PRESS RELEASE

Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 

This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.

As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases the Cybersecurity Performance Goals Adoption Report

PRESS RELEASE

HONOLULU, Jan. 08, 2025 (GLOBE NEWSWIRE) -- Krilla Kaleiwahea LLC (K2), a Native Hawaiian Organization leader in defense, technology, resilience, and workforce development for the U.S. federal government, is proud to announce its selection as a prime contractor on the prestigious Navy SeaPort contract. This achievement underscores K2’s commitment to delivering innovative solutions and unparalleled support to the U.S. Navy and its mission-critical operations.

SeaPort NxG, the Navy’s electronic procurement platform, facilitates efficient and streamlined acquisition of professional support services in various functional areas, including engineering, financial management, and program management. As a trusted partner, K2 is now positioned to provide exceptional services across these domains, ensuring the Navy meets its strategic objectives with cutting-edge capabilities.

Driving Innovation and Excellence

“Being awarded the SeaPort contracting vehicle is a testament to K2’s dedication to excellence and our proven track record of supporting the Department of Defense with world-class talent,” said Peter Krilla, Co-Founder of K2. “We are honored to serve the Navy and contribute to its mission by delivering forward-thinking solutions and unmatched expertise.”

With this award, K2 will leverage its deep industry knowledge, advanced technologies, and talented team to address the complex challenges faced by the Navy and its partners. This contract allows K2 to expand its footprint and continue its tradition of excellence in supporting national security initiatives.

About K2

K2 is an 8(a) Native Hawaiian Organization and a leading provider of advanced solutions for the U.S. federal government's defense, technology, resilience, and workforce development sectors. Backed by decades of senior leadership experience in government, military, and corporate, we bring forward-thinking strategies that empower our clients to achieve operational success in the most demanding environments. As a Native Hawaiian Organization, we dedicate a portion of our profits to supporting the Native Hawaiian community. For more information about K2 and its services, visit www.k2-nho.com/

You May Also Like

K2 Secures Navy SeaPort Next Generation Contract

PRESS RELEASE

New York City, January 13, 2025 — Grupo Bimbo Ventures, the venture capital arm of Grupo Bimbo, the world's leading baking company and a significant player in the snack industry, is pleased to announce a strategic investment in NanoLock Security, a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. This investment underscores Grupo Bimbo's commitment to embrace innovation that can benefit global markets and needs.

The food industry plays a critical role in national resilience. However, it has increasingly become a target for cyber threat actors. Food manufacturers manage complex and diverse industrial systems across multiple sites, creating vulnerabilities that threat actors can exploit. The use of third-party contractors for system maintenance and updates further heightens risks if not properly monitored.

NanoLock Security's solutions are designed to protect industrial systems, ensuring the integrity and security of critical operations. Their zero-trust approach provides centralized, global enforcement of security policies across diverse industrial environments. This flexibility is crucial for maintaining the security and operational integrity of manufacturing facilities worldwide.

As a global leader in the baking industry, Grupo Bimbo understands the importance of ensuring uninterrupted production and uphold the highest standards of quality and safety. NanoLock's proven expertise and successful deployments with leading manufacturers in APAC, US, Israel & EU align perfectly with Grupo Bimbo's vision for a secure and resilient future in the food sector.

"We are excited to partner with NanoLock Security and leverage their advanced solutions to enhance food operations worldwide," said Constantino Matouk Iriondo, VP Global Bimbo Ventures. "This investment reflects our dedication to ensuring a safer world, and we are impressed with how NanoLock’s customers, from different sectors, are benefiting from their unique technology and capabilities."

Grupo Bimbo Ventures is a minority shareholder of NanoLock Security, having invested alongside Awz Ventures. Awz Ventures has a proven track record of pioneering multi-use, innovative deep-tech investments. It has led NanoLock’s investment from inception in 2018 through subsequent rounds.

About Grupo Bimbo Ventures

Grupo Bimbo Ventures is the venture capital arm of Grupo Bimbo, the world's leader and largest baking company and a significant player in the snack industry.

About NanoLock Security

NanoLock Security is a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. NanoLock provides comprehensive protection of operational technology environments, ensuring the integrity, resilience and security of critical systems and infrastructure.

You May Also Like

Grupo Bimbo Ventures Announces Investment in NanoLock Security

According to the tech giant, it has observed a threat group seeking out vulnerable customer accounts using generative AI, then creating tools to abuse these services.

Source: MAXSHOT.PL via Shutterstock

NEWS BRIEF

Microsoft's Digital Crimes Unit is pursuing legal action to disrupt cybercriminals who create malicious tools that evade the security guardrails and guidelines of generative AI (GenAI) services to create harmful content.

According to an unsealed complaint in the Eastern District of Virginia, though the company goes to great lengths to create and enhance secure AI products and services, cybercriminals continue to innovate their tactics and bypass security measures.

"With this action, we are sending a clear message: the weaponization of our AI technology by online actors will not be tolerated," said Microsoft in a blog post about the lawsuit.

In the court filings that were unsealed on Jan. 13, Microsoft noted that it had "observed a foreign-based threat-actor group develop sophisticated software that exploited exposed customer credentials scraped from public websites."

The group tried to access accounts with generative AI services in order to alter the capabilities of those services, then resold this unlawful access to other malicious actors, providing instructions on how to use the tools to create harmful content.

Since discovering the group's actions, Microsoft has revoked access and enhanced safeguards to mitigate this kind of activity in the future.

As the company continues to seek out proactive measures it can take alongside legal action, it highlights a report, "Protecting the Public From Abusive AI-Generated Content," that provides recommendations for organizations and governments to protect the public from AI-created threats.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Cracks Down on Malicious Copilot AI Use

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

The Hellcat ransomware group has stolen roughly 5,000 documents, potentially containing confidential information, from the telecom giant's internal database.

Source: Photo Art Lucas via Alamy Stock Photo

NEWS BRIEF

Telefonica, the multinational telecommunications company headquartered in Madrid, has confirmed that its internal systems were breached by hackers, leading to the theft of more than 236,000 lines of customer data and close to a half-million Jira tickets.

"We have become aware of unauthorized access to an internal ticketing system," Telefonica said in an emailed statement to media. "We are currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access."

Four threat actors posted an exfiltrated Jira database on the BreachForums Dark Web hacking community last week, claiming that it contains nearly 470,000 lines of internal ticketing data and more than 5,000 PDFs, Word documents, PowerPoints, and other documents.

Three of the four threat actors in question are believed to be a part of the Hellcat ransomware group.

Hudson Rock, a cybersecurity vendor that claims to have spoken with the threat actors, reported that the perpetrators used infostealer malware to compromise roughly 15 Telefonica employees and gain access to the system via their credentials. 

The vendor says that the breach has exposed 24,000 Telefonica employee emails and names as well as the Jira issues. The stolen documents also likely contain other confidential information.

"The data includes summaries of internal Jira issues, which can reveal sensitive operational details, project plans and vulnerabilities within Telefonica's infrastructure," Hudson Rock warned. "This poses a significant risk as it could be used to map out internal workflows and exploit weaknesses."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Telefonica Breach Exposes Jira Tickets, Customer Data

By focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security.

Source: Wavebreakmedia Ltd FUS1407 via Alamy Stock Photo

COMMENTARY

As we move into 2025, open source software (OSS) remains central to digital innovation across industries. However, its widespread adoption brings heightened security challenges and evolving regulatory demands. In the coming year, we expect a rise in targeted OSS supply chain attacks, a greater reliance on AI in cybersecurity — with both positive and negative implications — and a stronger push for global regulatory standards promoting responsible OSS practices.

**Growing Threats in the Open Source Supply Chain**

Following incidents like the XZ Utils backdoor, OSS supply chain attacks are expected to increase in frequency and sophistication. These attacks will likely prompt a heightened sense of urgency within organizations as they realize that a single security scan is insufficient. Moving forward, implementing proactive, continuous monitoring and adopting advanced tools will be essential to identifying threats before they can cause damage.

Understanding the growing importance of OSS security, the Open Source Security Foundation (OpenSSF) has taken steps to address these security challenges. As threats evolve, organizations will increasingly rely on resources like OpenSSF's SIREN mailing list, which notifies the OSS community about emerging threats, and the Open Source Vulnerabilities project, which helps identify malicious packages and other vulnerabilities. Tools such as Scorecard and GUAC provide visibility into project dependencies, helping developers assess risk within their OSS components. As the supply chain threat landscape intensifies, adopting these tools as standard practice will be important for any organization that relies on OSS.

**AI as a Double-Edged Sword in Cybersecurity**

AI will continue transforming cybersecurity in 2025, acting as a powerful ally for defenders and a dangerous weapon for attackers. On the one hand, AI integrated into automated tools and continuous integration and continuous delivery(CI/CD) pipelines will help organizations identify coding flaws and vulnerabilities more efficiently. Security teams will also increasingly rely on AI to analyze vast data volumes and detect unusual patterns in real time.

However, attackers will use AI to enhance their tactics, such as refining social engineering techniques or automating the search for vulnerabilities within codebases. Additionally, they will exploit flaws in AI-generated code for malicious purposes. This double-edged sword with AI highlights the urgent need for robust safeguards and security-focused innovation to harness AI's benefits while mitigating its risks.

**A Global Regulatory Push for Open Source Compliance**

The regulatory landscape surrounding OSS security will shift in 2025 as the European Union's Cyber Resilience Act (CRA) takes effect. By requiring software bills of materials (SBOM) and setting compliance standards, the CRA is expected to establish a global precedent, influencing nations like Japan, India, and the US to adopt similar legislation.

This regulatory shift will likely push more organizations to reassess their OSS practices, prioritizing transparency and accountability. As compliance pressures mount, companies will increasingly contribute to the open source projects they depend on, recognizing that supporting the OSS community bolsters the security and resilience of their digital ecosystems. This collaboration will enhance security and foster sustainable growth in the OSS landscape.

**Opportunities and Strategies for Open Source Security**

While these trends present clear challenges, companies can proactively strengthen OSS security. Businesses need to understand their dependencies and implement proactive measures to secure OSS components. Simple measures — such as supporting the developers behind critical open source projects and investing in secure infrastructure — can make a significant impact.

Most OSS developers are highly skilled but may lack specialized training in cybersecurity practices. OpenSSF aims to bridge this gap by offering tools and training that help embed security into the development process. Companies that adopt OSS due diligence, such as reviewing a project's security practices before integrating it, are better positioned to avoid vulnerabilities and maintain a secure infrastructure.

**Looking Ahead: A Collaborative Approach to Open Source Security**

OSS has grown beyond a convenient tool for developers — it is now a critical component of the global economy, valued in the trillions of dollars. While it will remain a driving force for technological progress, security must be a priority. Companies, governments, and the OSS community must work together to ensure a sustainable, secure, open source ecosystem.

Focusing on vigilant security practices, responsible AI deployment, and alignment with global regulatory standards, the OSS community can make 2025 a transformative year for security. By prioritizing collaboration and investment in security initiatives, we can build a resilient open source future in which OSS continues to power innovation safely and sustainably.

**About the Author**

Chief Security Architect, Open Source Security Foundation

Christopher Robinson (aka CRob) is the chief security architect for the Open Source Software Foundation (OpenSSF). With more than 25 years of experience in engineering and leadership, he has worked with Fortune 500 companies in industries like finance, healthcare, and manufacturing, and spent six years as program architect for Red Hat’s product security team.

The Shifting Landscape of Open Source Security

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Source: Lobro via Alamy Stock Photo

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you'd have a lot of nickels. There was the critical authentication bypass in its Virtual Traffic Manager (vTM), the SQL injection bug in its Endpoint Manager, a trio affecting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), plus dozens more.

It all started last January, when two serious vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.

Now, one year and one secure-by-design pledge later, threat actors have returned to haunt Ivanti all over again, via a new critical vulnerability in ICS which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn't been observed in exploits yet.

"Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this," Arctic Wolf CISO Adam Marrè points out, in defense of the downtrodden IT vendor. "Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn't mean that someone isn't going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in."

Related:New AI Challenges Will Test CISOs & Their Teams in 2025

**2 More Security Bugs in Ivanti Devices**

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The "high" severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.

CVE-2025-0282 — rated a "critical" 9.0 in CVSS — does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to successfully reverse engineer an exploit after comparing ICS's patched and unpatched versions.

Related:Best Practices & Risks Considerations in LCNC and RPA Automation

According to Mandiant, a threat actor began exploiting CVE-2025-0282 in mid-December, deploying the same "Spawn" family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:

*   The SpawnAnt installer, which drops its malware colleagues and persists through system upgrades
    
*   SpawnMole, which facilitates back-and-forth communications with attacker infrastructure
    
*   SpawnSnail, a passive secure shell (SSH) backdoor
    
*   SpawnSloth, which tampers with logs to conceal evidence of malicious activity
    

"The threat actor's malware families demonstrate significant knowledge of the Ivanti Connect Secure appliance," says Mandiant senior consultant Matt Lin. In fact, besides UNC5337 and its spawn, researchers also observed two more unrelated but equally bespoke malware deployed to infected devices. One — DryHook, a Python script — is designed to steal user credentials off targeted devices.

The other, PhaseJam, is a bash shell script that enables remote and arbitrary command execution. Most creative, though, is its ability to maintain persistence through sleight of hand. If an administrator attempts to upgrade their device — a process that would unseat PhaseJam — the malware will instead show them a fake progress bar that simulates each of the 13 steps one might expect in a legitimate update. Meanwhile, in the background, it prevents the legitimate update from running, thereby ensuring that it lives another day.

Related:Cybercriminals Don't Care About National Cyber Policy

DryHook and PhaseJam might have been the work of UNC5337, Mandiant noted, or another threat actor altogether.

**Time to Update**

Data from The ShadowServer Foundation suggests that north of 2,000 ICS instances could be vulnerable at the time of writing, with the greatest concentration in the US, France, and Spain.

Source: The Shadowserver Foundation

Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have published instructions for mitigating CVE-2025-0282, emphasizing that network defenders should run Ivanti's built-in Integrity Checker Tool (ICT) to seek out infections, and implement patches immediately.

"We have released a patch addressing vulnerabilities related to Ivanti Connect Secure," an Ivanti spokesperson tells Dark Reading. "There has been limited exploitation of one of the vulnerabilities and we are actively working with affected customers. Ivanti’s ICT has been effective in identifying compromise related to this vulnerability. Threat actor exploitation was identified by the ICT on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

It may be worth noting that unlike ICS, Policy Secure and ZTA gateways won't be receiving their patches until Jan. 21. In its security advisory, Ivanti stated that ZTA gateways "cannot be exploited when in production," and that Policy Secure is designed to not be Internet-facing, reducing the risk of exploitation via CVE-2025-0282 or similar vulnerabilities.

"It's important that administrators here are doing the right things," Marrè says, noting, "That may result in some downtime, which can be disruptive for organizations, which can lead to them putting it off, or not fixing it as thoroughly and as well as they should."

Lin adds, "We’ve observed organizations that have historically acted promptly in response to these threats did not experience the same negative impacts when compared to organizations that failed to do the same." He also acknowledges, "All the swirl that takes place in the background once one of these patches is announced.

"Security teams across orgs have to scramble to not just patch, but also understand whether they’re vulnerable, and if so, do they only need to patch, or have they already been breached? And if they have been breached, that starts another incident response, which creates massive workflows across companies around the world. It’s important to not lose sight of the toil and exhaustion that defenders go through when assessing these scenarios and not be hyper critical of their initial reaction times."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Threat Actors Exploit a Critical Ivanti RCE Bug, Again

Cybercriminals are luring victims into downloading the XMRig cryptomining malware via convincing emails, inviting them to schedule fake interviews using a malicious link.

Source: ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a cryptominer on their victims' devices.

This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.

The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported "CRM application."

"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme," said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. "The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike."

**Malicious Recruiter Lures Target Both Windows & Mac**

The site offers options for both Windows and macOS, and regardless of which option the victim chooses, once selected, it will download a Windows executable written in Rust. The executable will then download the cryptominer XMRig.

The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.

If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.

CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that's circulating out there.

It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting \[email protected\].

"It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process," Caldwell noted. "Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Source

DARKReading