Cyber Threat Weekly – #73
The week of April 7th through April 13th, around 397 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinking about security tools and shelfware.
It feels like there is a disconnect between buying security tools and deploying them appropriately. It’s people, process, and technology. Even after deployment, it takes effort to operate, manage, and maintain your tool stack to get the most out of each tool.
Let’s start with new evasion tricks for Tycoon2FA. Even after patching Fortinet devices, persistence was maintained. Public exploit code now available for exploited Ivanti bug. WordPress plugin bug actively exploited.
Cybercrime group Atlas Lion’s novel behavior. FortiSwitch bug allows attackers to change admin passwords. Zero-day bug affecting Gladinet file share servers exploited. Exploit code available for exploited CrushFTP bug.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
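The prioritization argued above (KEV first, weaponized PoC second, everything else on the normal cycle, with Internet exposure tightening the deadline) as an added example; this is not the newsletter's own tooling. The KEV feed excerpt uses CISA's real field names but constructed entries, the scanner findings are constructed, CVE-0000-0000 is a placeholder, and the 30-day regular cycle is an assumed policy value.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt shaped like entries in CISA's KEV JSON feed
# (real field names; sample data, not the live catalog).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-31161", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-29824", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-30406", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed vulnerability-scanner findings. CVE-0000-0000 is a placeholder.
FINDINGS = [
    {"cve": "CVE-2025-30406", "public_poc": False, "internet_exposed": False},
    {"cve": "CVE-2025-22457", "public_poc": True, "internet_exposed": True},
    {"cve": "CVE-2025-31161", "public_poc": True, "internet_exposed": True},
    {"cve": "CVE-0000-0000", "public_poc": False, "internet_exposed": False},
]

def load_kev(feed_json):
    """Map KEV cveID -> True if CISA flags known ransomware campaign use."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in feed["vulnerabilities"]}

def triage(finding, kev, now):
    """Return (tier, deadline). Tier 1: in KEV (emergency 24-48h window).
    Tier 2: weaponized public PoC (48h). Tier 3: regular patch cycle
    (30 days here, an assumed policy value, not from the newsletter)."""
    cve = finding["cve"]
    if cve in kev:
        # Internet-exposed or ransomware-used KEV entries get the 24h end of the window.
        hours = 24 if finding["internet_exposed"] or kev[cve] else 48
        return 1, now + timedelta(hours=hours)
    if finding["public_poc"]:
        return 2, now + timedelta(hours=48)
    return 3, now + timedelta(days=30)

def prioritized(findings, kev, now):
    """Findings sorted by tier then deadline, earliest action first."""
    rows = [(finding["cve"],) + triage(finding, kev, now) for finding in findings]
    return sorted(rows, key=lambda r: (r[1], r[2]))

if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for cve, tier, due in prioritized(FINDINGS, kev, datetime.now(timezone.utc)):
        print(f"tier {tier}  {cve}  patch by {due:%Y-%m-%d %H:%M}Z")
```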
CISA Known Exploited Vulnerabilities – April 7th to April 13th:
CVE-2025-31161 – CrushFTP Authentication Bypass Vulnerability:
Allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise. Used in ransomware attacks.
CVE-2025-29824 – Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability:
Allows an authorized attacker to elevate privileges locally. Used in ransomware attacks.
CVE-2025-30406 – Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability:
Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution.
CVE-2024-53150 – Linux Kernel Out-of-Bounds Read Vulnerability:
Allows a local, privileged attacker to obtain potentially sensitive information.
CVE-2024-53197 – Linux Kernel Out-of-Bounds Access Vulnerability:
Allows an attacker with physical access to the system to use a malicious USB device to potentially manipulate system memory, escalate privileges, or execute arbitrary code.
New Updates for Tycoon2FA Phishing-as-a-Service
This phishing kit is continually being upgraded. The latest tricks include invisible Unicode characters, a self-hosted CAPTCHA rendered via HTML5, and anti-debugging JavaScript. While none of these is novel, the combination adds stealth, making detection more complicated.
Threat Actors Maintain Persistence After Fortinet Devices Patched
Attackers are abusing known and now patched vulnerabilities for initial access. The threat actor then used a known vulnerability to create a symbolic link connecting the user and root file systems to SSL-VPN. Customers without SSL-VPN enabled are not affected.
https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
Researchers Release Exploit Code for Ivanti Bug
Ivanti bug CVE-2025-22457, observed being exploited on Connect Secure devices, now has public exploit code available. The good news: a detection opportunity is available, so examine appliances for web server crashes. Attackers must brute force memory, and every failure causes a reboot.
https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis
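The detection opportunity described above, turned into a small burst detector as an added example (not from the newsletter or Rapid7). The log lines are constructed in a generic syslog-like shape; the real Connect Secure log layout, the 30-minute window and the threshold of three crashes are all assumptions to tune against your own appliances.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed appliance log lines in a syslog-like shape (the format is
# assumed, not the actual Connect Secure log layout). Each unexpected exit
# of the web process is the signal the newsletter points at.
SAMPLE_LOGS = """\
2025-04-09T02:11:04Z ics-edge-01 web: process exited unexpectedly, restarting
2025-04-09T02:14:40Z ics-edge-01 web: process exited unexpectedly, restarting
2025-04-09T02:19:02Z ics-edge-01 web: process exited unexpectedly, restarting
2025-04-09T02:21:55Z ics-edge-01 web: process exited unexpectedly, restarting
2025-04-09T03:00:00Z ics-edge-02 web: process exited unexpectedly, restarting
2025-04-09T09:30:00Z ics-edge-02 web: process exited unexpectedly, restarting
2025-04-09T09:31:00Z ics-edge-02 web: started
"""

CRASH_MARKER = "web: process exited unexpectedly"

def parse_crashes(log_text):
    """Yield (timestamp, host) for each crash line; skip lines without the marker."""
    for line in log_text.splitlines():
        if CRASH_MARKER not in line:
            continue
        ts_text, host, _rest = line.split(" ", 2)
        yield datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), host

def crash_bursts(log_text, window=timedelta(minutes=30), threshold=3):
    """Return {host: max_crashes_in_window} for hosts reaching the threshold
    inside any sliding window. One crash can be a software fault; a tight
    burst matches the fail-and-reboot loop of a memory brute-force attempt."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host in sorted(parse_crashes(log_text)):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[host] = max(alerts.get(host, 0), len(q))
    return alerts

if __name__ == "__main__":
    for host, n in crash_bursts(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {n} web server crashes within 30 minutes")
```

Two crashes seven hours apart on ics-edge-02 do not fire; the four-in-ten-minutes run on ics-edge-01 does.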
WordPress Plugin SureTriggers Bug Actively Exploited
Threat actors love compromising legitimate WordPress web servers and abusing them in their campaigns. The lesson: WordPress, like other technologies, requires plugin security and updates. Attackers enjoy adding legitimacy to their campaigns.
https://thecyberexpress.com/suretriggers-vulnerability/
Atlas Lion’s Novel Attempt to Evade Detection
Socially engineering users to obtain credentials, attackers then enroll their own MFA devices. Using the stolen credentials, they attempt to enroll attacker-controlled virtual machines into the organization’s domain. Let’s hope this kind of activity is rare. This isn’t even a nation state group.
https://therecord.media/atlas-lion-gift-card-cybercrime-hiding-virtual-machines
https://expel.com/blog/observing-atlas-lion-part-one/
Low Complexity FortiSwitch GUI Bug Allows Admin Password Changes
This one is for tracking purposes. Fortinet is a huge target. The bummer here is the lateral movement implications should threat actors gain a foothold. Management interfaces should not be exposed to the Internet.
https://www.fortiguard.com/psirt/FG-IR-24-435
Zero-Day CentreStack Bug Actively Exploited
Exploitation started March 2025 on the enterprise file sharing software as a zero-day. The bug CVE-2025-30406 was fixed on April 3rd, 2025. There is a mitigation, rotating the machineKey values.
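The machineKey rotation mentioned as the mitigation, shown as an added example that is not Gladinet's or the newsletter's own procedure. It assumes the keys live in a standard ASP.NET web.config <system.web><machineKey> element (the file's location on a CentreStack install is not given here); the web.config fragment and its old key values are constructed placeholders.

```python
import secrets
import xml.etree.ElementTree as ET

# Byte lengths ASP.NET expects for these algorithms: 64 bytes for an
# HMACSHA256 validationKey, 32 bytes for an AES-256 decryptionKey.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

def new_machine_key():
    """Fresh, random machineKey values. Every server in a web farm must share
    the same pair, so generate once and distribute, never per-host."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }

def rotate_machine_key(web_config_xml, key=None):
    """Replace (or add) <machineKey> under <system.web> in a web.config
    document and return (new_xml, old_validation_key_or_None)."""
    key = key or new_machine_key()
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    old = node.get("validationKey") if node is not None else None
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    node.attrib.clear()
    node.attrib.update(key)
    return ET.tostring(root, encoding="unicode"), old

# Constructed web.config fragment; the key values are obvious placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_OLD_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_OLD_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    new_xml, old = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(f"replaced validationKey {old[:12]}... ; new config:\n{new_xml}")
```

Rotating the key invalidates every ViewState and forms-authentication ticket signed with the old one, so expect users to be logged out; rotation reduces exposure but is not a substitute for applying the April 3rd fix.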
Ransomware Gangs Abusing CrushFTP Bug
Added to the CISA known exploited vulnerability catalog, CVE-2025-31161 is being actively exploited by ransomware gangs. After responsible disclosure, another researcher discovered the bug and released critical information now used by attackers.
https://therecord.media/crushftp-vulnerability-exploited
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter