NetScaler ADM) and NetScaler Agent, allowing privilege escalation and potential system compromise.

Affected Versions:

• NetScaler Console: Versions 14.1 before 14.1-38.53 and 13.1 before 13.1-56.18.
• NetScaler Agent: Versions 14.1 before 14.1-38.53 and 13.1 before 13.1-56.18.

Mitigation:

• Update to NetScaler Console 14.1-38.53+ or 13.1-56.18+.
• Update to NetScaler Agent 14.1-38.53+ or 13.1-56.18+.

Reference:

• Citrix Security Bulletin: https://support.citrix.com/s/article/CTX692579-netscaler-console-and-netscaler-agent-security-bulletin-for-cve202412284?language=en_US 

2. Security Updates – Mozilla Firefox (CVE-2025-1414)

Mozilla has released a high-severity security update for Firefox to patch a memory safety vulnerability (CVE-2025-1414) that could lead to remote code execution and complete system compromise if exploited.

Vulnerability Details:

• CVE-2025-1414: Memory safety flaws allowing arbitrary code execution.
• Impact: Attackers could exploit this vulnerability to execute malicious code, potentially gaining control over the system.

Affected Versions:

• Firefox versions before 135.0.1.

Mitigation:

• Update Firefox to version 135.0.1 immediately to protect against potential exploits.

Reference:

• Mozilla Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/

3. Security Updates – Google Chrome (Multiple CVEs)

Google has released critical security updates for Google Chrome to address multiple high and medium-severity vulnerabilities that could be exploited for arbitrary code execution, system compromise, and data leaks.

Vulnerability Details:

• CVE-2025-0999 (High) – Heap buffer overflow in V8
  • A flaw in Chrome’s JavaScript engine that could allow remote code execution and system takeover.
• CVE-2025-1426 (High) – Heap buffer overflow in GPU
  • A vulnerability in the GPU process that could cause data leaks, crashes, or potential system compromise.
• CVE-2025-1006 (Medium) – Use-after-free in Network
  • A memory mismanagement issue that may cause crashes or be exploited for privilege escalation.

Affected Versions:

• Windows, Mac, Linux: Versions before 133.0.6943.126/.127
• Android: Versions before 133.0.6943.121
• iOS: Versions before 133.0.6943.120

Mitigation:

• Update Google Chrome to the latest versions to protect against potential exploits.

References:

• Chrome Release Notes: https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html
• Google Chrome Security Updates: https://chromereleases.googleblog.com/

4. Critical Vulnerabilities in OpenSSH (CVE-2025-26465 & CVE-2025-26466)

Security researchers have reported two critical vulnerabilities in OpenSSH, affecting both the OpenSSH client and server. These flaws expose systems to man-in-the-middle (MITM) attacks and pre-authentication denial-of-service (DoS) attacks.

Vulnerability Details:

1. CVE-2025-26465 – Machine-in-the-Middle Attack (MITM) on OpenSSH Client
   • Affects OpenSSH clients with VerifyHostKeyDNS enabled.
   • Allows attackers to intercept and manipulate SSH connections, potentially leading to unauthorized access and data theft.
   • The vulnerability impacts FreeBSD systems where VerifyHostKeyDNS was enabled by default from September 2013 to March 2023.
2. CVE-2025-26466 – Pre-authentication DoS Attack on OpenSSH Server
   • Affects OpenSSH client and server, enabling attackers to consume excessive memory and CPU resources.
   • Can lead to system slowdowns, crashes, or service outages.
   • No authentication required, making it easier to exploit remotely.

Affected Versions:

• CVE-2025-26465: OpenSSH 6.8p1 – 9.9p1
• CVE-2025-26466: OpenSSH 9.5p1 – 9.9p1

Mitigation:

• Upgrade OpenSSH to version 9.9p2 or later immediately.
• Review SSH configurations to disable unnecessary options and enhance security.
• Deploy intrusion detection systems (IDS) to monitor and block suspicious SSH activity.
• Restrict SSH access to trusted IP addresses via firewall rules.

References:

• OpenSSH Release Notes: https://www.openssh.com/releasenotes.html

5. Security Updates – Atlassian Products

Atlassian has disclosed 5 critical and 7 high-severity vulnerabilities across its products, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. These vulnerabilities could lead to remote code execution (RCE), broken authentication, and session management flaws.

Critical Vulnerabilities:

1. Confluence Data Center and Server
   • CVE-2024-50379, CVE-2024-56337 (CVSS 9.8 – Critical RCE)
   • Exploits Tomcat-Catalina dependency in Confluence, allowing remote code execution.
2. Crowd Data Center and Server
   • CVE-2024-52316 (CVSS 9.8 – Critical BASM)
   • Broken authentication & session management due to Tomcat-Catalina dependency.
   • CVE-2024-50379, CVE-2024-56337 (CVSS 9.8 – Critical RCE)

High-Severity Vulnerabilities:

• CVE-2024-7254 (CVSS 8.7)
• CVE-2024-47072 (CVSS 7.5)
• CVE-2024-47561 (CVSS 7.3)
• CVE-2022-25927 (CVSS 7.5)

Fixed Versions:

• Bamboo Data Center and Server: 10.2.1 (LTS) / 9.6.10 (LTS) / 9.2.22 (LTS)
• Bitbucket Data Center and Server: 9.5.1 / 9.4.3 (LTS) / 8.19.15 (LTS) / 8.9.25 (LTS)
• Confluence Data Center and Server: 9.3.1 / 9.2.1 (LTS) / 8.5.19 (LTS)
• Crowd Data Center and Server: 6.2.2 / 6.1.4 / 6.0.7
• Jira Data Center and Server: 10.1.2 / 9.17.5 / 9.12.18 (LTS) / 9.4.30 (LTS)

Mitigation & Recommendations:

• Upgrade affected products to the latest patched versions immediately.
• Apply security patches and review system configurations for potential exploitation.
• Monitor network activity for unusual behavior related to these vulnerabilities.

References:

• Atlassian Security Bulletin: https://confluence.atlassian.com/security/security-bulletin-february-18-2025-1510670627.html

6. Security Updates – Drupal Core

Drupal has released security updates addressing multiple vulnerabilities, including cross-site scripting (XSS), access bypass, and PHP object injection, which could lead to remote code execution (RCE) under certain conditions.

Vulnerability Details:

1. SA-CORE-2025-001: Critical Cross-Site Scripting (XSS) Vulnerability
   • A reflected XSS vulnerability due to insufficient filtering of error messages under specific conditions.
   • Impact: Attackers could exploit this to inject malicious scripts into the website, potentially stealing session cookies or executing arbitrary actions.
2. SA-CORE-2025-002: Moderately Critical Access Bypass
   • A flaw in the core Actions system allows unauthorized users to modify certain fields using bulk actions without proper permissions.
   • Impact: Attackers can modify settings such as sticky/unsticky content, front-page promotion, and publishing/unpublishing actions.
3. SA-CORE-2025-003: Moderately Critical Gadget Chain Vulnerability
   • A PHP Object Injection vulnerability that could lead to Arbitrary File Inclusion (AFI).
   • Impact: If combined with another exploit, attackers could escalate privileges and achieve Remote Code Execution (RCE).

Affected Versions:

• Drupal 8.0.0 to 10.3.12
• Drupal 10.4.0 to 10.4.2
• Drupal 11.0.0 to 11.0.11
• Drupal 11.1.0 to 11.1.2

Fixed Versions:

• Drupal 10.3.x: Update to 10.3.13
• Drupal 10.4.x: Update to 10.4.3
• Drupal 11.0.x: Update to 11.0.12
• Drupal 11.1.x: Update to 11.1.3

Note: Drupal 8, 9, and all versions of Drupal 10 before 10.3 are End-of-Life (EOL) and do not receive security updates.

Mitigation & Recommendations:

• Immediately update to the latest patched versions.
• Review access controls for bulk actions and field modifications.
• Monitor for unusual activity related to error message filtering or file inclusions.
• Restrict PHP object deserialization in configurations where possible.

References:

• Drupal Security Advisory:
  • SA-CORE-2025-001 (XSS): https://www.drupal.org/sa-core-2025-001
  • SA-CORE-2025-002 (Access Bypass): https://www.drupal.org/sa-core-2025-002
  • SA-CORE-2025-003 (Gadget Chain Exploit): https://www.drupal.org/sa-core-2025-003

7. Critical Vulnerabilities in mySCADA myPRO Manager

A series of critical vulnerabilities in mySCADA myPRO Manager expose industrial operations to severe security risks, enabling attackers to execute system commands, bypass authentication, steal credentials, and manipulate system settings. Two vulnerabilities have received CVSS scores of 9.8 and 10.0, making them extremely dangerous for industrial environments.

Vulnerability Details:

1. CVE-2025-25067 (CVSS 9.8 – Critical) OS Command Injection
   • Description: Allows remote attackers to execute arbitrary operating system commands.
   • Impact: Potential full system compromise, enabling manipulation of industrial processes, data theft, and malware deployment.
2. CVE-2025-24865 (CVSS 10.0 – Critical) Missing Authentication in Web Interface
   • Description: The administrative web interface lacks proper authentication, allowing unauthorized access.
   • Impact: Attackers can retrieve sensitive data, upload malicious files, and modify system configurations without needing credentials.
3. CVE-2025-22896 (CVSS 8.6 – High) Cleartext Storage of Sensitive Credentials
   • Description: Credentials are stored in plaintext within the system.
   • Impact: Attackers can easily steal credentials, escalate privileges, or move laterally within the network.
4. CVE-2025-23411 (CVSS 6.3 – Medium) Cross-Site Request Forgery (CSRF)
   • Description: The system is vulnerable to CSRF attacks, allowing attackers to trick users into performing unintended actions.
   • Impact: Could lead to unauthorized system changes or the theft of sensitive information.

Affected Versions:

• myPRO Manager versions prior to 1.4

Fixed Version:

• myPRO Manager v1.4

Mitigation & Recommendations:

• Upgrade to myPRO Manager v1.4 immediately.
• Restrict access to the administrative web interface.
• Implement strong authentication to prevent unauthorized access.
• Use secure storage mechanisms for sensitive credentials.
• Monitor for unauthorized access and implement network segmentation.

References:

• mySCADA Security Advisory:
  • mySCADA myPRO Manager Updates: https://www.myscada.org/downloads/mySCADAPROManager/

8. Security Updates – AMD

AMD has released security updates to address multiple vulnerabilities affecting its EPYC and Ryzen Embedded processors. These vulnerabilities could allow arbitrary code execution, memory corruption, privilege escalation, and potential data leaks.

Notable Vulnerabilities:

1. CVE-2023-31342, CVE-2023-31343, CVE-2023-31345 (CVSS 7.5 – High)
   • Issue: Improper input validation in the System Management Mode (SMM) handler.
   • Impact: Privileged attackers could overwrite SMRAM and execute arbitrary code.
2. CVE-2023-31352 (CVSS 6.0 – Medium)
   • Issue: Vulnerability in Secure Encrypted Virtualization (SEV) firmware.
   • Impact: Attackers could read unencrypted memory, leading to potential data exposure.
3. CVE-2023-20515 (CVSS 5.7 – Medium)
   • Issue: Improper access control in the firmware TPM (fTPM) driver.
   • Impact: Attackers could corrupt system memory, compromising data integrity.
4. CVE-2023-20582 (CVSS 5.3 – Medium)
   • Issue: Flaws in the IOMMU could bypass RMP checks in SEV-SNP.
   • Impact: Attackers could compromise guest memory security.
5. CVE-2023-31356 (CVSS 4.4 – Medium)
   • Issue: Incomplete system memory cleanup in SEV firmware.
   • Impact: Could lead to guest memory corruption, affecting data integrity.

Affected Products:

These vulnerabilities impact the following AMD processors:

• EPYC Embedded Series: 3000, 7002, 7003, 9004
• Ryzen Embedded Series: R1000, R2000, 5000, 7000, V1000, V2000, V3000

Firmware Updates:

AMD has released key firmware updates to mitigate these vulnerabilities:

• EPYC Embedded 7003: EmbMilanPI-SP3 1.0.0.8 (2024-01-15)
• EPYC Embedded 9004: EmbGenoaPI-SP5 1.0.0.7 (2024-07-15)
• Ryzen Embedded R1000: EmbeddedPI-FP5 1.2.0.C (2024-06-14)
• Ryzen Embedded 7000: EmbeddedAM5PI 1.0.0.1 (2024-07-31)

Mitigation & Recommendations:

1. Apply Firmware Updates Immediately: Patch affected systems using AMD’s provided PI firmware versions.
2. OEMs Should Deploy BIOS and Firmware Patches: Ensure all patches are properly implemented.
3. Enforce Access Controls: Restrict firmware modification privileges.
4. Monitor Systems: Audit logs for unusual activity indicating exploitation attempts.
5. Secure System Configurations: Disable unnecessary services and apply least-privilege principles.

References:

• AMD Security Bulletin:
  • AMD SB-5004: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html

9. Critical Vulnerability in Brizy Plugin

A critical security vulnerability has been discovered in the Brizy – Page Builder plugin for WordPress, which could allow attackers to execute malicious code and completely compromise affected websites.

Vulnerability Details:

• CVE-2024-10960
• CVSS Score: 9.9 (Critical)
• Issue: A flaw exists in the storeUploads function of the plugin, which fails to properly validate file types, allowing authenticated users with Contributor-level access or higher to upload arbitrary files to the server.
• Impact:
  • Remote Code Execution (RCE): Attackers can execute arbitrary code on the web server.
  • Website Takeover: Complete control over the compromised WordPress site.
  • Data Theft: Unauthorized access to sensitive user information and database contents.
  • Malware Distribution: Attackers can inject malicious scripts into websites to infect visitors and spread malware.

Affected Versions:

• Brizy – Page Builder Plugin versions up to and including 2.6.4 are vulnerable.

Fixed Versions:

• Brizy – Page Builder Plugin version 2.6.5 or later.

Mitigation & Recommendations:

1. Update Immediately: Upgrade to Brizy Plugin 2.6.5 or later to patch the vulnerability.
2. Restrict User Roles: Limit Contributor-level access to trusted users only.
3. Enable Web Application Firewalls (WAFs): Protect WordPress sites against file upload attacks.
4. Monitor for Suspicious Activity: Check for unauthorized file uploads and unusual administrative actions.
5. Backup Your Website: Regularly maintain secure backups in case of compromise.

References:

• CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-10960

10. Critical Vulnerability in Juniper Networks Devices

A critical vulnerability in Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers allows attackers to bypass authentication and gain administrative control over affected devices.

Vulnerability Details:

• CVE-2025-21589
• CVSS Score: 9.8 (Critical)
• Impact:
  • Authentication Bypass: Attackers can gain full administrative access.
  • Potential Device Takeover: Compromised routers could be used for further network exploitation.

Affected Versions:

• Session Smart Router & Conductor:
  • Versions 5.6.7 before 5.6.17, 6.0.8, 6.1 before 6.1.12-lts, 6.2 before 6.2.8-lts, 6.3 before 6.3.3-r2
• WAN Assurance Managed Routers:
  • Same affected versions as above.

Fixed Versions:

• Upgrade to:
  • SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, or later.
• Mist Cloud Devices: Ensure devices are connected for automatic patching.

Mitigation & Recommendations:

1. Apply Firmware Updates Immediately to patched versions.
2. Restrict Network Access: Limit exposure of management interfaces.
3. Monitor Logs & Unusual Activity to detect signs of exploitation.
4. Upgrade Conductor Nodes: This will automatically apply patches to connected routers.

References:

• Juniper Security Bulletin: https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-BulletinSession-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US 

11. Multiple Vulnerabilities in HP LaserJet Printers

Several critical vulnerabilities in HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers could allow Remote Code Execution (RCE) and Privilege Escalation, potentially compromising sensitive information.

Vulnerability Details:

• CVE-2025-26506 – CVSS 9.2 (Critical) – Remote Code Execution (RCE)
• CVE-2025-26508 – CVSS 8.3 (High) – Privilege Escalation (EoP)
• CVE-2025-26507 – CVSS 6.3 (Medium) – Security bypass vulnerability

Impact:

• Unauthorized Remote Code Execution on the affected printers.
• Potential Network Compromise by exploiting vulnerabilities in print job processing.
• Elevation of Privileges, allowing attackers to manipulate device settings and access restricted data.

Affected Devices:

• HP LaserJet Pro Series
• HP LaserJet Enterprise Series
• HP LaserJet Managed Printers

Fixed Versions:

• Firmware patches available via HP Security Bulletins.

Mitigation & Recommendations:

1. Update Firmware: Apply the latest firmware updates released by HP.
2. Restrict Network Access: Limit printer access to trusted networks only.
3. Disable Unused Services: Turn off unnecessary print protocols and remote management features.
4. Monitor Printer Logs: Regularly check for abnormal network activity.

References:

• HP Security Bulletin: https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007

12. High-Severity Vulnerability in AMD Ryzen Master Utility

A DLL hijacking vulnerability in AMD Ryzen Master Utility could allow privilege escalation and arbitrary code execution, leading to a full system compromise.

Vulnerability Details:

• CVE-2024-21966 – CVSS 7.3 (High)
• The application loads external DLLs without proper validation, allowing an attacker to inject a malicious DLL and escalate privileges.
• Successful exploitation could give an attacker full control over the system.

Affected Versions:

• All versions prior to 2.14.0.3205

Fixed Version:

• AMD Ryzen Master Utility 2.14.0.3205 or later

Mitigation & Recommendations:

1. Update Immediately: Install AMD Ryzen Master Utility version 2.14.0.3205 or later.
2. Restrict Privileges: Avoid running applications with unnecessary administrative privileges.
3. Monitor System Activity: Look for unexpected DLL loading behavior and block suspicious execution.

References:

• AMD Security Bulletin: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-9010.html

13. Phishing Campaign Targets Microsoft Device-Code Authentication

Threat Actor: Russia-backed Storm-2372
Targeted Sectors: Government, IT, defense, telecom, healthcare, education, energy
Regions Impacted: North America, Europe, Africa, Middle East

Attack Method:

• Uses device-code phishing to trick users into entering authentication codes on legitimate Microsoft sign-in portals.
• Attackers steal access and refresh tokens to infiltrate Microsoft 365 accounts, bypassing passwords.
• Uses Microsoft Teams, Signal, and WhatsApp lures.

Recent Escalation:

• Now exploits Microsoft Authentication Broker’s client ID to gain persistent access via Entra ID.
• Steals emails and registers attacker-controlled devices inside corporate networks.

Mitigation:

1. Disable Device-Code Authentication via Conditional Access Policies.
2. Enforce Phishing-Resistant MFA (FIDO2 keys, certificate-based authentication).
3. Monitor Microsoft Entra ID Logs for unauthorized device registrations.
4. Educate Users on phishing tactics.

Reference:
https://www.cybersecuritydive.com/news/phishing-campaign-targets-microsoft-device-code-authentication-flows/740201/

14. Cybercriminals Exploit Onerror Event in Image Tags for Payment Skimmers

Targeted Platform: Magento, WooCommerce, PrestaShop, WordPress
Objective: Steal credit card details from e-commerce checkout pages

Attack Method:

• MageCart attackers inject malware within <img> tags, disguising malicious JavaScript code.
• Uses Base64-encoded content inside image attributes to stay undetected.
• Triggers JavaScript execution when an image fails to load via the onerror event.
• Inserts a fake checkout form for card number, expiration date, and CVV.
• Exfiltrates stolen data to wellfacing[.]com.

Why It’s Dangerous:

• Bypasses security scanners by hiding inside standard <img> elements.
• No visual changes on checkout pages, making detection difficult.
• Stays persistent by leveraging WordPress must-use (mu-plugins) for backdoors and automatic execution.

Mitigation Steps:

1. Regularly Audit Website Code for hidden <img> tags and unexpected Base64 encoding.
2. Monitor JavaScript Execution with Content Security Policy (CSP) to prevent unauthorized scripts.
3. Secure WordPress & Magento by restricting access to mu-plugins and disabling unnecessary permissions.
4. Use Web Application Firewalls (WAF) to detect and block MageCart-style attacks.
5. Implement Real-Time Monitoring to detect unauthorized form injections.

Reference:
https://thehackernews.com/2025/02/cybercriminals-exploit-onerror-event.html 

15. New FrigidStealer Infostealer Targeting macOS Users

Target: macOS users
Threat Actor: TA2726 and TA2727
Delivery Method: Fake browser update campaigns

Attack Method:

• Malicious JavaScript injected into legitimate websites.
• Fake browser update prompts for Safari/Chrome trick users into downloading FrigidStealer.
• Malware is delivered as a DMG file, requiring users to bypass macOS Gatekeeper manually.

Malware Capabilities:

• Steals browser credentials (cookies, login data) from Safari and Chrome.
• Extracts cryptocurrency wallet credentials from Desktop/Documents folders.
• Harvests sensitive notes from Apple Notes.
• Exfiltrates data to ‘askforupdate[.]org’.

Indicators of Compromise (IOC):

• Fake browser update alerts redirecting to malicious download links.
• Presence of suspicious DMG files related to system updates.

Mitigation Steps:

1. Only update browsers from official sources (App Store, vendor websites).
2. Avoid executing updates from pop-up notifications on unknown sites.
3. Enable Gatekeeper and System Integrity Protection (SIP) to block unverified apps.
4. Use a strong antivirus solution that scans for macOS-specific threats.
5. Enable Two-Factor Authentication (2FA) on critical accounts.

Reference:
https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware 

16. Ghost (Cring) Ransomware Threat

Overview:

Ghost ransomware operators have been conducting widespread ransomware attacks since early 2021, targeting over 70 countries. Affected sectors include critical infrastructure, healthcare, education, government, and SMBs. Attackers exploit known vulnerabilities in outdated software and firmware to gain initial access, deploy ransomware, and demand cryptocurrency payments.

Attack Chain & Techniques:

• Initial Access: Exploiting public-facing applications using vulnerabilities such as CVE-2018-13379, CVE-2021-34473, and CVE-2021-34523.
• Execution: Deployment of ransomware payloads including Cring.exe, Ghost.exe, Elysium0.exe, and Locker.exe using PowerShell and Command Shell commands.
• Persistence: Attackers create new accounts and install web shells or backdoors to maintain access.
• Privilege Escalation: Utilizing tools such as SharpZeroLogon, BadPotato, and GodPotato to escalate privileges.
• Credential Access: Dumping credentials using Mimikatz and Cobalt Strike hashdump.
• Defense Evasion: Disabling Windows Defender and antivirus to avoid detection.
• Discovery: Performing network and remote system reconnaissance using tools like SharpShares, Ladon 911, and SharpNBTScan.
• Lateral Movement: Using WMIC and PowerShell commands to spread across the network.
• Exfiltration: Transferring stolen data to Mega.nz and other cloud services before encryption.
• Command & Control: Using HTTP(S) encrypted traffic for C2 communication.
• Impact: Encrypting files, deleting shadow copies, and rendering systems unusable until ransom is paid.

Indicators of Compromise (IOCs):

A full list of IP addresses, file hashes, and domains associated with Ghost ransomware is available in the attached file.

Mitigation Steps:

1. Apply Security Patches – Prioritize fixing vulnerabilities in public-facing applications.
2. Implement Strong Backups – Maintain offline backups and test their integrity regularly.
3. Segment Networks – Restrict lateral movement within corporate and industrial networks.
4. Enforce Multi-Factor Authentication (MFA) – Use FIDO2 hardware tokens for phishing-resistant authentication.
5. Limit PowerShell Usage – Monitor and block unauthorized PowerShell activity.
6. Strengthen Email Security – Implement DMARC, DKIM, and SPF to mitigate phishing attacks.
7. Block Unused Ports & Services – Disable RDP (3389), FTP (21), SMB (445) unless necessary.
8. Train Employees on Phishing Awareness – Educate staff on recognizing and reporting phishing attempts.
9. Implement Application Allowlisting – Restrict the execution of unauthorized applications.
10. Monitor for Unusual Network Traffic – Use SIEM and IDS solutions to detect suspicious activities.

Reference:

https://www.cisa.gov/sites/default/files/2025-02/aa25-050a-stopransomware-ghost-cring-ransomware.pdf