Recent bundles

Ref: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. VMCI heap-overflow vulnerability (CVE-2025-22224)

Description: VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution: To remediate CVE-2025-22224 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22224 has occurred in the wild.

3b. VMware ESXi arbitrary write vulnerability (CVE-2025-22225)

Description: VMware ESXi contains an arbitrary write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors: A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Resolution: To remediate CVE-2025-22225 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild.

3c. HGFS information-disclosure vulnerability (CVE-2025-22226)

Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors: A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Resolution: To remediate CVE-2025-22226 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22226 has occurred in the wild.


Related vulnerabilities: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

StopRansomware: Ghost (Cring) Ransomware | CISA

Cybersecurity Advisory

Release Date: February 19, 2025

Alert Code: AA25-050A

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity

  1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
  2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E]. Common Vulnerabilities and Exposures (CVEs) exploited by Ghost actors: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
  3. Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
  4. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known IOCs and TTPs of Ghost (Cring) ransomware, referred to below as "Ghost", identified through FBI investigation as recently as January 2025.

Beginning in early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public-facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built-in Cobalt Strike functions to steal the tokens of processes running under the SYSTEM user context and impersonate SYSTEM, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials. 

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors use their access through Cobalt Strike to display a list of running processes [T1057] and determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a PowerShell command to disable Windows Defender on network-connected devices. The options used in this command are:

Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and the Windows Management Instrumentation Command-Line utility (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network, often to initiate additional Cobalt Strike Beacon infections. The associated encoded string is a Base64-encoded PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes (the Base64 wraps UTF-16LE text, as PowerShell's -encodedcommand expects) to $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(" followed by a further Base64 blob: the opening of a statement that loads that blob into a memory stream, and part of the in-memory execution of Cobalt Strike on the target machine.
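The two command shapes quoted in this advisory, the Set-MpPreference invocation under Defense Evasion and the -encodedcommand stager prefix here under Lateral Movement, can both be triaged from process-creation telemetry. The Python below is an added example and is not from the advisory: it decodes PowerShell -EncodedCommand arguments (Base64 of UTF-16LE, accepting any unambiguous abbreviation of the switch, as powershell.exe does), compares the decoded text with the stager prefix quoted above, and reports which Defender protections a Set-MpPreference call turns off, whether it appears in the visible command line or inside the decoded body. The four log records are constructed for the example, as is the "image|command_line" layout and the host name fileserver01.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed process-creation records for this example (not from the advisory),
# one per line as "image|command_line". fileserver01 is an invented host name.
SAMPLE_LOG = r"""
powershell.exe|powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA
powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
powershell.exe|powershell -NoProfile -Command Get-MpComputerStatus
wmic.exe|wmic /node:fileserver01 process call create "powershell -nop -w hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA"
"""

# Decoded form of the Base64 string the advisory quotes: the start of the
# Cobalt Strike PowerShell stager.
STAGER_PREFIX = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
_ENC_FORMS = "|".join("encodedcommand"[:i] for i in range(14, 0, -1)) + "|ec"
ENC_ARG = re.compile(r"(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % _ENC_FORMS, re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I)
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)
MP_PARAM = re.compile(r"-(\w+)\s+([$\w]+)")

# Set-MpPreference parameters that switch a protection off: boolean ones when
# set to 1/$true, enumerated ones when given the listed value.
MP_DISABLE_SWITCHES = {
    "disablerealtimemonitoring", "disableintrusionpreventionsystem",
    "disablebehaviormonitoring", "disablescriptscanning", "disableioavprotection",
}
MP_DISABLE_VALUES = {
    "enablecontrolledfolderaccess": {"disabled"},
    "mapsreporting": {"disabled"},
    "submitsamplesconsent": {"neversend"},
}

F_STAGER = "Cobalt Strike PowerShell stager prefix (T1059.001)"
F_UNDECODABLE = "undecodable -EncodedCommand argument"
F_WMIC = "remote PowerShell launch via WMIC (T1047)"
F_HIDDEN = "PowerShell started with a hidden window (T1564.003)"


def decode_encoded_command(arg: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of the UTF-16LE script text. PowerShell
    tolerates missing '=' padding, so pad before decoding; an odd byte count or
    a non-Base64 character means this is not a real encoded command."""
    padded = arg + "=" * (-len(arg) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_protections_disabled(text: str) -> List[str]:
    """Names of the Defender protections a Set-MpPreference call in text turns off."""
    if not re.search(r"\bset-mppreference\b", text, re.I):
        return []
    hits = []
    for name, value in MP_PARAM.findall(text):
        key, val = name.lower(), value.lower()
        if key in MP_DISABLE_SWITCHES and val in {"1", "$true"}:
            hits.append(name)
        elif key in MP_DISABLE_VALUES and val in MP_DISABLE_VALUES[key]:
            hits.append("%s=%s" % (name, value))
    return hits


def triage(record: str) -> Dict:
    image, _, cmdline = record.partition("|")
    findings: List[str] = []
    decoded = None
    m = ENC_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            findings.append(F_UNDECODABLE)
        elif decoded.startswith(STAGER_PREFIX):
            findings.append(F_STAGER)
    # Tampering may sit in the visible command line or inside the decoded body.
    disabled = defender_protections_disabled(cmdline) or defender_protections_disabled(decoded or "")
    if disabled:
        findings.append("Defender protections disabled (T1562.001): " + ", ".join(disabled))
    if WMIC_CREATE.search(cmdline) and "powershell" in cmdline.lower():
        findings.append(F_WMIC)
    if HIDDEN_WINDOW.search(cmdline):
        findings.append(F_HIDDEN)
    return {"image": image, "decoded": decoded, "findings": findings}


def scan(log_text: str) -> List[Dict]:
    return [triage(line) for line in log_text.strip().splitlines() if "|" in line]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result["image"], "->", "; ".join(result["findings"]) or "no findings")
```

The decoder is deliberately strict: an argument that fails Base64 validation or decodes to an odd number of bytes is reported rather than silently skipped, since a broken -EncodedCommand is itself worth a look. Matching the stager on the decoded text instead of the Base64 string matters because any change in the bytes that follow the quoted prefix (a different Beacon payload) alters the Base64 well before the end of the prefix's last 4-character group is reached.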

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim that exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited use of Mega.nz [T1567.002] and of installed web shells for similar limited data exfiltration. Note: the volume of data exfiltrated is typically well under hundreds of gigabytes.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.
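One consequence of the behaviour described above is that the Beacon download shows up in web proxy logs as a request to a bare IP address whose path looks like a hostname. The Python below is an added example, not part of the advisory: it scores proxy log lines on those two properties and treats requests-by-IP to internal address space as the lower-value signal they usually are. The log lines are constructed; 203.0.113.45 and 2001:db8::10 are documentation-range addresses standing in for C2 servers, and the TLD list used to recognise a hostname-like path is an assumption to be widened locally.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed proxy log for this example (not from the advisory).
# Fields: timestamp client method url status bytes. 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for C2 addresses.
SAMPLE_PROXY_LOG = """\
2025-01-14T10:02:11Z 10.20.5.17 GET http://203.0.113.45:80/Google.com 200 289344
2025-01-14T10:02:40Z 10.20.5.17 POST http://203.0.113.45/submit.php?id=1838 200 512
2025-01-14T10:03:02Z 10.20.5.31 GET https://www.google.com/ 200 10233
2025-01-14T10:03:15Z 10.20.5.31 GET http://10.20.0.9/updates/ 200 2048
2025-01-14T10:04:07Z 10.20.5.44 GET http://[2001:db8::10]/Microsoft.com 200 301522
"""

LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")
# Address space where a request-by-IP is routine (internal services, loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]
# A last path segment such as "/Google.com" or "/cdn.example.net". The TLD
# list is an assumption for the example; widen it to what your proxy sees.
HOSTNAME_LIKE_PATH = re.compile(
    r"^/[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|info)/?$", re.I)

R_EXTERNAL_IP = "web request to a literal external IP (no registered domain)"
R_INTERNAL_IP = "web request to a literal internal IP"
R_HOSTLIKE_PATH = "URI path mimics a hostname"


def classify_host(host: str) -> str:
    """'name', 'internal-ip' or 'external-ip' for a URL host component."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "internal-ip" if any(ip in net for net in INTERNAL_NETS) else "external-ip"


def assess(url: str) -> Dict:
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit strips the [] around IPv6 literals
    score, reasons = 0, []
    kind = classify_host(host)
    if parts.scheme in ("http", "https") and kind == "external-ip":
        score += 2
        reasons.append(R_EXTERNAL_IP)
    elif kind == "internal-ip":
        score += 1
        reasons.append(R_INTERNAL_IP)
    if HOSTNAME_LIKE_PATH.match(parts.path):
        score += 2
        reasons.append("%s (%s)" % (R_HOSTLIKE_PATH, parts.path))
    return {"url": url, "host_kind": kind, "score": score,
            "reasons": reasons, "suspicious": score >= 3}


def scan_proxy_log(text: str) -> List[Dict]:
    results = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        result = assess(m.group(4))
        result["client"] = m.group(2)
        results.append(result)
    return results


if __name__ == "__main__":
    for r in scan_proxy_log(SAMPLE_PROXY_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%-10s %-45s %s" % (flag, r["url"], "; ".join(r["reasons"])))
```

The internal ranges are listed explicitly rather than taken from ipaddress.is_private because that property also covers the documentation and benchmarking ranges, which would hide exactly the kind of external address a C2 server uses. Requests to an external IP with an ordinary path still receive a non-zero score so they can be aggregated per client over time, even though a single one is not flagged on its own.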

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 3 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

Table 1: Tools Leveraged by Ghost Actors

  • Cobalt Strike: penetration testing software; Ghost actors use an unauthorized version of Cobalt Strike. Source: N/A
  • IOX: open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. Source: github[.]com/EddieIvan01/iox
  • SharpShares.exe: enumerates accessible network shares in a domain; Ghost actors use it primarily for host discovery. Source: github[.]com/mitchmoser/SharpShares
  • SharpZeroLogon.exe: attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. Source: github[.]com/leitosama/SharpZeroLogon
  • SharpGPPPass.exe: attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. Source: N/A
  • SpnDump.exe: lists service principal name identifiers, which Ghost actors use for service and hostname enumeration. Source: N/A
  • NBT.exe: a compiled version of SharpNBTScan, a NetBIOS scanner; Ghost actors use it for hostname and IP address enumeration. Source: github[.]com/BronzeTicket/SharpNBTScan
  • BadPotato.exe: an exploitation tool used for privilege escalation. Source: github[.]com/BeichenDream/BadPotato
  • God.exe: a compiled version of GodPotato, used for privilege escalation. Source: github[.]com/BeichenDream/GodPotato
  • HFS (HTTP File Server): a portable web server program that Ghost actors use to host files for remote access and exfiltration. Source: rejitto[.]com/hfs
  • Ladon 911: a multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. Source: github[.]com/k8gege/Ladon
  • Web Shell: a backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. Source: slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

  • Cring.exe: c5d712f82d5d37bb284acd4468ab3533
  • Ghost.exe: 34b3009590ec2d361f07cac320671410, d9c019182d88290e5489cdf3b607f982
  • ElysiumO.exe: 29e44e8994197bdb0c2be6fc5dfc15c2, c9e35b5c1dc8856da25965b385a26ec4, d1c5e7b8e937625891707f8b4b594314
  • Locker.exe: ef6a213f59f3fbee2894bd6734bbaed2
  • iex.txt, pro.txt (IOX): ac58a214ce7deb3a578c10b97f93d9c3
  • x86.log (IOX): c3b8f6d102393b4542e9f951c9435255, 0a5c4ad3ec240fbfd00bdc1d36bd54eb
  • sp.txt (IOX): ff52fdf84448277b1bc121f592f753c5
  • main.txt (IOX): a2fd181f57548c215ac6891d000ec6b9
  • isx.txt (IOX): 625bd7275e1892eac50a22f8b4a6355d
  • sock.txt (IOX): db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Table 3: Ransom Email Addresses

Email Addresses: the 33 addresses in this table were obfuscated when the page was captured and are not reproduced here; refer to the CISA advisory for the list.

Ransom Notes

Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access

  • Exploit Public-Facing Application (T1190): Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.

Table 5: Execution

  • Windows Management Instrumentation (T1047): Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.
  • PowerShell (T1059.001): Ghost actors use PowerShell for various functions, including deploying Cobalt Strike.
  • Windows Command Shell (T1059.003): Ghost actors use the Windows Command Shell to download malicious content onto victim servers.

Table 6: Persistence

  • Account Manipulation (T1098): Ghost actors change passwords for already established accounts.
  • Local Account (T1136.001): Ghost actors create new local accounts or modify existing ones.
  • Domain Account (T1136.002): Ghost actors create new domain accounts or modify existing ones.
  • Web Shell (T1505.003): Ghost actors upload web shells to victim servers to gain access and for persistence.

Table 7: Privilege Escalation

  • Exploitation for Privilege Escalation (T1068): Ghost actors use a suite of open-source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.
  • Token Impersonation/Theft (T1134.001): Ghost actors use Cobalt Strike to steal the tokens of processes running at a higher privilege.

Table 8: Defense Evasion

  • Impair Defenses: Disable or Modify Tools (T1562.001): Ghost actors disable antivirus products.
  • Hidden Window (T1564.003): Ghost actors launch PowerShell with the -w hidden option so that no window is shown to the logged-on user.

Table 9: Credential Access

  • OS Credential Dumping (T1003): Ghost actors use Mimikatz and the Cobalt Strike "hashdump" command to collect passwords and password hashes.

Table 10: Discovery

  • Remote System Discovery (T1018): Ghost actors use tools such as Ladon 911 and SharpNBTScan for remote system discovery.
  • Process Discovery (T1057): Ghost actors run a ps command to list running processes on an infected device.
  • Domain Account Discovery (T1087.002): Ghost actors run commands such as net group "Domain Admins" /domain to discover a list of domain administrator accounts.
  • Network Share Discovery (T1135): Ghost actors use various tools for network share discovery for the purpose of host enumeration.
  • Software Discovery (T1518): Ghost actors use their access to determine which antivirus software is running.
  • Security Software Discovery (T1518.001): Ghost actors run Cobalt Strike to enumerate running antivirus software.

Table 11: Exfiltration

  • Exfiltration Over C2 Channel (T1041): Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.
  • Exfiltration to Cloud Storage (T1567.002): Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.

Table 12: Command and Control

  • Web Protocols (T1071.001): Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers, which communicate over HTTP and HTTPS.
  • Ingress Tool Transfer (T1105): Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.
  • Standard Encoding (T1132.001): Ghost actors pass PowerShell commands as Base64-encoded strings (-encodedcommand), which reduces the likelihood of detection during lateral movement.
  • Encrypted Channel (T1573): Ghost actors use encrypted email platforms to facilitate communications.

Table 13: Impact

  • Data Encrypted for Impact (T1486): Ghost actors use the ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.
  • Inhibit System Recovery (T1490): Ghost actors delete volume shadow copies.

Mitigations

The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

  • Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
  • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
  • Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
  • Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
  • Train users to recognize phishing attempts.
  • Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
    • Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
  • Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
  • Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
    • Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
  • Limit exposure of services by disabling unused ports, such as RDP (3389), FTP (21), and SMB (445), and by restricting access to essential services through securely configured VPNs or firewalls.
  • Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

Validate Security Controls

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 4 to Table 13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Reporting

Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI's Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

Version History

February 19, 2025: Initial version.


Tags

Advisory CVE: CVE-2009-3960, CVE-2010-2861, CVE-2018-13379, CVE-2019-0604, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523

Audience: Educational Institutions, Faith-Based Community, Industry, Small and Medium Businesses

Co-Sealers and Partners: Federal Bureau of Investigation, Multi-State Information Sharing and Analysis Center

MITRE ATT&CK TTP: Command and Control (TA0011), Credential Access (TA0006), Defense Evasion (TA0005), Discovery (TA0007), Execution (TA0002), Exfiltration (TA0010), Impact (TA0040), Initial Access (TA0001), Lateral Movement (TA0008), Persistence (TA0003), Privilege Escalation (TA0004)


Related vulnerabilities: CVE-2009-3960, CVE-2010-2861, CVE-2014-1812, CVE-2017-0143, CVE-2017-0144, CVE-2018-13379, CVE-2019-0604, CVE-2020-1472, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523

A security assessment of the IDPKI implementation revealed a weakness that could potentially allow an operator to exceed its privileges.

In the course of a penetration test of IDPKI, some security measures protecting internal communications were found to be potentially bypassable by an internal user with high privileges.

None of these vulnerabilities puts the Certificate Authority (CA) private key at risk.

Eviden analyzed the root cause of the weakness and found two separate vulnerabilities. While validating the fix, a third vulnerability of a similar nature was identified: a race condition that can alter the state of an internal state machine and lead to a system privilege escalation.

  • CVE-2024-39327: could allow a CA signature to be obtained illegitimately.
  • CVE-2024-39328: a highly trusted role (Config Admin) could exceed its configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability are not at risk.
  • CVE-2024-51505: a highly trusted role (Config Admin) could leverage a race condition to escalate privileges.

  • The CVE-2024-39327 fix has been validated and published.
  • The CVE-2024-39328 fix has been validated and published. This vulnerability has no impact in mono-partition or SaaS environments.
  • The risk from CVE-2024-51505 is higher on systems where the earlier fixes have not been applied, because a less privileged role then suffices to exploit it. A fix is available and published.


Related vulnerabilities: CVE-2024-39327, CVE-2024-39328, CVE-2024-51505

CVE             Score  Severity  Vector                                        Library  Impact
CVE-2017-12652  9.8    Critical  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  libpng   Arbitrary Code Execution
CVE-2022-2068   9.8    Critical  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  OpenSSL  Arbitrary Code Execution
CVE-2023-45853  9.8    Critical  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  zlib     Information Disclosure
CVE-2020-14152  7.1    High      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H  libjpeg  Denial of Service

Resolution

Update your version of the HP Universal Print Driver Series.

HP has provided updates to the HP Universal Print Driver Series. To obtain the updated version, go to www.hp.com/go/UPD.

https://support.hp.com/us-en/document/ish_11892982-11893015-16/hpsbpi03995


Related vulnerabilities: CVE-2022-2068, CVE-2023-45853, CVE-2017-12652, CVE-2020-14152

A Mirai-based botnet is attempting exploitation in the wild using a new set of CVEs, mostly in IoT devices. These include:

  • Tenda CVE-2024-41473
  • Draytek CVE-2024-12987
  • HuangDou UTCMS V9 CVE-2024-9916
  • Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
  • (likely) Four-Faith CVE-2024-9644

Source: The Shadowserver Foundation


Related vulnerabilities: CVE-2024-9644, CVE-2024-2353, CVE-2024-9916, CVE-2024-12987, CVE-2024-24328, CVE-2024-24329, CVE-2024-41473

The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.

A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:

  • CVE-2024-32928 – The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices.
  • CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
  • CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER of false).
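
The three CVEs share one root cause: a call site that switches certificate or hostname verification off. The following Python script is an added example, not code from the article, from curl, or from any of the projects named above. It is a small static check that flags the libcurl settings the CVEs describe (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST turned off in C or PHP) and, going beyond the text, the equivalent switches on the curl command line and in Python's requests and ssl modules. The file contents in SAMPLE_SOURCES are constructed for this example; the comment-skipping heuristic is deliberately crude.

```python
"""Static check for source code that turns TLS certificate verification off.
Added example; not code from curl, Daniel Stenberg, or the projects in the CVEs
above. It covers the libcurl options the CVEs name and, going beyond the text,
the curl command line and Python's requests/ssl equivalents. SAMPLE_SOURCES is
constructed for this example."""
import re

# (label, pattern). Values that disable verification are 0/0L/false/False;
# CURLOPT_SSL_VERIFYHOST additionally has the old, insufficient value 1.
RULES = [
    ("libcurl CURLOPT_SSL_VERIFYPEER disabled",
     re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*(?:0L?|false|FALSE|False)\b")),
    ("libcurl CURLOPT_SSL_VERIFYHOST disabled or weakened",
     re.compile(r"CURLOPT_SSL_VERIFYHOST\s*,\s*(?:[01]L?|false|FALSE|False)\b")),
    ("curl command line -k/--insecure",
     re.compile(r"\bcurl\b.*\s(?:-k|--insecure)\b")),
    ("python requests verify=False",
     re.compile(r"\bverify\s*=\s*False\b")),
    ("python ssl verify_mode = CERT_NONE",
     re.compile(r"\.verify_mode\s*=\s*ssl\.CERT_NONE\b")),
    ("python ssl check_hostname = False",
     re.compile(r"\.check_hostname\s*=\s*False\b")),
    ("python ssl._create_unverified_context",
     re.compile(r"\bssl\._create_unverified_context\b")),
]
COMMENT_PREFIXES = ("//", "#", "*", "/*")   # crude: skip lines that are only comments


def find_disabled_verification(source, path="<input>"):
    """Return (path, line_no, rule label, line) for every hit in one source text."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(COMMENT_PREFIXES):
            continue
        hits.extend((path, no, label, stripped) for label, rx in RULES if rx.search(line))
    return hits


def scan_sources(sources):
    """sources: {path: text}. Returns hits across all files, in file order."""
    return [hit for path, text in sources.items()
            for hit in find_disabled_verification(text, path)]


SAMPLE_SOURCES = {   # constructed snippets mirroring the three CVE patterns
    "fetch.c": (
        "#include <curl/curl.h>\n"
        "CURL *h = curl_easy_init();\n"
        'curl_easy_setopt(h, CURLOPT_URL, "https://example.test/");\n'
        "/* 'just for dev', the habit the article describes */\n"
        "curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);\n"
        "curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 0L);\n"
    ),
    "pdf.php": (
        "$ch = curl_init($url);\n"
        "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n"
        "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);\n"   # 2 is the correct value
    ),
    "deploy.sh": "curl -sS --insecure https://internal.example.test/api | jq .\n",
    "client.py": (
        "import ssl, requests\n"
        "ctx = ssl.create_default_context()\n"
        "ctx.check_hostname = False\n"
        "ctx.verify_mode = ssl.CERT_NONE\n"
        "r = requests.get(url, verify=False)\n"
    ),
    "good.c": "curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L);\n",
}

if __name__ == "__main__":
    for path, no, label, text in scan_sources(SAMPLE_SOURCES):
        print(f"{path}:{no}: {label}: {text}")
```

The check is textual, so it will miss a verification flag that is passed through a variable and will not see combined short options such as -kv; treat a hit as a review item, not a verdict. The point the article makes is that these call sites exist in shipped code at all, and a check like this in CI is one way to stop a "temporary" development setting from reaching a release.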


Related vulnerabilities: CVE-2024-32928, CVE-2024-56521, CVE-2024-5261

PSIRT | FortiGuard Labs

Summary

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.

Please note that reports show this is being exploited in the wild.

Version         Affected              Solution
FortiOS 7.6     Not affected          Not Applicable
FortiOS 7.4     Not affected          Not Applicable
FortiOS 7.2     Not affected          Not Applicable
FortiOS 7.0     7.0.0 through 7.0.16  Upgrade to 7.0.17 or above
FortiOS 6.4     Not affected          Not Applicable
FortiProxy 7.6  Not affected          Not Applicable
FortiProxy 7.4  Not affected          Not Applicable
FortiProxy 7.2  7.2.0 through 7.2.12  Upgrade to 7.2.13 or above
FortiProxy 7.0  7.0.0 through 7.0.19  Upgrade to 7.0.20 or above
FortiProxy 2.0  Not affected          Not Applicable

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

IoCs

The following log entries are possible IoCs:

  • Login activity log with random srcip and dstip:
    type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

  • Following admin creation log with seemingly randomly generated user name and source IP:
    type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

  • The following IP addresses were mostly found used by attackers in above logs:
    1.1.1.1
    127.0.0.1
    2.2.2.2
    8.8.8.8
    8.8.4.4

Please note that the above IP parameters are not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.

Please note as well that sn and cfgtid are not relevant to the attack.

The operations performed by the Threat Actor (TA) in the cases we observed were some or all of the following:
- Creating an admin account on the device with a random user name
- Creating a local user account on the device with a random user name
- Creating a user group, or adding the above local user to an existing SSL VPN user group
- Adding or changing other settings (firewall policy, firewall address, ...)
- Logging in to the SSL VPN with the local users added above to get a tunnel into the internal network.

The admin or local user names created by the TA are randomly generated, e.g.:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
Alg7c4
Ypda8a
Kmi8p4
1a2n6t
8ah1t6
M4ix9f
...etc...

Additionally, the TA has been seen using the following IP addresses:

45.55.158.47 [most used IP address]
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37

Workaround

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface via local-in policies:

config firewall address
edit "my_allowed_addresses"
set subnet <allowed-ip> <netmask>
end

Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next

edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next

edit GUI_HTTP
set tcp-portrange 80
end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

Please note that the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.

Please note as well that an attacker needs to know an admin account's username to perform the attack and log in to the CLI. Therefore, having a non-standard, non-guessable username for admin accounts offers some protection and is, in general, a best practice. Keep in mind, however, that because the targeted websocket is not an authentication point, nothing prevents an attacker from brute-forcing the username.

Please contact customer support for assistance.

CSF requests issue:

Disable Security Fabric from the CLI:

config system csf
    set status disable
end

Acknowledgement

Fortinet is pleased to thank Sonny of watchTowr (https://watchtowr.com/) for reporting the CSF-related vulnerability under responsible disclosure.

Timeline

2025-01-14: Format
2025-01-15: Added non-standard admin account username best practice
2025-01-15: Clarified that IP addresses "under attacker control" means they are arbitrarily generated by the attacker
2025-01-21: Added IPS package info
2025-01-24: Removed IPS package info
2025-02-11: Added CVE-2025-24472 and its acknowledgement

CVE-2024-55591 and CVE-2025-24472


Related vulnerabilities: CVE-2024-55591, CVE-2025-24472

Key Takeaways

  • Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.
  • The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.
  • While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable.
  • Organizations should urgently disable firewall management access on public interfaces as soon as possible.

Summary

In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.

While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.

We are sharing details of this campaign to help organizations defend against this threat. Please note that our investigation of this campaign is ongoing, and we may add further detail to this article as we uncover additional information.

Update: On January 14, 2025, Fortinet published an advisory confirming the existence of an authentication bypass vulnerability affecting FortiOS and FortiProxy products, which was designated as CVE-2024-55591. The advisory also confirmed key details observed in the campaign described here. See our security bulletin for updated remediation guidance.

Background

FortiGate next-generation firewall (NGFW) products have a feature that allows administrators to reach the command-line interface through the web-based management interface. This is a standard feature on most NGFW devices and is convenient for administrators.

The CLI Console feature in the FortiGate web interface

According to the FortiGate Knowledge Base, when changes are made via the web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whoever made the changes. In contrast, changes made via SSH are logged with ssh as the user interface.

Behind the scenes, there are proprietary command-line tools that FortiGate software uses to perform administrative functions. One binary in particular, newcli, is described as managing the creation and termination of CLI connections.

In a 2023 report by Synacktiv about CVE-2022-26118, a privilege escalation vulnerability, a proof-of-concept bash session demonstrates how threat actors could invoke the newcli utility to add backdoor users. Notably, the --userfrom switch is given the value jsconsole(127.0.0.1), suggesting that a loopback address can be arbitrarily specified as the source IP address when a CLI console session is initiated.

bash$ cat add_backdoor_user.txt
config system admin user
    edit backdoor
        set password backdoor
        set profileid Super_User
        set adom "all_adoms"
    end
exit
bash$ cat add_backdoor_user.txt | /bin/newcli system system \
    --userfrom="jsconsole(127.0.0.1)" \
    --adminprof=Super_User --adom=root --from_sid=0

Although we do not have direct confirmation that such commands are utilized in the present campaign, the observed activities follow a similar pattern in the way they invoke jsconsole.

What We Know About the Campaign

At a high level, the present campaign can be thought of in 4 distinct phases:

  1. Vulnerability scanning (November 16, 2024 to November 23, 2024)
  2. Reconnaissance (November 22, 2024 to November 27, 2024)
  3. SSL VPN configuration (December 4, 2024 to December 7, 2024)
  4. Lateral Movement (December 16, 2024 to December 27, 2024)

These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access. Note, however, that our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign.

What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board.

The firmware versions of affected devices ranged between 7.0.14 and 7.0.16, released in February 2024 and October 2024 respectively.

Phase 1: Vulnerability scanning

One of the most notable indicators of compromise in this campaign is the use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses and popular DNS resolvers including Google Public DNS and Cloudflare. These combinations of source and destination IP addresses are not typical for jsconsole activity, making them an ideal target for threat hunting. These values appear to be spoofed, since jsconsole traffic to and from these IP addresses would not be possible without the threat actor having control over them.

Source IP Address Destination IP address
127.0.0.1 127.0.0.1
8.8.8.8 8.8.4.4
1.1.1.1 2.2.2.2

Anomalous source and destination IP addresses for jsconsole administrative logins

Numerous successful admin login events from jsconsole were observed originating from the anomalous IP addresses, all using the admin account. Interestingly, jsconsole login events using loopback IP addresses seemed to occur more frequently than events with the other two pairs of addresses using DNS resolvers, especially during the first phase of the campaign. In contrast, beyond the first phase of the campaign, events with the DNS resolver IP addresses were more commonly associated with configuration changes than those with the loopback addresses.

date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="REDACTED" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

Additionally, there was corresponding traffic to and from loopback interfaces on TCP port 8023, which according to the Fortinet Knowledge Base is the web CLI port. Loopback traffic was also observed on TCP port 9980, which is used internally by the web-based management interface for security fabric and REST API queries on FortiGate devices. The timestamps of traffic on ports 8023 and 9980 matched jsconsole activity down to the second.

date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=127.0.0.2 srcport=REDACTED srcintf="root" srcintfrole="undefined" dstip=127.0.0.1 dstport=8023 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=REDACTED proto=6 action="close" policyid=0 service="tcp/8023" trandisp="noop" app="tcp/8023" duration=1 sentbyte=879 rcvdbyte=778 sentpkt=14 rcvdpkt=14 appcat="unscanned"

The first occurrences of this type of jsconsole activity were observed in the wild as early as November 16, 2024 across victim organizations in a variety of sectors. It is important to note, however, that although malicious logins were observed this early, the first signs of impactful configuration changes from these console sessions only began to ramp up en masse between December 4, 2024 and December 7, 2024.

Web management HTTPS activity

Correlated closely in time with the jsconsole activity, we observed HTTPS web management traffic from a group of VPS hosting providers' IP addresses. Some of these IP addresses would later establish SSL VPN tunnels to the same compromised firewalls. These HTTPS events took place tens of seconds before the jsconsole activity. There are several noteworthy aspects to this traffic:

  1. The action was client-rst, meaning the client side of the TCP session sent an RST packet to terminate the connection.
  2. The amount of data sent to the destination firewall was over a megabyte.
  3. The session lasted over 100 seconds.
  4. The app was "Web Management(HTTPS)". In the example below the HTTPS management port is 8443; the default is 443, but the port can be set to any value and often differs between environments.
  5. The traffic originated from a WAN interface.

date=2024-12-15 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=157.245.3.251 srcport=56010 srcintf="wan1" srcintfrole="wan" dstip=REDACTED dstport=8443 dstintf="root" dstintfrole="undefined" srccountry="United States" dstcountry="United States" sessionid=REDACTED proto=6 action="client-rst" policyid=0 policytype="local-in-policy" service="HTTPSMGMT" trandisp="noop" app="Web Management(HTTPS)" duration=570 sentbyte=1315775 rcvdbyte=2084318 sentpkt=18225 rcvdpkt=18092 appcat="unscanned"

While the technical details of the suspected vulnerability are not yet known, the characteristics outlined here for malicious web management traffic provide a glimpse into the nature of a potential exploit.

Indications of opportunistic exploitation

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning between November 16, 2024 and the end of December 2024. Most of these sessions were short-lived, with corresponding logout events within a second or less. In some instances, multiple login or logout events occurred within the same second, with up to 4 events occurring per second.

The victimology in this campaign was not limited to any specific sectors or organization sizes. The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.

Phase 2: Reconnaissance

In the first phase of the campaign, although there were extensive login and logout events that appeared to be automated, configuration changes were nonexistent. Then, beginning on November 22, 2024, the first unauthorized configuration changes were made:

date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[more->standard]" msg="Edit system.console "

date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[standard->more]" msg="Edit system.console "

Similar configuration changes were made across a handful of victim organizations until November 27, 2024. The output setting referenced in these logs is used to toggle whether user interaction is needed to advance to the next page of console output. The “more” setting means that interaction is required to advance long output and “standard” prints out all output at once. In all intrusions, this setting was first set to “standard” and then set to “more”, usually within 10-30 seconds of each other.

The purpose of these changes is not known, but it may hint at threat actors’ preferred mode of interacting with the web console. It is also possible that this was a simple means of verifying that access was successfully obtained to commit changes on exploited firewalls.

Phase 3: SSL VPN configuration

In the third phase of the campaign, beginning on December 4, 2024, threat actors began to make more substantial changes on compromised devices, with the goal of gaining SSL VPN access. There were several distinct approaches for how to achieve this.

In some intrusions, new super admin accounts were created, adhering to an alphanumeric naming convention consisting of 5 characters. In other intrusions, the naming convention was slightly different, with 6 randomized alphanumeric characters.

date=2024-12 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=1733554955692189638 tz="-0500" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=REDACTED cfgpath="system.admin" cfgobj="Dbr3W" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin Dbr3W"

The newly created super admin accounts were then used to create several local user accounts (up to 6 per device) with similar naming conventions, which were ultimately added to existing groups that had been previously created by victim organizations for SSL VPN access.

In other intrusions, existing accounts were hijacked by threat actors to gain SSL VPN access. As with the previous scenario, these accounts were also added to existing groups with VPN access. This included use of the guest account, which is created by default on FortiGate devices. The password on the guest account was reset to facilitate this process.

Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly. In addition, some threat actors assigned specific ports to their VPN portal configurations, changing them between different sessions. These ports included 4433, 59449, and 59450, among others.

Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.

In most instances where firewall configuration changes were made, the ui field showed jsconsole with loopback or public DNS resolver IP addresses in parentheses (e.g., jsconsole(8.8.8.8)). However, there were several intrusions where the same field referenced other remote IP addresses, suggesting that the threat actor did not attempt to spoof their actual IP addresses in those instances. These were some of the same client IP addresses of the malicious tunnels that were later established. There were also instances where the https ui was used instead of jsconsole, and newly created accounts were used instead of the admin account for those sessions.

Phase 4: Lateral Movement

In the final phase observed in this campaign, upon successfully establishing SSL VPN access in victim organization environments, threat actors sought to extract credentials for lateral movement.

DCSync was used with previously obtained domain admin credentials. The threat actors used a workstation hostname of kali. At this point, the threat actors were removed from affected environments before they could proceed any further.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around this campaign to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.

Remediation

In December 2024, Arctic Wolf sent out a security bulletin warning of the activity observed in this campaign. See our follow-up security bulletin published on January 14, 2025 for additional remediation guidance, including version details.

In addition to locking down management interfaces, as a security best practice, regularly upgrading the firmware on firewall devices to the latest available version is advised to protect against known security issues.

Conclusion

In this campaign, we observed opportunistic exploitation of a handful of victim organizations. While the final objectives of the threat actor are not known, the technical details we’ve provided should help defenders protect against the early stages of this campaign.

As documented in this campaign and in several others, management interfaces should not be exposed on the public internet, regardless of the product specifics. Instead, access to management interfaces should be limited to trusted internal users. When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators.

From a security best practices standpoint, these types of misconfigurations should be addressed promptly to protect against not only this vulnerability, but an entire class of other potential vulnerabilities in the future.

Note: On December 12, 2024, Arctic Wolf Labs notified Fortinet about the activity observed in this campaign. Confirmation was received by FortiGuard Labs PSIRT on December 17, 2024 that the activity was known and under investigation.

Acknowledgements

Arctic Wolf Labs would like to acknowledge members of the Security Services team for their role in identifying this campaign. We thank Mo Sharif who identified the campaign and associated TTPs, as well as Ruben Raymundo and Trevor Daher who helped investigate the intrusions.

Appendix

Tactics, Techniques, and Procedures (TTPs)

Tactic             Technique                                     Sub-techniques or Tools
Initial Access     T1190: Exploit Public-Facing Application      Exploited public-facing FortiGate firewall management interfaces
Persistence        T1136.001: Create Account: Local Account      Created multiple local admin accounts
Persistence        T1133: External Remote Services               Modified SSL VPN configurations
Persistence        T1078.001: Valid Accounts: Default Accounts   Hijacked default guest account to obtain SSL VPN access
Credential Access  T1003.006: OS Credential Dumping: DCSync      The threat actors used a domain admin account to conduct a DCSync attack

Vulnerabilities Exploited

  • Vulnerability: No CVE registered
  • Use: The activity observed in this article has not been assigned a CVE as of publication.

Indicators of Compromise (IoCs)

Indicator         Type          ASN and operator                    Observed role
23.27.140[.]65    IPv4 Address  AS149440 – Evoxt Enterprise         SSL VPN client; web management interface client
66.135.27[.]178   IPv4 Address  AS20473 – The Constant Company Llc  SSL VPN client; web management interface client
157.245.3[.]251   IPv4 Address  AS14061 – Digitalocean Llc          SSL VPN client; web management interface client
45.55.158[.]47    IPv4 Address  AS14061 – Digitalocean Llc          SSL VPN client; web management interface client
167.71.245[.]10   IPv4 Address  AS14061 – Digitalocean Llc          SSL VPN client; web management interface client
137.184.65[.]71   IPv4 Address  AS14061 – Digitalocean Llc          SSL VPN client
155.133.4[.]175   IPv4 Address  AS62240 – Clouvider Limited         SSL VPN client; web management interface client
31.192.107[.]165  IPv4 Address  AS50867 – Hostkey B.V.              SSL VPN client
37.19.196[.]65    IPv4 Address  AS212238 – Datacamp Limited         Web management interface client
64.190.113[.]25   IPv4 Address  AS399629 – BL Networks              Web management interface client

Detection Opportunities

As part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here.

Firewall

This campaign was identified early because external monitoring was in place for unexpected firewall configuration changes.

As described in this article, jsconsole activity was observed from a handful of anomalous IP addresses that appeared to be spoofed. Monitoring for jsconsole activity from commonly spoofed IP addresses might be helpful in responding early to such attacks. The weakness of this approach is that threat actors may choose to spoof jsconsole activity using different IP addresses in the future.

Additionally, although details of the vulnerability in this article are not yet available, monitoring for web management traffic on the WAN interface over 1MB originating from VPS hosting IP addresses may be a worthwhile means of detecting exploitation. This detection criteria could be further narrowed down by setting a minimum session duration of 100 seconds. Please note, however, that a better long-term approach to this detection would be to remove web management from the public internet entirely.

Finally, given that malicious SSL VPN logins were known to take place with client IP addresses originating from VPS hosting providers, monitoring for unexpected logins from such providers would also potentially be worth exploring.
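
The indicators in the Fortinet PSIRT IoC section earlier on this page and the detection opportunities described here reduce to a few checks over FortiOS event and traffic logs. The following Python script is an added example, not Fortinet's or Arctic Wolf's code. It parses FortiOS key=value log lines and implements three checks: a jsconsole admin login whose source or destination address is one of the attacker-supplied placeholders (or where the two are identical), a system.admin object added through jsconsole or with a 5- or 6-character random-looking name, and a web management session on a WAN interface that sent more than 1 MB and lasted more than 100 seconds. The sample log lines are constructed from the redacted examples in the two reports, with made-up timestamps and device addresses; KNOWN_ADMINS, SPOOFED_JSCONSOLE_IPS and the thresholds are assumptions to adjust for your environment.

```python
"""Detections over FortiOS logs for the indicators in the two reports above.
Added example, not Fortinet's or Arctic Wolf's code. SAMPLE_LOG is constructed
from the redacted lines in the text with made-up timestamps and addresses."""
import re

# Loopback and public-resolver addresses the reports list as attacker-supplied
# placeholders. Extend with anything your admins could never legitimately use.
SPOOFED_JSCONSOLE_IPS = {"127.0.0.1", "127.0.0.2", "1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{5,6}$")   # 5/6-char names seen in the campaign
KNOWN_ADMINS = {"admin"}                          # assumption: your provisioned admins
WEB_MGMT_MIN_BYTES, WEB_MGMT_MIN_DURATION = 1_000_000, 100   # Arctic Wolf thresholds

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """One FortiOS key=value log line -> dict; quoted and bare values both handled."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def check_jsconsole_login(rec):
    """Admin login via jsconsole with a spoofed or identical source/destination."""
    if rec.get("logdesc") != "Admin login successful" or rec.get("ui") != "jsconsole":
        return None
    src, dst = rec.get("srcip"), rec.get("dstip")
    if src in SPOOFED_JSCONSOLE_IPS or dst in SPOOFED_JSCONSOLE_IPS or (src and src == dst):
        return f"jsconsole login as {rec.get('user')} from {src} to {dst}"
    return None


def check_admin_creation(rec):
    """system.admin object added through jsconsole, or with a random-looking name."""
    if rec.get("cfgpath") != "system.admin" or rec.get("action") != "Add":
        return None
    name, via = rec.get("cfgobj", ""), rec.get("ui", "")
    if name not in KNOWN_ADMINS and (via.startswith("jsconsole") or RANDOM_NAME.match(name)):
        return f"admin account {name!r} added via {via}: {rec.get('cfgattr')}"
    return None


def check_web_mgmt_session(rec):
    """Bulky, long-lived HTTPS management session arriving on a WAN interface."""
    if rec.get("app") != "Web Management(HTTPS)" or rec.get("srcintfrole") != "wan":
        return None
    sent, duration = int(rec.get("sentbyte", 0)), int(rec.get("duration", 0))
    if sent > WEB_MGMT_MIN_BYTES and duration > WEB_MGMT_MIN_DURATION:
        return (f"{rec.get('srcip')} sent {sent} bytes over {duration}s to "
                f"management port {rec.get('dstport')} ({rec.get('action')})")
    return None


CHECKS = (check_jsconsole_login, check_admin_creation, check_web_mgmt_session)


def scan(lines):
    """Run every check over raw log lines; returns (line_no, detection) pairs."""
    hits = []
    for no, line in enumerate(lines, 1):
        rec = parse_fortios_log(line)
        hits.extend((no, hit) for hit in (check(rec) for check in CHECKS) if hit)
    return hits


SAMPLE_LOG = [
    # 1-2: jsconsole logins with the spoofed address pairs from the reports
    'date=2024-12-07 time=10:15:01 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-12-07 time=10:15:02 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=8.8.8.8 dstip=8.8.4.4 action="login" status="success" profile="super_admin"',
    # 3: super_admin account with a random name created from jsconsole
    'date=2024-12-07 time=10:15:40 type="event" subtype="system" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgpath="system.admin" cfgobj="vOcep" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # 4: the exploit-like web management session (client-rst, >1 MB, >100 s, from WAN)
    'date=2024-12-15 time=10:14:20 type="traffic" subtype="local" vd="root" '
    'srcip=157.245.3.251 srcport=56010 srcintf="wan1" srcintfrole="wan" dstip=203.0.113.7 '
    'dstport=8443 proto=6 action="client-rst" policyid=0 service="HTTPSMGMT" '
    'app="Web Management(HTTPS)" duration=570 sentbyte=1315775 rcvdbyte=2084318',
    # 5-6: benign comparisons, a GUI login from the LAN and an ordinary account add
    'date=2024-12-07 time=11:00:00 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" profile="super_admin"',
    'date=2024-12-07 time=11:01:00 type="event" subtype="system" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" '
    'cfgpath="system.admin" cfgobj="ops-admin-jdoe" cfgattr="password[*]accprofile[super_admin]"',
]

if __name__ == "__main__":
    for no, hit in scan(SAMPLE_LOG):
        print(f"line {no}: {hit}")
```

As both reports note, the spoofed-address check is brittle because the attacker chooses those values; the admin-creation and WAN management-session checks do not depend on them and are the ones worth keeping once the obvious placeholders change. A fourth axis the Arctic Wolf text suggests, several jsconsole login/logout events within the same second, can be added by counting events per (date, time) key over the parsed records.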

Additional Resources

Get actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.

Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

Authors

Stefan Hostetler

Stefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.

Julian Tuin

Julian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats.

Trevor Daher

Trevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and Response (MDR) service.

Jon Grimm

Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has background of 10 years’ experience in several domains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).

Alyssa Newbury

Alyssa Newbury is a Threat Intelligence Analyst at Arctic Wolf, with over a decade of experience in tactical threat intelligence and cybersecurity. She has a background working for various agencies within the intelligence community, including the FBI and NGA, and focuses primarily on researching and identifying emerging cyber threats and producing impactful finished intelligence products.

Joe Wedderspoon

Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 7 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.

Markus Neis

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.


Related vulnerabilities: CVE-2024-55591, CVE-2022-26118

February Security Advisory: Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

Primary Product

Connect-Secure

Created Date

Feb 11, 2025 3:01:15 PM

Last Modified Date

Feb 11, 2025 3:37:50 PM

Summary

Ivanti has released updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) which address medium, high and critical severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Vulnerability Details

CVE-2024-38657
  Description: External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.
  CVSS Score (Severity): 9.1 (Critical)
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  CWE: CWE-73
  Impacted Products: Connect Secure & Policy Secure

CVE-2025-22467
  Description: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
  CVSS Score (Severity): 9.9 (Critical)
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  CWE: CWE-121
  Impacted Products: Connect Secure

CVE-2024-10644
  Description: Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  CVSS Score (Severity): 9.1 (Critical)
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  CWE: CWE-94
  Impacted Products: Connect Secure & Policy Secure

CVE-2024-12058
  Description: External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
  CVSS Score (Severity): 6.8 (Medium)
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
  CWE: CWE-73
  Impacted Products: Connect Secure & Policy Secure

CVE-2024-13830
  Description: Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
  CVSS Score (Severity): 6.1 (Medium)
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CWE: CWE-79
  Impacted Products: Connect Secure & Policy Secure

CVE-2024-13842
  Description: A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.
  CVSS Score (Severity): 6.0 (Medium)
  CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
  CWE: CWE-321
  Impacted Products: Connect Secure & Policy Secure

CVE-2024-13843
  Description: Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.
  CVSS Score (Severity): 6.0 (Medium)
  CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
  CWE: CWE-312
  Impacted Products: Connect Secure & Policy Secure

CVE-2024-13813
  Description: Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.
  CVSS Score (Severity): 7.1 (High)
  CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
  CWE: CWE-732
  Impacted Products: Secure Access Client

Affected Versions

Product Name                        | Affected Versions  | Resolved Versions | Patch Availability
Ivanti Connect Secure (ICS)         | 22.7R2.5 and below | 22.7R2.6          | Download Portal (https://portal.ivanti.com/)
Ivanti Policy Secure (IPS)          | 22.7R1.2 and below | 22.7R1.3          | Download Portal (https://portal.ivanti.com/)
Ivanti Secure Access Client (ISAC)  | 22.7R4 and below   | 22.8R1            | Download Portal (https://portal.ivanti.com/)

Solution

These vulnerabilities are resolved on the latest version of the product and can be accessed in the download portal (Login Required):

  • Ivanti Connect Secure 22.7R2.6
  • Ivanti Policy Secure 22.7R1.3
  • Ivanti Secure Access Client 22.8R1
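Working out which of the listed CVEs are still open on a given appliance means comparing its version string against the per-CVE "before version X" thresholds in the table, not only against the single "Resolved Versions" column (an ICS appliance on 22.7R2.5, for instance, already has the fixes for CVE-2024-38657, CVE-2024-10644 and CVE-2024-13842 but none of the others). The following is an added example, not Ivanti's code: a version parser for the 22.x release format and an exposure check built from the tables above, plus the rule from the FAQ further down that the 9.x train receives no backported fixes. Assumptions made here: the format is `<major>.<minor>R<release>[.<patch>]` with a missing patch read as 0 and components ordered numerically left to right, and any version with major 9 is treated as the End-of-Support 9.x train.

```python
import re

# Ivanti 22.x release strings look like "22.7R2.6": <major>.<minor>R<release>[.<patch>].
# Assumption: a missing patch component ("22.8R1") means patch 0, and
# ordering is numeric, component by component, left to right.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn an Ivanti version string into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


ICS = "Ivanti Connect Secure"
IPS = "Ivanti Policy Secure"
ISAC = "Ivanti Secure Access Client"

# "Resolved Versions" column: the release that closes every CVE in this advisory.
RESOLVED = {ICS: "22.7R2.6", IPS: "22.7R1.3", ISAC: "22.8R1"}

# First fixed version per CVE and product, taken from the "before version X" wording
# of each description. A product absent from a CVE's entry is not affected by it.
CVE_FIXED = {
    "CVE-2024-38657": {ICS: "22.7R2.4", IPS: "22.7R1.3"},
    "CVE-2025-22467": {ICS: "22.7R2.6"},
    "CVE-2024-10644": {ICS: "22.7R2.4", IPS: "22.7R1.3"},
    "CVE-2024-12058": {ICS: "22.7R2.6", IPS: "22.7R1.3"},
    "CVE-2024-13830": {ICS: "22.7R2.6", IPS: "22.7R1.3"},
    "CVE-2024-13842": {ICS: "22.7R2.3", IPS: "22.7R1.3"},
    "CVE-2024-13843": {ICS: "22.7R2.6", IPS: "22.7R1.3"},
    "CVE-2024-13813": {ISAC: "22.8R1"},
}


def open_cves(product, installed):
    """CVEs from this advisory that are still unfixed on `installed`.

    Per the advisory FAQ, the 9.x train is End-of-Support and receives no
    backports, so every CVE affecting the product is reported as open there
    (assumption: major version 9 identifies that train)."""
    v = parse_version(installed)
    unsupported = v[0] == 9
    out = []
    for cve, fixed_by in sorted(CVE_FIXED.items()):
        if product not in fixed_by:
            continue
        if unsupported or v < parse_version(fixed_by[product]):
            out.append(cve)
    return out


def fully_patched(product, installed):
    """True when `installed` is at or above the advisory's resolved version."""
    return parse_version(installed) >= parse_version(RESOLVED[product])


if __name__ == "__main__":
    # Constructed inventory: (product, version) pairs as a scanner might report them.
    inventory = [(ICS, "22.7R2.5"), (ICS, "22.7R2.6"), (IPS, "22.7R1.2"),
                 (ISAC, "22.7R4"), (ICS, "9.1R18.9")]
    for product, version in inventory:
        status = "patched" if fully_patched(product, version) else "EXPOSED"
        print(f"{product} {version}: {status}; open: {open_cves(product, version)}")
```

The per-CVE threshold matters for prioritisation: an ICS host on 22.7R2.5 is exposed only to the four issues first fixed in 22.7R2.6, whereas one on 22.7R2.3 or below is also missing the two Critical admin-level RCE and file-write fixes that shipped in 22.7R2.4.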

Acknowledgements

Ivanti would like to thank the following for reporting the relevant issues and for working with Ivanti to help protect our customers:

  • Matthew Galligan, CISA Rapid Action Force (CVE-2024-38657)
  • Ori David of Akamai (CVE-2024-37374, CVE-2024-37375)
  • sim0nsecurity of HackerOne (CVE-2024-13813)

Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit HERE to learn more about our Vulnerability Disclosure Policy.

FAQ

  1. Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.

  2. How can I tell if I have been compromised?

Currently, there is no known public exploitation of these vulnerabilities that could be used to provide a list of indicators of compromise.

  3. What should I do if I need help?

If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal.

  4. Are any of these vulnerability fixes backported to any of the 9.x versions?

No. The Pulse Connect Secure 9.x version of the product reached End of Engineering in June 2024 and reached End-of-Support on December 31, 2024. Because of this, the 9.x version of Connect Secure no longer receives backported fixes. We strongly encourage customers to upgrade to Ivanti Connect Secure 22.7 to benefit from the important security updates that we have made throughout the solution.

  5. What does it mean when a vulnerability describes remote authenticated attackers?

It means that an attacker who is able to interact with the vulnerable component and pass authentication is able to exploit the vulnerability.

Article Number: 000097586


Related vulnerabilities: CVE-2024-12058, CVE-2024-10644, CVE-2024-13830, CVE-2024-13843, CVE-2024-38657, CVE-2024-13813, CVE-2024-37374, CVE-2024-13842, CVE-2025-22467, CVE-2024-37375
