Weekly Threat Landscape Digest – Week 31

1. Microsoft SharePoint Server – Critical Zero-Day Exploitation – Update 2

Microsoft SharePoint Server continues to be actively targeted by multiple threat actors exploiting a critical zero-day vulnerability (CVE-2025-53770) and related flaws. The attacks involve the deployment of GhostWebShell, a stealthy ASP.NET-based web shell with Base64-encoded payloads, enabling remote command execution via exposed parameters. In observed campaigns, attackers also use KeySiphon for credential harvesting and reconnaissance, followed by Warlock ransomware distribution through compromised Group Policy Objects (GPOs), signifying escalation to domain-level privileges.

Key Vulnerabilities

• CVE-2025-49706 – Spoofing Vulnerability
• CVE-2025-49704 – Remote Code Execution Vulnerability
• CVE-2025-53770 – Authentication Bypass → RCE (related to CVE-2025-49704)
• CVE-2025-53771 – Path Traversal (related to CVE-2025-49706)
• CVSS Score: Up to 9.8 (Critical)

Impact

• Remote code execution with full admin privileges
• Unauthorized access to sensitive credentials
• Lateral movement and domain compromise
• Potential ransomware deployment

Affected Products & Patches

• SharePoint Server Subscription Edition: Patch available (KB5002768)
• SharePoint Server 2019: Patch available (KB5002754, Build 16.0.10417.20027)
• SharePoint Server 2016: Patch pending – configuration-level mitigations required

Recommended Actions

1. Apply the latest Microsoft security patches immediately.
2. Audit servers for unauthorized web shells or abnormal ASP.NET activity.
3. Monitor and validate GPO changes against approved configurations.
4. Implement endpoint detection for credential dumping and suspicious command-line activity.
5. Block external access to SharePoint servers at the firewall until fully patched.
6. Enable AMSI integration and ensure Microsoft Defender AV is running with real-time protection.
7. Isolate compromised systems and preserve forensic artifacts.
8. Rotate all credentials, prioritizing service accounts.

References

• https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepointvulnerability-cve-2025-53770/
• https://nvd.nist.gov/vuln/detail/CVE-2025-53770
• https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-activeexploitation-of-on-premises-sharepoint-vulnerabilities/
• https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
• https://github.com/soltanali0/CVE-2025-53770-Exploit
• https://assets.adgm.com/download/assets/20250729-Critical_Zero-Day_Exploitation_of_SharePoint_Server-Update+2+-+Alert+574.pdf/64d0f2646d0a11f0849ece198e1d2a58 

2. Apple Security Updates – Multiple Critical Vulnerabilities Patched

Apple has issued security updates across its product ecosystem—including Safari, iOS, iPadOS, macOS, watchOS, tvOS, and visionOS—to address several critical vulnerabilities. These flaws range from privilege escalation and memory corruption to remote code execution and denial-of-service (DoS) risks. Key highlights include:

• CVE-2025-6558:
  • Component: ANGLE & GPU (Chrome-related)
  • Impact: Remote code execution via crafted HTML, potential WebKit crash in Safari
  • Status: Exploited in the wild (no confirmed impact on Safari users)
• CVE-2025-43223:
  • Component: CFNetwork (macOS, iOS)
  • Impact: Privilege escalation by modifying restricted network settings
  • Severity: High

Apple urges users and enterprises to install the latest versions promptly to ensure protection from active threats. These updates are applicable to iPhone XS and later, modern iPads, MacBooks running macOS Ventura/Sonoma/Sequoia, Apple Watches (Series 6+), Apple TV, and Vision Pro.

Reference: https://support.apple.com/en-ae/100100

3. BeyondTrust Privilege Management for Windows – High-Severity Privilege Escalation Vulnerabilities

Multiple high-severity vulnerabilities have been discovered in BeyondTrust Privilege Management for Windows, which could allow attackers to gain elevated privileges and bypass critical endpoint protection features. These flaws pose a serious risk to enterprise systems, especially in environments with minimal user restrictions.

CVE-2025-2297 – Local Elevation via User Profile Manipulation

• CVSS Score: 7.2 (High)
• Impact: Allows a local authenticated attacker to manipulate user profile files and inject unauthorized challenge-response entries into the Windows registry. If the system is configured to auto-approve such challenges, privilege escalation to administrator level is possible.

CVE-2025-6250 – Anti-Tamper Bypass via WMIC Exploit

• CVSS Score: 7.1 (High)
• Impact: Attackers with elevated privileges can use wmic.exe to stop the Defendpoint service, effectively bypassing anti-tamper protections. This can lead to unauthorized administrative access and execution of privileged processes.

Affected Versions: All versions prior to 25.4.270.0
Fixed Version: 25.4.270.0 and later

It is strongly recommended to apply the latest security updates provided by BeyondTrust to mitigate the risk of exploitation.

References:
https://www.beyondtrust.com/trust-center/security-advisories/bt25-05
https://www.beyondtrust.com/trust-center/security-advisories/bt25-06

4. Actively Exploited Remote Code Execution Vulnerability in Alone WordPress Theme

A critical remote code execution (RCE) vulnerability has been identified in the “Alone – Charity Multipurpose Non-profit” WordPress theme, tracked as CVE-2025-5394, and is currently under active exploitation. The vulnerability stems from the alone_import_pack_install_plugin() function, which lacks necessary capability and nonce checks, making it accessible to unauthenticated users via the exposed nopriv AJAX hook.

Exploitation of this flaw allows attackers to upload arbitrary PHP files, install unauthorized plugins from remote sources, and gain full control over the targeted website.

Vulnerability Summary:

• CVE ID: CVE-2025-5394
• CVSS Score: 9.8 (Critical)
• Type: Remote Code Execution via Arbitrary File Upload
• Affected Function: alone_import_pack_install_plugin()
• Exploitation Vector: Unauthenticated AJAX access
• Affected Versions: Versions below 7.8.5
• Patched Version: 7.8.5
• Current Status: Exploited in the wild

Impact:

• Complete site takeover
• Persistent backdoors and malware installation
• Unauthorized plugin deployments
• Potential data theft, SEO poisoning, and defacement

Recommended Actions:

• Update the theme to version 7.8.5 or later immediately
• Perform a full file integrity scan of the WordPress site
• Review plugin and theme installations for anomalies
• Deploy a web application firewall (WAF) to block exploit attempts
• Monitor server logs for suspicious file uploads and AJAX requests

Reference:

• https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-criticalvulnerability-in-alone-theme/

5. Security Updates – Google Chrome (CVE-2025-8292)

Google has released security updates for the Chrome browser addressing multiple vulnerabilities, most notably a high-severity use-after-free vulnerability in the Media Stream component. Tracked as CVE-2025-8292, this flaw could allow attackers to execute arbitrary code or crash the browser through memory mismanagement. Users on Windows, macOS, Linux, iOS, and Android are urged to update their browsers immediately to mitigate potential risks.

Vulnerability Summary:

• CVE ID: CVE-2025-8292
• Severity: High
• Type: Use-After-Free
• Component: Media Stream
• Impact: Arbitrary code execution or browser crash
• Status: Patched

Affected Versions:

• Desktop Stable Channel:
  • Chrome 138.0.7204.183/.184 for Windows and macOS
  • Chrome 138.0.7204.183 for Linux
• Early Stable Channel:
  • Chrome 139.0.7258.66 for Windows and macOS
• Mobile Platforms:
  • Chrome 139.0.7258.62 for Android
  • Chrome 139.0.7258.60 for iOS

Recommended Actions:

• Update Google Chrome to the latest stable version on all platforms
• Restart the browser after updating to complete the patch process
• Monitor browser activity for anomalies suggesting exploitation
• Enforce update policies in enterprise environments

References:

• https://chromereleases.googleblog.com/2025/07/stable-channel-update-fordesktop_29.html
• https://chromereleases.googleblog.com/

6. High-Severity Vulnerability in SolarWinds Observability Self-Hosted (CVE-2025-26397)

A high-severity vulnerability has been identified in SolarWinds Observability Self-Hosted (SWOSH), which could allow local authenticated attackers to escalate privileges on the host system. Tracked as CVE-2025-26397, this flaw is due to improper deserialization of untrusted data, enabling malicious files to execute within protected directories. Exploitation requires local access and valid credentials, but if successful, could compromise system confidentiality, integrity, and availability.

Vulnerability Summary:

• CVE ID: CVE-2025-26397
• CVSS Score: 7.8 (High)
• Type: Deserialization of Untrusted Data
• Impact: Privilege Escalation
• Access Vector: Local, authenticated

Affected Versions:

• SWOSH: 2025.2 and earlier

Fixed Version:

• SWOSH: 2025.2.1

Recommended Actions:

• Apply the latest updates provided by SolarWinds immediately
• Restrict access to vulnerable systems until patches are deployed
• Monitor local user activity for unusual privilege changes
• Conduct a security audit post-patching to verify system integrity

References:

• https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26397

7. Critical Command Injection Vulnerability in GitHub Action Workflow (CVE-2025-54416)

A critical command injection vulnerability has been identified in the tj-actions/branch-names GitHub Action, which is widely used in CI/CD workflows. The vulnerability stems from unsafe use of the eval function, allowing attackers to execute arbitrary shell commands by crafting malicious branch or tag names. If exploited, this could lead to unauthorized access, code tampering, or exfiltration of sensitive data within automated pipelines.

Vulnerability Summary:

• CVE ID: CVE-2025-54416
• CVSS Score: 9.1 (Critical)
• Component: tj-actions/branch-names GitHub Action
• Type: Command Injection via CI/CD workflows
• Impact: Remote code execution, CI pipeline compromise

Affected Versions:

• All versions prior to v9.0.0

Fixed Version:

• v9.0.0 and later

Recommended Actions:

• Immediately update to version 9.0.0 or later
• Audit CI workflows for the use of vulnerable actions
• Review branch/tag naming conventions and implement input sanitization
• Monitor CI logs and deployments for anomalies

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-54416

8. Actively Exploited Remote Code Execution Vulnerability in PaperCut (CVE-2023-39469)

A critical remote code execution vulnerability has been identified and is being actively exploited in PaperCut NG/MF print management software. The issue originates from a Cross-Site Request Forgery (CSRF) flaw that allows attackers to manipulate system configurations without proper authorization. Under certain conditions, this can escalate to remote code execution (RCE), potentially enabling threat actors to gain full control of the affected system.

Vulnerability Summary:

• CVE ID: CVE-2023-39469
• CVSS Score: 7.2 (High)
• Severity: High
• Type: Remote Code Execution via insecure scripting
• CWE: CWE-94 – Improper Control of Generation of Code
• Exploit Status: Actively Exploited in the Wild

Affected Versions:

• PaperCut NG/MF: Versions prior to 22.1.1

Fixed Version:

• 22.1.1 and later

Recommended Actions:

• Upgrade to PaperCut NG/MF version 22.1.1 or above
• Review server access logs and scripting configurations
• Disable any unnecessary or unused scripting features
• Monitor for indicators of unauthorized changes or access

References:

• https://www.papercut.com/kb/Main/SecurityBulletinJune2023

9. High-Severity Denial-of-Service Vulnerability in Python (CVE-2025-8194)

A high-severity vulnerability has been discovered in Python’s standard tarfile module that could be exploited to cause denial-of-service (DoS) conditions on affected systems. Tracked as CVE-2025-8194, this flaw arises from improper handling of .tar archive files containing entries with negative offsets. When such files are processed, the module may enter an infinite loop, leading to resource exhaustion and application or system hangs.

Vulnerability Summary:

• CVE ID: CVE-2025-8194
• CVSS Score: 7.5 (High)
• Severity: High
• Type: Denial of Service (DoS) via infinite loop
• Component: tarfile module in Python
• Impact: Application hangs, unresponsiveness, system DoS

Affected Versions:

• All Python versions prior to 3.14.0

Fixed Version:

• Python 3.14.0 and above

Recommended Actions:

• Upgrade Python to version 3.14.0 or later
• Avoid processing untrusted .tar archives
• Implement input validation before using tarfile extraction logic
• Monitor systems for unusual resource consumption or processing delays

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-8194

10. Critical Authentication Bypass Vulnerability in Node-SAML (CVE-2025-54369)

A critical authentication bypass vulnerability has been discovered in Node-SAML, a widely used library enabling SAML 2.0 authentication in Node.js applications. Tracked as CVE-2025-54369 and carrying a CVSS score of 9.3, the flaw arises from a logic flaw in how SAML assertions are parsed post-signature verification. Despite verifying XML signatures correctly, Node-SAML retrieves and processes assertion data from the original, unsigned response, allowing attackers to inject modified authentication attributes—such as usernames—after signature validation.

Vulnerability Summary:

• CVE ID: CVE-2025-54369
• CVSS Score: 9.3 (Critical)
• Severity: Critical
• Type: Authentication Bypass via SAML Assertion Manipulation
• Impact: Privilege escalation, account impersonation, SSO bypass

Exploitation Impact:

• Privilege Escalation: Impersonation of admin or elevated accounts
• Account Confusion: User misrouting or incorrect access policy enforcement
• SSO Bypass: Circumvent identity verification by IdPs

Affected Versions:

• All Node-SAML versions prior to 5.1.0

Fixed Version:

• Node-SAML 5.1.0 and later

Recommended Actions:

• Upgrade Node-SAML to version 5.1.0 or higher
• Review and monitor authentication workflows for anomalous assertion handling
• Apply additional assertion validation checks post-signature verification
• Isolate and patch services dependent on Node-SAML urgently

References:

• https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7

11. High-Severity Vulnerabilities in Tableau Server (Multiple CVEs)

Multiple high-severity vulnerabilities have been identified in Tableau Server, a popular data visualization and BI platform. These flaws, disclosed by Salesforce, include SQL injection, remote code execution, path traversal, and server-side request forgery (SSRF) risks that collectively threaten data confidentiality, system integrity, and internal network exposure. Successful exploitation could allow attackers to execute arbitrary SQL commands, upload and execute malicious files, read sensitive system files, and initiate unauthorized internal or external network requests.

Vulnerability Summary:

• CVE IDs: CVE-2025-52446 to CVE-2025-52455
• CVSS Severity: High to Critical
• Types:
  • Arbitrary SQL execution (CVE-2025-52446/47/48)
  • Remote Code Execution via file upload (CVE-2025-52449)
  • Absolute path traversal (CVE-2025-52452)
  • SSRF (CVE-2025-52453/54/55)

Exploitation Impact:

• Unauthorized production database access
• Full system compromise through RCE
• Exposure of sensitive credentials/config files
• SSRF-based lateral movement or metadata access

Affected Versions:

• Tableau Server before 2025.1.3
• Tableau Server before 2024.2.12
• Tableau Server before 2023.3.19

Recommended Actions:

• Apply security patches immediately for all impacted versions
• Monitor logs for signs of SQL injection or SSRF attempts
• Restrict file upload capabilities and validate file types
• Implement firewall rules to prevent internal SSRF abuse

References:

• https://help.salesforce.com/s/articleView?id=005105043&type=1

12. Multiple Critical Vulnerabilities in Tridium Niagara Framework (CVE-2025-3936 to CVE-2025-3945)

Niagara Framework, a widely used platform for building automation, industrial control systems, and smart infrastructure. These vulnerabilities, if exploited, could result in full system compromise, including remote code execution, credential theft, and persistent backdoor creation.

The flaws affect several components within the framework and can be exploited by attackers with network access—especially in cases where encryption is disabled or misconfigured.

Key Vulnerabilities and Risk:

The most severe issues include incorrect permission assignments, weak cryptographic handling, improper input neutralization, and insecure logging practices. A notable attack chain involves the use of an unencrypted Syslog service to steal anti-CSRF tokens and session cookies, which can then be used to hijack admin sessions and create unauthorized users. This is followed by downloading TLS private keys and triggering root-level remote code execution.

Impact of Successful Exploitation:

• Full compromise of the Niagara system
• Creation of unauthorized admin accounts with persistent access
• Remote code execution with elevated privileges
• Access to and manipulation of critical infrastructure controls
• Potential disruption of both IT and OT environments

Affected Versions:

• Tridium Niagara Framework versions prior to:
  • 4.14.2u2
  • 4.15u1
  • 4.10u11

Recommended Actions:

• Immediately apply the latest available patches provided by Tridium
• Ensure encryption is enabled across all network communications
• Harden logging configurations and limit sensitive data exposure
• Enforce least-privilege access policies for users and services
• Segment IT and OT networks and restrict external access to Niagara systems
• Continuously monitor logs and dashboards for suspicious behavior

References:

• https://www.nozominetworks.com/blog/critical-vulnerabilities-found-in-tridium-niagara-framework
• https://www.honeywell.com/us/en/product-security#security-notices

13. Security Updates – NVIDIA GPU Display Driver Vulnerabilities

that NVIDIA has released security updates addressing multiple high-severity vulnerabilities in its GPU Display Driver for both Windows and Linux platforms. These vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, tamper with data, or cause denial-of-service (DoS) conditions, impacting the confidentiality, integrity, and availability of affected systems.

Key Vulnerabilities:

• CVE-2025-23276: A vulnerability in the NVIDIA Installer for Windows may allow an attacker to escalate privileges. This issue can lead to code execution, DoS, privilege escalation, information disclosure, and data tampering. CVSS Score: 7.8 (High)
• CVE-2025-23277: The Display Driver for Windows and Linux contains a kernel mode driver vulnerability. An attacker could access memory outside permitted bounds, potentially resulting in information disclosure, DoS, and data tampering. CVSS Score: 7.3 (High)
• CVE-2025-23278: The driver contains a flaw in index validation when receiving crafted parameters, which could lead to improper handling, resulting in DoS and data tampering. CVSS Score: 7.1 (High)

Impact of Exploitation:

• Execution of arbitrary code with elevated permissions
• Unauthorized access to sensitive data
• System instability or crashes (DoS)
• Tampering with system or user data

Recommended Actions:

• Immediately update affected drivers to the latest fixed versions
• Refer to NVIDIA’s official July 2025 security bulletin for patch details
• Monitor systems running vulnerable driver versions for suspicious activity

References:

• https://nvidia.custhelp.com/app/answers/detail/a_id/5670

14. Privilege Escalation Vulnerability in Post SMTP WordPress Plugin

A high-severity vulnerability has been identified in the Post SMTP WordPress Plugin that could allow attackers to escalate privileges and take full control of affected WordPress websites. The vulnerability (CVE-2025-24000), rated with a CVSS score of 8.8, stems from broken access control in the plugin’s REST API, particularly in the get_logs_permission function. This function improperly validates user privileges—only checking if a user is logged in, rather than verifying their access level. As a result, even users with minimal privileges (e.g., Subscribers) can exploit the flaw to:

• View complete email logs, including sensitive message contents
• Resend emails without authorization
• View email statistics
• Intercept password reset emails and compromise admin accounts

Impact: Successful exploitation enables full site takeover via privilege escalation.
Affected Versions: 3.2.0 and below
Fixed Version: 3.3.0

Recommended Action: Immediately update the Post SMTP Plugin to version 3.3.0 or higher. Site administrators should also review user roles and email logs for any suspicious activity.

Reference:

• https://patchstack.com/articles/account-takeover-vulnerability-affecting-over-400k-installations-patched-in-post-smtp-plugin/

15. Security Updates – HPE Telco Service Orchestrator
    Hewlett Packard Enterprise (HPE) has released a security update addressing a high-severity vulnerability in the Telco Service Orchestrator platform. The vulnerability allows attackers to remotely trigger a Denial of Service (DoS) condition, thereby disrupting system availability.

The vulnerability stems from improperly handled IP protocol errors, which can be exploited remotely to exhaust system resources, leading to client starvation and service outage.

Vulnerability Details:

• CVE ID: CVE-2025-48367
• CVSS v3 Score: 7.5 (High)
• Impact: Remote Denial of Service (DoS)
• Affected Product: HPE Telco Service Orchestrator versions prior to 5.0.2
• Fixed Version: 5.0.2 and above

Recommendations:

• Upgrade to HPE Telco Service Orchestrator version 5.0.2 or later immediately.
• Monitor affected systems for signs of anomalous traffic or service disruption.
• Restrict unnecessary exposure of the orchestrator platform to untrusted networks.

Reference:

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04901en_us&docLocale=en_US 

16. Internal Phishing via Microsoft 365 Direct Send Abuse
    Threat actors are abusing the Direct Send functionality of Microsoft 365 to deliver phishing emails that bypass sender verification controls. These emails land in users’ junk folders, but still deliver malicious payloads, exploiting users’ trust in internal communications. The campaign also demonstrates how adversaries weaponize legitimate cloud services to evade security mechanisms.

Key Findings:

• Technique Used: Abuse of Direct Send, which allows unauthenticated emails to be sent to internal Microsoft 365 users.
• Delivery Method: Spoofed internal emails relayed through unsecured third-party email security appliances.
• Sender Infrastructure: Hosted on Windows Server 2022 VPS using RDP and SMTP, with self-signed or expired certificates.
• Payload Delivery: Emails frequently included business-themed lures, such as task reminders, payment approvals, and voicemail alerts.

Threat Impact:

• Bypasses Microsoft 365 authentication (compauth=fail) yet still delivers messages to user inboxes/junk.
• High trust phishing due to internal sender appearance.
• Potential credential theft, malware execution, or social engineering success.

Observed Lures:

• “Your-to-do-List/MM/DD/YYYY”
• “Wire-eAuthorization approval MM/DD/YYYY”
• “Payment ACH-Wire Authorization”
• “Daily Reminder: Today’s Tasks – MM/DD/YYYY”
• “Reminder – To Do – MM/DD/YYYY”
• “WIRELESSCALLER(XXX)YYY-ZZZZ-MM/DD/YYYY”

Indicators of Compromise (IOCs):

CN (Self-Signed Certificates):

• CN=WIN-BUNS25TD77J

Attacker-controlled IPs (Windows Server 2022 SMTP relays):

• 163.5.112[.]86
• 163.5.160[.]28
• 163.5.160[.]119
• 163.5.160[.]143
• 163.5.169[.]53

Recommendations for Microsoft 365 Customers:

• Disable Direct Send if not required:

                             Set-OrganizationConfig -RejectDirectSend $true

• Audit accepted unauthenticated relay IPs and review compauth=fail headers.
• Enforce SPF, DKIM, and DMARC with strict rejection policies.
• Implement advanced email protection solutions (e.g., Proofpoint Core Email Protection).
• Use services like Proofpoint Secure Email Relay to control application-generated email delivery.

Reference:

• https://www.proofpoint.com/uk/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing

17. Fire Ant Espionage Campaign Targeting VMware Infrastructure

Sygnia has disclosed a sophisticated cyber-espionage campaign, dubbed Fire Ant, actively targeting VMware virtualization infrastructure since early 2025. The campaign is linked to the Chinese-affiliated threat group UNC3886, known for prior intrusions in similar environments. Fire Ant focuses on critical blind spots in traditional security controls—namely ESXi hosts, vCenter servers, and network appliances—to gain persistent, stealthy access.

Key Highlights:

• Attribution: Likely linked to UNC3886, active in Singapore, with Chinese-language artifacts observed.
• Targets: VMware ESXi, vCenter, F5 Load Balancers, and network appliances across segmented and sensitive environments.
• Persistence: Maintains long-term access even after remediation, by rotating tools, modifying binaries, and impersonating forensic tools.
• Technique: Exploits multiple VMware vulnerabilities, including:
  • CVE-2023-34048: Unauthenticated RCE on vCenter
  • CVE-2023-20867: Host-to-guest command execution via PowerCLI
• Capabilities:
  • Bypasses network segmentation
  • Bridges isolated environments using trusted services
  • Gains hypervisor-level control to access guest VMs
  • Extracts service account credentials (vpxuser)
  • Tampered with memory snapshots to harvest credentials (e.g., domain controllers)

Attack Flow Summary:

1. Initial Access: Exploits CVE-2023-34048 to compromise vCenter without credentials.
2. Privilege Escalation: Extracts service account credentials and accesses ESXi hosts.
3. Persistence Mechanism: Deploys multiple backdoors across both ESXi and vCenter systems.
4. Guest VM Access: Exploits CVE-2023-20867 to execute commands without in-guest credentials.
5. Credential Theft: Dumps memory, including sensitive credentials, and bypasses EDR visibility.
6. Lateral Movement: Leverages network infrastructure and trusted services to pivot across segments.

Threat Behavior:

• Treats remediation as temporary disruption, re-infects with new toolsets shortly after clean-up.
• Monitors forensic tools and renames payloads to blend in with investigation activity.
• Operates below detection thresholds, exploiting telemetry gaps in infrastructure systems.
• Consistently bridges segmented zones using compromised infrastructure components.

Recommendations:

• Patch Management: Ensure all ESXi and vCenter servers are updated with the latest security patches.
• Credential Hygiene: Rotate admin/root credentials every ≤180 days. Use a PIM solution or secure documented process.
• Access Hardening:
  • Limit ESXi access through vCenter only.
  • Apply strict firewall rules allowing access only from jump servers or admin subnets.
  • Enable Lockdown Mode on ESXi to disable SSH, DCUI, and HTTPS access.
  • Periodically review and restrict tools with elevated access.
• Secure Boot: Enforce to block unsigned/unauthorized binaries.
• Monitoring: Treat hypervisor and virtualization layers as active threat surfaces. Deploy tailored detection and response for ESXi/vCenter telemetry.

Reference:

• https://industrialcyber.co/ransomware/sygnia-uncovers-fire-ant-espionage-campaign-targeting-virtualization-infrastructure-with-unc3886-ties/

18. Scattered Spider Targets ESXi Servers in Retail and Transportation Sectors

A new wave of highly targeted attacks by the Scattered Spider threat group has been observed, focusing on VMware ESXi servers in the retail, airline, and transportation sectors. Reported by Google Threat Intelligence Group (GTIG), this campaign marks a significant escalation, shifting from account takeovers to hypervisor-level control, bypassing traditional endpoint security.

Executive Summary:

• Threat Group: Scattered Spider (a.k.a. UNC3944)
• Targeted Infrastructure: VMware ESXi hypervisors
• Targeted Sectors: Retail, Airlines, Transportation (North America)
• Initial Access Method: Social engineering via IT help desk calls
• TTPs: Living-off-the-land techniques, credential abuse, backup destruction, root-level hypervisor access
• Campaign Style: Persistent, campaign-driven sabotage operations with ransomware as the final payload

Attack Highlights:

• No Zero-Days or Malware: The group does not rely on vulnerabilities or malware for initial access.
• Human Exploitation: Gains access through convincing phone-based social engineering attacks on internal help desk teams.
• Living-Off-the-Land (LOTL): Operates using legitimate admin tools and commands, avoiding detection.
• Hypervisor Targeting: The group goes straight for ESXi hypervisors, achieving root-level control and destroying backups to prevent recovery.
• Final Blow: Ransomware is deployed at the end of the attack cycle, used more as sabotage than financial extortion.

Expert Insights:

• Rom Carmel (Apono CEO):

“This isn’t smash-and-grab. It’s campaign-style cyber sabotage. Scattered Spider now bypasses endpoint controls and directly compromises infrastructure.”

• Nivedita Murthy (Black Duck):

“Help desks are now a primary attack vector. If not tightly secured, they offer attackers a way to stage initial compromise. Organizations must configure SIEM to monitor these entry points.”

Recommendations:

• Help Desk Security Training: Educate frontline IT staff on identifying social engineering indicators and enforce strict verification protocols before providing access or resetting credentials.
• Limit Privileged Access: Enforce least privilege and role-based access control (RBAC), especially for accounts with ESXi or vCenter permissions.
• SIEM Monitoring: Tune SIEM rules to monitor for anomalous access requests, remote logins, and ESXi/root activity.
• Hypervisor Hardening:
  • Restrict SSH access and remote management
  • Use Multi-Factor Authentication (MFA) for all infrastructure accounts
  • Regularly audit backup integrity and ensure offsite backups

Reference:

• https://www.scworld.com/news/scattered-spider-targets-esxi-servers-in-retail-transportation-sectors

19. UNC2891 Uses Physical ATM Implant and Novel Anti-Forensic Technique

Group-IB uncovered a sophisticated attempted bank heist conducted by UNC2891, a financially motivated threat group active since 2017. The attackers physically implanted a Raspberry Pi with a 4G modem into a bank ATM, establishing internal network access and leveraging a novel anti-forensic technique to hide their tracks.

Key Findings:

• Initial Access: Achieved through physical access by inserting a Raspberry Pi device into an ATM, bypassing traditional network security.
• C2 Communication: Established via TINYSHELL backdoor and a Dynamic DNS domain.
• Lateral Movement: Attackers gained access to the bank’s mail server from the ATM-connected switch.
• Backdoor Persistence: Used a fake process named lightdm located in a suspicious directory.
• Anti-Forensic Evasion:
  • Leveraged a previously undocumented Linux technique using bind mounts to hide /proc/[pid] entries.
  • Now documented as MITRE ATT&CK T1564.013 – Hide Artifacts: Bind Mounts.

Attack Objective:

UNC2891’s ultimate goal was to deploy the CAKETAP rootkit, which manipulates Hardware Security Module (HSM) responses to spoof ATM authorization and enable fraudulent withdrawals. The attack was detected and stopped before any cash was withdrawn.

Recommendations:

• Physical Security:
  • Secure all ATM and switch ports from unauthorized physical access.
  • Regularly inspect hardware for foreign devices.
• Forensic Readiness:
  • Capture both memory and disk images during incident response.
  • Watch for anomalous “mount” or “umount” system calls, especially those targeting /proc/[pid].
• Behavioral Alerts:
  • Monitor execution from suspicious paths like /tmp, .snapd, or mount points with tmpfs.
  • Generate alerts for mounting activities involving the /proc filesystem.

Reference:

• https://www.scworld.com/news/bank-attacked-with-physical-atm-implant-novel-anti-forensic-technique