Playbook: Eliminating Breach Risks — 2025 Edition for midmarket organizations.

April Cyber Threat Download™
Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media.
Threat trends
Our team has noted certain trends in recent attack methods focused on intrusion, operational disruption, or financial harms to organizations. The following trends are increasing or steady in frequency, as these types of attack continue to prove successful for malicious threat actors.
Phishing emails. These attacks are trending up, particularly phishing lures related to income taxes. A majority of the phishing emails link to credential harvesting webpages, which can lead to adversary-in-the-middle attacks. Many successful attacks result in Office 365 mailbox access where the threat actors create mailbox rules to hide their activity. To reduce the risk of phishing threats, the team stresses the importance of offering user awareness training to all employees.
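The mailbox rules mentioned above are one of the most reliable artifacts a compromised Office 365 account leaves behind, because the attacker has to create them through the tenant, where they are audited. The following added example (not code from Pondurance or Microsoft) shows a defender-side triage pass over inbox-rule creation events. The records are constructed for this example and only modeled on the shape of unified audit log entries (Operation, UserId, ClientIP and a Name/Value Parameters list); the tenant domain, users, IPs, folder names and keyword lists are assumptions to be tuned per environment.

```python
"""Triage Microsoft 365 inbox-rule events for signs of attacker concealment
(rules that hide, delete, or forward mail)."""
from typing import Dict, List

# Constructed sample records (not real log data) modeled on the shape of
# Microsoft 365 unified audit log entries for inbox-rule changes. Users, tenant
# domain, IPs and rule contents are all invented for this example.
SAMPLE_AUDIT_RECORDS: List[Dict] = [
    {
        "Operation": "New-InboxRule",
        "UserId": "alice@example.test",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {
        "Operation": "New-InboxRule",
        "UserId": "bob@example.test",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletter filing"},
            {"Name": "From", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {
        "Operation": "Set-InboxRule",
        "UserId": "carol@example.test",
        "ClientIP": "192.0.2.44",
        "Parameters": [
            {"Name": "Name", "Value": "Forward"},
            {"Name": "ForwardTo", "Value": "collector@attacker.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
]

# Tuning knobs (assumptions for this example; adjust per tenant).
INTERNAL_DOMAINS = {"example.test"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
SUSPICIOUS_SUBJECT_WORDS = {"invoice", "payment", "password", "hacked",
                            "phish", "suspicious", "wire", "fraud"}


def parameters_as_dict(record: Dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_inbox_rule(record: Dict) -> Dict[str, object]:
    """Return the concealment indicators found in one rule event plus a severity."""
    params = parameters_as_dict(record)
    reasons: List[str] = []

    if params.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")

    # Any forwarding/redirect action whose target domain is outside the tenant.
    for name in sorted(FORWARD_PARAMS):
        target = params.get(name, "")
        if target and "@" in target:
            domain = target.rsplit("@", 1)[1].strip().lower()
            if domain not in INTERNAL_DOMAINS:
                reasons.append(f"{name} sends mail outside the tenant ({domain})")

    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = sorted(words & SUSPICIOUS_SUBJECT_WORDS)
    if hits:
        reasons.append("filters on subject words typical of fraud or security alerts: " + ", ".join(hits))

    rule_name = params.get("Name", "").strip()
    if len(rule_name) <= 1:  # attackers commonly name hiding rules "." or ","
        reasons.append("rule name is empty or a single character")

    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return {"user": record.get("UserId"), "client_ip": record.get("ClientIP"),
            "rule_name": rule_name, "reasons": reasons, "severity": severity}


def triage(records: List[Dict]) -> List[Dict[str, object]]:
    """Score every inbox-rule event and keep only those with at least one indicator."""
    findings = []
    for record in records:
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        result = score_inbox_rule(record)
        if result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_RECORDS):
        print(f"[{f['severity'].upper()}] {f['user']} from {f['client_ip']} rule '{f['rule_name']}':")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the constructed records, the first and third rules are flagged (hidden-folder move plus mark-as-read plus fraud keywords; external forward plus delete) while the ordinary newsletter-filing rule is not. In practice the same scoring runs over exported audit records, and a high-severity finding for a user who also has a recent sign-in from an unfamiliar IP is the point at which the mailbox should be treated as compromised.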
Ransomware. Ghost ransomware attacks are heavy now, and Chaos ransomware has been released at a lower price, making it more accessible to would-be cybercriminals. The team is seeing manual (versus automated) deployment of ransomware, where the threat actor must break into the network and then stage, deploy, and execute the ransomware. Fortunately, manual deployment allows time for the team to get in front of the attack.
Credential stuffing attacks. These attacks, including brute-force attacks, are steady in frequency. With credential stuffing, threat actors collect stolen account credentials and use those credentials to gain unauthorized access to user accounts through automated login requests. To protect against credential stuffing attacks, Okta uses adaptive multifactor authentication, risk-based authentication, and behavioral detection setups, and Microsoft 365 uses Azure Active Directory Identity Protection with conditional access and smart lockout features.
Notable vulnerabilities
Approximately 2,700 vulnerabilities were disclosed in February, which is a lower number than the previous two months. However, the team expects that number to increase again in the months ahead, with 45,000 to 50,000 total vulnerabilities expected in 2025. As many as 25 of the 2,700 disclosed vulnerabilities were high risk, and eight were actively exploited.
The team noted that there has been a surge in the number of known ransomware victims over the past year, more than doubling from 425 attacks in February 2024 to 962 attacks in February 2025. Currently, there is a move toward opportunistic attacks rather than targeted attacks, expanding the base of possible ransomware attack victims. Four groups are primarily involved in the attacks:
CL0P. This ransomware group was responsible for 335 known ransomware victims in February, more than one-third of all attacks. These threat actors typically exploit managed file transfer software applications.
FunkSec. This group uses an information-stealing tool called Wolfer to look for evidence of account credentials, such as usernames and passwords, on a compromised system. The tool uses a Telegram bot to send commands to and from the compromised device.
Ghost (Cring). This China-backed group focuses on older vulnerabilities, particularly those impacting Fortinet networking equipment and Microsoft and Adobe applications.
Akira. This ransomware group uses webcams attached to Linux systems as the initial access point onto corporate networks.
As many as 67 reported vulnerabilities were addressed during Microsoft Patch Tuesday in February. Among those 67, three were critical, and four were zero days. Two of the zero days are particularly notable:
Palo Alto PAN-OS vulnerability. This exploit involves three vulnerabilities that are chained together to ultimately gain root access to the firewall. First, an authentication bypass vulnerability is exploited, which allows the threat actor to gain network access to the web management interface. Next, a privilege escalation vulnerability lets the threat actor execute files with root privileges. Finally, an authenticated file read vulnerability allows the threat actor to read files on the PAN-OS file system, possibly accessing sensitive information that can cause harm to the compromised organization.
7-Zip vulnerability. This Mark-of-the-Web bypass exploit by a group of Russia-based threat actors began in mid-September 2024. The attack occurs when a supposedly trusted sender sends a spear-phishing email that contains a double-compressed archive file. When the victim opens the email and decompresses the file using 7-Zip, it loads Smoke Loader malware on the victim’s system. Then, the malware connects to a malicious server, giving the threat actors access to the system to exfiltrate critical data.
In March, 57 reported vulnerabilities were addressed during Microsoft Patch Tuesday. Of those 57, six were critical vulnerabilities, including a Microsoft Office vulnerability triggered by an email with a malicious link and a Windows Remote Desktop Services vulnerability. Seven of the reported vulnerabilities were known zero days, including a security feature bypass vulnerability, a privilege escalation vulnerability, three hash disclosure vulnerabilities, and two remote code execution vulnerabilities. The team recommends a robust patching program to address these issues, particularly for products that employees use on a day-to-day basis.
SOC observations
Pondurance analysts at the security operations center (SOC) must understand an organization’s attack surface and the context to know if there’s a problem that requires an alert and a solution. SOC analysts play a vital role when examining virtual private network (VPN) use and brute-force login attempts.
Most organizations use a mix of private and public VPNs. Internal, privately hosted VPNs are more desirable, with all traffic under audit, but they are often expensive. Public VPNs, such as NordVPN, ExpressVPN, and Private Internet Access, are less expensive but create visibility problems that can make them ideal vectors for threat actors. Public VPNs mix both good and bad traffic, requiring analysts to dive deep into the context to figure out what is going on. An analyst needs the answers to questions such as: Are other users doing this? Is this IP address showing up for just this one user? Is this a spray attack, where one IP is hitting several different accounts? To get those answers, the team must set up a proper framework and clear expectations with clients to focus their efforts on actual threats.
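The three analyst questions above, together with the credential-stuffing and brute-force pattern described under threat trends, come down to grouping authentication events by source IP and by account. The following added example (not Pondurance's tooling) answers them over a batch of constructed VPN authentication events; the syslog-like key=value line format, the hostnames, users and IPs, and the two thresholds are all assumptions for this example and would be adapted to the VPN or identity-provider logs actually in use.

```python
"""Summarise authentication events the way a SOC analyst triages login noise:
who is failing, from where, and whether one source is touching many accounts."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample events (not real logs). The syslog-like key=value format is
# an assumption for this example; adapt LINE_RE to the VPN or IdP log you have.
SAMPLE_LOG = """\
2025-03-02T08:00:01Z vpn-gw auth user=alice src=203.0.113.5 result=failure
2025-03-02T08:00:02Z vpn-gw auth user=bob src=203.0.113.5 result=failure
2025-03-02T08:00:03Z vpn-gw auth user=carol src=203.0.113.5 result=failure
2025-03-02T08:00:04Z vpn-gw auth user=dave src=203.0.113.5 result=failure
2025-03-02T08:00:05Z vpn-gw auth user=erin src=203.0.113.5 result=failure
2025-03-02T08:10:00Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:02Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:04Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:06Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:08Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:10Z vpn-gw auth user=frank src=198.51.100.7 result=failure
2025-03-02T08:10:12Z vpn-gw auth user=frank src=198.51.100.7 result=success
2025-03-02T08:30:00Z vpn-gw auth user=alice src=192.0.2.10 result=failure
2025-03-02T08:30:05Z vpn-gw auth user=alice src=192.0.2.10 result=success
2025-03-02T08:31:00Z vpn-gw auth user=bob src=192.0.2.11 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)$"
)

# Thresholds are assumptions for this example; tune them to the environment.
SPRAY_MIN_USERS = 4       # distinct accounts failing from one source IP
BRUTE_MIN_FAILURES = 5    # failures against one account from one source IP


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Group events by source and account to answer the analyst's triage questions."""
    failing_users_per_ip = defaultdict(set)  # is one IP hitting several accounts? (spray)
    users_per_ip = defaultdict(set)          # is this IP coming for just one user?
    ips_per_user = defaultdict(set)          # are other sources doing this to the same user?
    failures = Counter()                     # (user, src) -> failures seen so far
    suspicious_success = []                  # a success right after a failure burst

    for e in events:  # assumed to be in chronological order
        key = (e["user"], e["src"])
        users_per_ip[e["src"]].add(e["user"])
        ips_per_user[e["user"]].add(e["src"])
        if e["result"] == "failure":
            failures[key] += 1
            failing_users_per_ip[e["src"]].add(e["user"])
        elif failures[key] >= BRUTE_MIN_FAILURES:
            suspicious_success.append(
                {"user": e["user"], "src": e["src"], "failures_before": failures[key]})

    spray_sources = {ip: sorted(users) for ip, users in failing_users_per_ip.items()
                     if len(users) >= SPRAY_MIN_USERS}
    brute_force = defaultdict(dict)
    for (user, src), n in failures.items():
        if n >= BRUTE_MIN_FAILURES:
            brute_force[user][src] = n

    return {
        "spray_sources": spray_sources,
        "brute_force": dict(brute_force),
        "suspicious_success": suspicious_success,
        "users_per_ip": {ip: sorted(u) for ip, u in users_per_ip.items()},
        "ips_per_user": {u: sorted(ips) for u, ips in ips_per_user.items()},
    }


if __name__ == "__main__":
    report = analyze(parse_events(SAMPLE_LOG))
    for ip, users in report["spray_sources"].items():
        print(f"SPRAY: {ip} failed against {len(users)} accounts: {', '.join(users)}")
    for user, sources in report["brute_force"].items():
        for src, n in sources.items():
            print(f"BRUTE FORCE: {n} failures against {user} from {src}")
    for s in report["suspicious_success"]:
        print(f"ESCALATE: {s['user']} succeeded from {s['src']} after {s['failures_before']} failures")
```

On the constructed data, 203.0.113.5 is reported as a spray source (five accounts, one failure each), frank's account is reported as brute-forced from 198.51.100.7, and the success that follows those six failures is the one event worth escalating. The `users_per_ip` and `ips_per_user` views are what an analyst consults to answer "is this IP coming for just this one user?" and "are other users doing this?" before deciding whether a single failure burst is a user mistyping a password or part of a wider campaign.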
Brute-force login attempts are a commonly seen threat within the SOC. Every investigation starts with the point of login or contact, where someone accesses the attack surface through either benign or malicious activity. Recently, the team has seen benign activity logged as Type 8, or “clear text,” authentication in customer configurations and communications, which is a misconfiguration that organizations should avoid. On the malicious activity side, the team sees a number of indicators of compromise and bad domains trying to connect to networks. When Pondurance SOC analysts see this activity, the team investigates the incidents. Are there SSL connections? Are there unusual domain name system (DNS) requests? What was this IP doing? The team gathers the evidence to know with certainty whether the threat actor’s actions did or did not have an impact beyond the initial attempt to make contact with the network.
Alert tuning
Tuning is crucial to ensure that escalations are relevant for clients. If a client encounters a false positive or prefers not to escalate an alert, it’s important to respond rather than simply close the alert. When a client responds, the Pondurance team can make appropriate adjustments to deliver only alerts that will be actionable. In addition, disclosing critical assets, such as hosts, IP addresses, VIP lists, and honey tokens, helps the team tweak those tunings to elevate alerts to the proper level.
About the Pondurance threat intelligence team
The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
