Summer 2025 Cyber Threats Download™

The Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 

Threat trends

Our team has noted certain trends in recent attack methods focused on intrusion, operational disruption, or financial harms to organizations. The following trends are increasing in frequency, as these types of attack continue to prove successful for malicious threat actors:

• Ransomware. These attacks are trending up, with a majority of the attacks involving remote monitoring management (RMM) software. Threat actors commonly use manual deployment of ransomware where the threat actor breaks into the network and stages, deploys, and executes the ransomware. Fortunately, manual deployment allows time for the team to get ahead of the attack. In particular, Ghost (or Cring) ransomware attacks are popular now, and Chaos ransomware was released at a reduced price, making it more accessible to threat actors. 

• Business email compromise. These attacks are on the rise, particularly standard lures leveraging election and government news. A majority of the phishing emails link to credential harvesting webpages and lead to adversary-in-the-middle attacks involving the installation of malware. Many successful attacks result in Office 365 mailbox access where the threat actors create mailbox rules to hide their activity. To reduce risk, the team stresses the importance of user awareness training for all employees.

Incident response learnings

In a recent exploit trend, threat actors are targeting the CrushFTP vulnerability, versions 10 (before 10.8.4) and 11 (before 11.3.1). The Pondurance team first observed the exploit on March 26, just days before the published release of the vulnerability. The vulnerability allows the threat actor to bypass the need for a password and authenticate directly with the service. Next, the threat actor changes the password, locking out the legitimate user and specifically targeting the CrushFTP administrative user account. This results in the threat actor having access to the server hosting the CrushFTP application via a malicious scheduled job and RMM tool. 

Once in the server or application, the threat actor can use the job scheduler function to craft a specific request that targets the host system. The threat actor creates a custom job to send a curl request to download an RMM executable known as MeshAgent. The process offers the threat actor a foothold into the internal network. From there, the threat actor can move laterally through the environment, bring in other tools, and eventually move to the ransomware stage of the attack.

Threat actor group KillSecurity announced responsibility for the CrushFTP exploit and claimed to have a significant amount of data. The group presents itself as an open source security group that exploits companies to show them the holes in their security. However, KillSecurity reaches out directly to each company it exploits to discuss the “terms” for secure removal of the information from their leak site. If the company does not agree to the group’s terms, KillSecurity releases the company name and data on the dark web. To date, Pondurance has not had any cases posted there.

Notable vulnerabilities

The number of disclosed vulnerabilities jumped in April as approximately 4,000 vulnerabilities were disclosed. The team expects that number to consistently and steadily increase throughout the year. Fourteen of the 4,000 disclosed vulnerabilities were actively exploited. 

During Microsoft Patch Tuesday in April, 135 reported vulnerabilities were addressed — a large number compared with the 90 vulnerabilities typically reported each month. Of those 135, 11 were critical vulnerabilities, and patches were released for a number of the affected products, including LDAP, Windows Office, Windows TCP/IP, and Hyper-V. The one reported zero day is a privilege elevation vulnerability that impacts the Windows common log file system driver. The team also provided details about vulnerabilities to Ivanti Connect Secure virtual private network (VPN) and WordPress.

Ivanti Connect Secure VPN. This is a stack-based buffer overflow vulnerability that impacts only versions 22.7R2.6 and earlier. China-based group UNC5221 exploited this vulnerability to install Trailblaze and Brushfire malware on the vulnerable systems to allow persistence, data exfiltration, and credential theft. For the exploit, the malware applications copy values from the X-Forwarded-For HTTP header. But since there’s no bounds checking on the fixed buffer to assure that it fits, any information that extends over the buffer and overwrites the memory can cause a problem. The exploit works by manipulating pointers, or addresses in memory, and return values. As a final step, the threat actor invokes the system call and executes code. 

WordPress OttoKit plug-in. This exploit uses two avenues of exploitation. First, an authorization bypass vulnerability allows the threat actor to create administrator accounts on the system and ultimately take over a targeted website. This exploit works because there is a missing or empty value check on the secret key value in the authenticate user function. Second, a privilege escalation vulnerability allows unauthenticated threat actors to establish a connection. With more than 100,000 installations of this plug-in, threat actors can opportunistically scan for any vulnerable WordPress instance they may want to exploit.

In April, Oracle released a critical patch update that addressed 171 unique, common vulnerabilities and exposures across 32 of its product families. Of those 171 vulnerabilities, 14 have been exploited in recent months, and six of them have publicly available proof-of-concept codes available on the internet.

The team also discussed several notable data breaches that were disclosed in April including:

• Yale New Haven Health System. Unauthorized network access led to the loss of patients’ personally identifiable information (PII). The breach was likely a ransomware attack where threat actors exfiltrated data from the network. 

• Cleo managed file transfer. Threat actors stole employee records and confidential business files in this breach that impacted high-profile companies including Hertz and WK Kellogg. 

• VeriSource Services. An unauthorized network access breach led to the loss of employee PII for this leading provider of benefits services.

• Blue Shield of California. In this breach, a Google analytics misconfiguration on Blue Shield websites impacted as many as 4.7 million members.

• Nascar. The Medusa ransomware group stole more than a terrabyte of data including Nascar employee PII, login credentials for IT systems, and information on the layouts of race tracks and physical security information used to secure the facilities.

Focus on SentinelOne EDR vulnerability

Threat actors are constantly seeking out new vulnerabilities to maliciously exploit networks for financial gain. Recently, researchers observed a new technique that allows a threat actor to exploit a vulnerability in SentinelOne’s endpoint detection and response (EDR) agent upgrade process, which results in an unprotected endpoint. The Pondurance team wants to make clients aware of the threat. 

EDR is a standard cybersecurity solution used to constantly monitor endpoint behavior and detect and block threats. SentinelOne EDR technology uses antitamper protection so that only an authorized administrator can disable the protection measure. However, the new technique, known as the Bring Your Own Installer method, allows threat actors to gain local administrative access, bypass the tamper protection feature to disable the EDR agent, and execute Babuk ransomware. 

To execute the attack, the threat actor bypasses the EDR protection using timed termination of the agent update process on an inadequately configured EDR. The team explained in detail how the attack works and discussed countermeasures deployed to detect attempts to downgrade SentinelOne versions. To protect against an attack, the team has enabled online authorization for all clients. Clients that want to make SentinelOne EDR upgrades are encouraged to contact Pondurance via Scope ticket for assistance in performing a proper upgrade.

Alert tuning

Tuning, or making adjustments to improve the accuracy of alerts, can ensure that escalations are relevant for clients. If a client encounters a false positive or prefers not to escalate an alert, it’s important to respond rather than simply close the alert. With a response, the Pondurance team can make appropriate adjustments to deliver only alerts that will be actionable. In addition, disclosing critical assets, such as hosts, IP addresses, networks, VIP lists, and honey tokens, helps the team tweak those tunings to elevate alerts to the proper level.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.