SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and…

****SUMMARY****

*   **Indictment Filed:** Three Russian nationals have been indicted for operating cryptocurrency mixers Blender.io and Sinbad.io, used to launder cybercrime proceeds.

*   **Criminal Links:** The mixers allegedly facilitated laundering for the Lazarus Group, a North Korean hacking organization, including $20.5M stolen from Axie Infinity.

*   **Arrests Made:** Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested in December 2024; a third suspect, Anton Vyachlavovich Tarasov, remains at large.

*   **Charges:** The defendants face conspiracy to commit money laundering and operating an unlicensed money-transmitting business, with potential 20-year prison sentences.

*   **Global Effort:** The case highlights international collaboration to combat cybercrime and hold cryptocurrency laundering facilitators accountable.

Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and Sinbad.io, used to launder money from cybercrimes. The indictment, filed on January 7 in the Northern District of Georgia, targets Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik, who were arrested in December 2024. A third suspect, Anton Vyachlavovich Tarasov, remains at large.

For your information, in November 2023, the US Treasury sanctioned Sinbad.io and seized its domain for providing its services to the North Korean Lazarus group to launder money stolen from numerous data breaches. On the other hand, the Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned Blender.io for assisting the Lazarus Group in laundering millions of dollars worth of cryptocurrency stolen from the crypto-based game Axie Infinity back in July 2022.

Blender.io and Sinbad.io domains (Credit: Hackread.com)

****What are Cryptocurrency Mixers?****

Imagine trying to wash dirty money. In the physical world, criminals might use shell companies or complex transactions to make it hard to trace where the money came from. Cryptocurrency mixers do something similar in the digital world. They take cryptocurrency from multiple users, mix it all, and then send it out to the intended recipients. This process makes it very difficult to follow the money trail and connect the source of the funds to the final destination.

****The Allegations****

According to the indictment, Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov operated Blender.io from around 2018 to 2022. The service promised complete anonymity, claiming a “No Logs Policy” and deleting all user transaction data. When Blender.io was shut down, Sinbad.io quickly took its place, offering similar services.

****Arrests and Charges****

Ostapenko and Oleynik were arrested on December 1, 2024. Tarasov is still being sought by authorities. The men are charged with conspiracy to commit money laundering and operating an unlicensed money-transmitting business. If found guilty, they could face up to 20 years in prison.

“This case shows the power of working together across borders to fight cybercrime,” said an FBI spokesperson in a DoJ press release. Authorities are determined to hold those who facilitate online criminal activity accountable.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  US Sanctions Chinese Cybersecurity Firm for Firewall Exploit
3.  U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks
4.  US Sanctions Intellexa Spyware Over Threat to National Security
5.  China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers

Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat.

Inside the Black Box of Predictive Travel Surveillance

With the advent of virtual reality, everyone got scared that the life we ​​know will disappear, and only…

With the advent of **virtual reality**, everyone got scared that the life we ​​know will disappear, and only those who understand new technologies will be able to find work. Remember what they said about newspapers. And about television. Radio. It seems likely that the same will play out in real life. Just consider what’s already unfolding in virtual reality, within metaverses like Fortnite, Roblox, Holiverse, and Decentraland.

****What does the “reality disappearance” mean?****

The disappearance of reality in the context of the popularity of the **metaverse** does not mean the disappearance of the physical world. It is rather a transformation of our perception and the usage of the real world. Here is how such transformation can happen. 

****Psychological disappearancе****

Let’s start with a simple example. Remember how, as children, we used to play the console for hours, forgetting about lunch? Or look at your children. How many times do you have to say it before they finally sit at the table? Now imagine this feeling, but taken to a new level, where the virtual world feels more interesting and important than the real one.

But haven’t you noticed that we’ve been living this way for the past ten years? Tinder, Facebook, Instagram, and TikTok are gradually consuming several hours of our time every day.

Here’s an example of how a man psychologically disappears in a game. There is a character in World of Warcraft. In virtual reality, this person is a hero, an idol who is looked up to. And what about real life?

There is an ordinary office worker in glasses in a cool unit, whom sometimes even the cleaning lady does not notice. Where would this person be more comfortable? Of course, where he or she is a role model. It’s like choosing what to have for tea: a sweet cake with thick whipping cream or sauerkraut. Well, obviously, in terms of psychology, the man will choose the virtual world in the given situation.

Now imagine that all your communication, work, and even cultural events have shifted to the digital world, the metaverse. Without leaving home, you arrange business meetings, go to concerts, and have fun with friends. It seems like science fiction but it is already a reality.

Travis Scott has collected 12 million viewers in Fortnite. Why go to a real stadium if you can go to a popular rapper’s concert without leaving your home? And without being afraid of a crowd of fans or risking being trampled. Convenient, right?

More and more people understand that there is no point in wasting time in traffic jams if you can solve everything online. And this is just the beginning.

****Economic disappearancе****

Now imagine that money also goes into the virtual world. No, it’s not just about cryptocurrency. People buy virtual land for millions of dollars, sew clothes for avatars, and collect NFTs, like previous stamps or coins.

Here’s an example. Someone bought a Gucci bag in Roblox for $4,000. Although it cost more than in real life, it was still bought. For some, this bag is a way to show status, even in the game.

****Land in Decentraland, avatars in Holiverse and turning tеxt into vidео** **

If you look closely, the “disappearance of reality” has already begun. The only thing is that it’s not as bright as in science fiction movies. We do not connect wires to our heads to get into the virtual world, but, it looks like, we are gradually disappearing there. 

****People buy plots of virtual land for millions of dollars and hope****

For example, in 2021, someone bought a plot of land in Decentraland for $2 million. This is virtual land, you can’t even touch it! Tomorrow the server will burn out, the Internet will be turned off, and no one will remember it. However, for such people, this is not a game, but an investment. They believe that tomorrow virtual real estate will become even more valuable.

The same thing with clothes, which we love to buy in reality. Now imagine that you are buying not a jacket or sneakers, but a skin for your avatar. You do not understand why, but thousands of people around the world do this. In games like Fortnite or Holiverse, this is completely normal because people pursue their own goals there.

For the buyer, this is a matter of status. Because this bag makes his avatar authentic. And that’s cool.

Why is this cool? Here’s an example. A virtual character under the nickname Lil Мiquelа lives only on the Internet. In reality, no one fully understands how she appeared.

Although Miquela does not exist in real life, millions of subscribers follow her on Instagram. She advertises brands, stars in campaigns, and even releases music. Her creators earn millions, and for subscribers, she is “more than real.”

**Holiverse: аvatar as a digital twin**

Just imagine: you take a sample of your DNA at home, and within a couple of days, you receive a digital copy of yourself, an avatar that lives in a virtual world, mimics your behaviour, and adapts to reflect any changes. This avatar does not just copy your body, it knows exactly how your body will react to different physical loads, food products and even cosmetics. This concept is being developed by the **Holiverse** startup, led by Lado Okhotnikov.

The idea looks fresh. Instead of wasting time and money on trying different medicines, you can use your virtual double. For example, you can:

*   find out how your physical condition will change if you add new workouts;
*   try which products will improve your life and which ones you better exclude;
*   test supplements or medicine that you are planning to take.

Lado Okhotnikov and his team emphasize user accessibility. To create a digital copy, you just need to take a DNA test at home, using a test kit that can be purchased at a pharmacy near your home or on a marketplace. Then you will need to send this sample to the lab, and after a short period, you will receive an exact copy of yourself: an avatar that can predict your body’s reactions with incredible accuracy.

The main advantage of Holiverse is the cost of the service. Lado Okhotnikov aims to make this technology available to everyone, turning personalized medicine from luxury into a necessity.

**Luma: turns text into video**

**Luma AI** presented Dream Machine; a service that “brings the text to life.” In terms of quality, the neural network is almost as good as Sora, one of the most powerful generative models. But this startup has a big advantage; Dream Machine is available to everyone. The neural network works on a new architecture and is already bypassing competitors like Runway Gen-2 or Pika. The video is realistic: without jerks, and the characters look natural and are not distorted.

Although the videos are short, a year ago this was considered science fiction. In a year or two, the service may be able to offer something truly significant. For example, tools for generating full-fledged virtual worlds.

Who knows, maybe in a few years we will be able to design entire virtual cities at home in a couple of minutes, simply by describing them in words. Or turn our ideas into animated films available to a million audience in metaverses.

****And what’s next?****

Being scared of technology is the same as trying to stop progress. However, even with the advent of that very virtual reality which everyone is talking about, real life will not go anywhere. You will still go to stores, equipment will still break down, and someone will still come to fix it. The virtual world can captivate, but it will not replace everything. It will not be possible to give up reality quickly and painlessly.

1.  **What is the Fediverse?**
2.  **Google Wants to Put Our Memories in a Database**
3.  **What Is Programmatic Advertising And How To Use It**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **What is Blockchain Gaming and its Play-to-Earn Model?**

The Metaverse Will Become More Popular Than the Real World: Will Reality Disappear?

SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a…

****SUMMARY****

*   **Phishing Scam Targets Job Seekers: Cybercriminals impersonate CrowdStrike recruiters to distribute cryptominer malware via fake job offers.**

*   **Malware Delivery: Victims are tricked into downloading a malicious app from a fake CrowdStrike website, and installing XMRig to mine Monero cryptocurrency.**

*   **Evasion Tactics: The malware limits CPU usage, scans for security tools, and uses startup scripts to remain undetected and persistent.**

*   **Rising Fake Job Scams: Similar tactics are increasingly common, with groups like Lazarus using fake job offers to deploy malware.**

*   **Safety Tips: Verify job offers through official channels, avoid unsolicited software downloads, and use endpoint protection to detect threats.**

Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s recruiters to distribute a cryptominer on unsuspecting job seekers’ devices. This malicious scheme leverages the allure of employment at a reputable cybersecurity firm to trick victims into downloading malware.

According to CrowdStrike’s blog post, the attack was detected on 7 January 2025 and began with a phishing email that appears to be part of CrowdStrike’s recruitment process. The email entices the target with the prospect of a junior developer interview and provides a link to schedule the meeting. Clicking the link directs the victim to a cleverly designed imposter website that mimics CrowdStrike’s branding.

This deceptive website offers downloadable “employee CRM applications” for both Windows and macOS users. Regardless of the chosen platform, downloading the application triggers the installation of a malicious Windows executable written in Rust. This executable acts as a downloader for XMRig, a well-known cryptominer, which starts mining Monero cryptocurrency. This privacy coin is a popular choice for cybercriminals because it is hard to trace.

The screenshot shows the malicious phishing site containing download links for the fake CRM application (Via CrowdStrike)

The executable is designed to evade detection by scanning the system’s processes for malware analysis tools or virtualization software, verifying the presence of at least two CPU cores, and checking for debuggers. If successful, it displays a fake error message to lull the victim into a false sense of security, while downloading additional payloads to establish persistence on the infected device and initiate the XMRig cryptomining process.

However, in this attack, XMRig’s power consumption has been limited to 10% to avoid detection. Moreover, attackers added a batch script in the Start Menu Startup directory to ensure it runs on boot. 

For your information, cryptominers are a type of malware that surreptitiously hijack a computer’s processing power to mine cryptocurrency for the attacker’s benefit. This unauthorized use of resources can cause the device to overheat, potentially leading to hardware damage and a shortened lifespan.

This isn’t a new trend, as fake job scams are becoming more prevalent online, with North Korean group Lazarus persistently using this method to trick unsuspecting users. Hackread recently reported Lazarus group deploying a new macOS trojan called “RustyAttr” since May 2024 to carry out its operations undetected.

Remember, legitimate recruiters rarely request candidates to download software or conduct interviews through unconventional channels. Always verify the authenticity of any job offer before proceeding and rely on official company websites for career opportunities and application processes.

CrowdStrike advises job seekers to be cautious of unsolicited interview offers, including those conducted via instant messaging or group chat, requests for product purchases or payment processing, and software download requirements. 

> _“Organizations can reduce the risk of such attacks by educating employees on phishing tactics, monitoring for suspicious network traffic and employing endpoint protection solutions to detect and block malicious activity.”_
> 
> CrowdStrike

To verify the legitimacy of any communication from CrowdStrike, job seekers should contact the company’s recruiting team at \[email protected\].

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
3.  **U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks**
4.  **Cybersecurity Firm KnowBe4 Hired North Korean Hacker as IT Pro**
5.  **Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials**

Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

A fake proof-of-concept (PoC) exploit designed to lure cybersecurity researchers into downloading malicious software. This deceptive tactic leverages a recently patched critical vulnerability in Microsoft's Windows LDAP service (CVE-2024-49113), which can cause denial-of-service attacks.

****SUMMARY****

*   **Fake PoC Exploit for CVE-2024-49113**: A malicious exploit, “LDAPNightmare,” targets researchers by disguising it as a PoC for a patched Windows LDAP vulnerability.

*   **Data Theft**: The malware steals computer and network information, sending it to attackers’ servers.

*   **Sophisticated Attack**: A fake repository mimics a legitimate one, using malicious files and scripts to deploy the malware.

*   **High-Profile Target**: Attackers aim to compromise security researchers for valuable intelligence.

*   **Precautions**: Researchers should verify repository authenticity, prioritize official sources, and check for suspicious activity.

According to the latest research from Trend Micro, a fake Proof-of-Concept (PoC) exploit has been identified for CVE-2024-49113, a denial-of-service (DoS) vulnerability previously found in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP). Both vulnerabilities were originally identified by Safebreach.

The attackers have set up a malicious repository containing the fake PoC, leading to the exfiltration of sensitive computer and network information. This attack, known as LDAPNightmare, is designed to lure security researchers into downloading and executing information-stealing malware.

Repository containing “poc.exe” (Via Trendmicro)

When unsuspecting researchers download/execute this harmless-looking code, they inadvertently unleash an information-stealing malware. This malware stealthily collects sensitive data from the infected machine, including computer information, running processes, network details, and installed updates. It then transmits this stolen data to a remote server controlled by the attackers.

The attackers have employed a sophisticated technique to deliver the malware. The malicious repository appears to be a legitimate fork of an original repository, making it difficult to immediately identify as malicious.

The genuine Python files in the repository have been replaced with a malicious executable, which, upon execution, drops and executes a PowerShell script. This script then establishes a scheduled task that downloads and executes another malicious script from Pastebin. This final script collects the victim’s public IP address and exfiltrates stolen data to an external FTP server.

It is worth noting that the vulnerability was addressed in Microsoft’s December 2024 Patch Tuesday release, which addressed two other critical vulnerabilities in LDAP. The first, CVE-2024-49112, is a remote code execution bug that attackers can exploit by sending specially crafted LDAP requests. The second, CVE-2024-49113, is a DoS vulnerability that can be exploited to crash the LDAP service, causing service disruptions. 

For your information, PoC exploits are non-harmful attacks that reveal software security weaknesses, aiding companies in patching vulnerabilities. However, if used incorrectly, PoCs can provide attackers with a blueprint for exploiting a system before users can install fixes, potentially causing harm.

This attack method, as per Trendmicro’s report, while not entirely novel, threatens the cybersecurity community because by exploiting a high-profile vulnerability and targeting security researchers – individuals who are often highly aware of security threats – attackers can gain valuable intelligence and potentially compromise critical security systems.

Therefore, security researchers should be cautious when downloading and executing code from online repositories. They should prioritize official sources, scrutinize repositories for suspicious content, and verify the authenticity of the repository owner or organization.

Moreover, it is essential to consider community feedback for repositories with minimal activity and look for red flags within the repository that may indicate potential security risks. This will help them stay protected from potential threats and ensure their security.

1.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
4.  How to Conduct a Cybersecurity Proof of Concept with a Vendor
5.  Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

Fake PoC Exploit Targets Cybersecurity Researchers with Malware

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations. On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing […]

**About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability.** ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

Microsoft has revealed that it's pursuing legal action against a "foreign-based threat–actor group" for operating a hacking-as-a-service infrastructure to intentionally get around the safety controls of its generative artificial intelligence (AI) services and produce offensive and harmful content.
The tech giant's Digital Crimes Unit (DCU) said it has observed the threat actors "develop

Microsoft Sues Hacking Group Exploiting Azure AI for Harmful Content Creation

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Source: Lobro via Alamy Stock Photo

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you'd have a lot of nickels. There was the critical authentication bypass in its Virtual Traffic Manager (vTM), the SQL injection bug in its Endpoint Manager, a trio affecting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), plus dozens more.

It all started last January, when two serious vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.

Now, one year and one secure-by-design pledge later, threat actors have returned to haunt Ivanti all over again, via a new critical vulnerability in ICS which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn't been observed in exploits yet.

"Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this," Arctic Wolf CISO Adam Marrè points out, in defense of the downtrodden IT vendor. "Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn't mean that someone isn't going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in."

Related:New AI Challenges Will Test CISOs & Their Teams in 2025

**2 More Security Bugs in Ivanti Devices**

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The "high" severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.

CVE-2025-0282 — rated a "critical" 9.0 in CVSS — does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to successfully reverse engineer an exploit after comparing ICS's patched and unpatched versions.

Related:Best Practices & Risks Considerations in LCNC and RPA Automation

According to Mandiant, a threat actor began exploiting CVE-2025-0282 in mid-December, deploying the same "Spawn" family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:

*   The SpawnAnt installer, which drops its malware colleagues and persists through system upgrades
    
*   SpawnMole, which facilitates back-and-forth communications with attacker infrastructure
    
*   SpawnSnail, a passive secure shell (SSH) backdoor
    
*   SpawnSloth, which tampers with logs to conceal evidence of malicious activity
    

"The threat actor's malware families demonstrate significant knowledge of the Ivanti Connect Secure appliance," says Mandiant senior consultant Matt Lin. In fact, besides UNC5337 and its spawn, researchers also observed two more unrelated but equally bespoke malware deployed to infected devices. One — DryHook, a Python script — is designed to steal user credentials off targeted devices.

The other, PhaseJam, is a bash shell script that enables remote and arbitrary command execution. Most creative, though, is its ability to maintain persistence through sleight of hand. If an administrator attempts to upgrade their device — a process that would unseat PhaseJam — the malware will instead show them a fake progress bar that simulates each of the 13 steps one might expect in a legitimate update. Meanwhile, in the background, it prevents the legitimate update from running, thereby ensuring that it lives another day.

Related:Cybercriminals Don't Care About National Cyber Policy

DryHook and PhaseJam might have been the work of UNC5337, Mandiant noted, or another threat actor altogether.

**Time to Update**

Data from The ShadowServer Foundation suggests that north of 2,000 ICS instances could be vulnerable at the time of writing, with the greatest concentration in the US, France, and Spain.

Source: The Shadowserver Foundation

Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have published instructions for mitigating CVE-2025-0282, emphasizing that network defenders should run Ivanti's built-in Integrity Checker Tool (ICT) to seek out infections, and implement patches immediately.

"We have released a patch addressing vulnerabilities related to Ivanti Connect Secure," an Ivanti spokesperson tells Dark Reading. "There has been limited exploitation of one of the vulnerabilities and we are actively working with affected customers. Ivanti’s ICT has been effective in identifying compromise related to this vulnerability. Threat actor exploitation was identified by the ICT on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

It may be worth noting that unlike ICS, Policy Secure and ZTA gateways won't be receiving their patches until Jan. 21. In its security advisory, Ivanti stated that ZTA gateways "cannot be exploited when in production," and that Policy Secure is designed to not be Internet-facing, reducing the risk of exploitation via CVE-2025-0282 or similar vulnerabilities.

"It's important that administrators here are doing the right things," Marrè says, noting, "That may result in some downtime, which can be disruptive for organizations, which can lead to them putting it off, or not fixing it as thoroughly and as well as they should."

Lin adds, "We’ve observed organizations that have historically acted promptly in response to these threats did not experience the same negative impacts when compared to organizations that failed to do the same." He also acknowledges, "All the swirl that takes place in the background once one of these patches is announced.

"Security teams across orgs have to scramble to not just patch, but also understand whether they’re vulnerable, and if so, do they only need to patch, or have they already been breached? And if they have been breached, that starts another incident response, which creates massive workflows across companies around the world. It’s important to not lose sight of the toil and exhaustion that defenders go through when assessing these scenarios and not be hyper critical of their initial reaction times."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Threat Actors Exploit a Critical Ivanti RCE Bug, Again

Ivanti has issued a critical security advisory addressing two vulnerabilities in its Connect Secure, Policy Secure, and ZTA Gateway products.

****SUMMARY****

*   **Critical Vulnerabilities Identified**: Ivanti has disclosed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Connect Secure, Policy Secure, and ZTA Gateways, with CVE-2025-0282 already being actively exploited.

*   **Impact of Vulnerabilities**: CVE-2025-0282 allows unauthenticated remote attackers to execute arbitrary code, potentially gaining full control of affected systems. CVE-2025-0283 enables local authenticated attackers to escalate privileges, posing significant security risks.

*   **Patch Availability**: Ivanti has released a patch for Connect Secure (version 22.7R2.5) addressing both vulnerabilities. Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.

*   **Recommended Actions**: Ivanti advises organizations to immediately patch Connect Secure systems, isolate vulnerable Policy Secure and ZTA Gateways, and monitor systems closely using tools like the Integrity Checker Tool (ICT).

*   **Expert Warning**: Experts highlight the urgency of patching and maintaining heightened vigilance against potential cyberattacks, citing past incidents like the Akira breach as reminders of the risks involved.

Ivanti has raised concerns about two remotely exploitable vulnerabilities in its enterprise-facing products, with one bug already being exploited in the wild.

According to Ivanti’s security advisory, the company has addressed two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

CVE-2025-0282, the more critical of the two, is a stack-based buffer overflow vulnerability in Ivanti Connect Secure. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems. Essentially, attackers can remotely compromise the system without any prior knowledge or credentials, potentially gaining complete control over the affected appliance.

CVE-2025-0283, while still a high-severity vulnerability, is less critical. This vulnerability, also a stack-based buffer overflow, allows local authenticated attackers to escalate their privileges on the system. This means that an attacker who already has legitimate access to the system can exploit this vulnerability to gain higher-level privileges, potentially compromising sensitive data or disrupting critical operations.

Ivanti has released a patch for Connect Secure (version 22.7R2.5), addressing both vulnerabilities. However, patches for Policy Secure and ZTA Gateways are not yet available and are scheduled for release on January 21st, 2025.

Given the active exploitation of CVE-2025-0282, Ivanti strongly urges organizations to prioritize patching their Connect Secure appliances immediately. For Policy Secure and ZTA Gateways, proactive measures such as temporarily isolating affected systems are recommended until the patches become available.

To mitigate the risks associated with these vulnerabilities, Ivanti recommends applying the latest patches as soon as they become available. For Connect Secure, upgrading to version 22.7R2.5 is suggested. Moreover, closely monitoring systems using the Integrity Checker Tool (ICT) and other security monitoring tools is essential to detect any signs of compromise.

In addition, the company recommends Policy Secure and ZTA Gateways users consider isolating affected systems from the network until the patches are applied. Organizations utilizing Ivanti products should prioritize implementing these recommendations to mitigate the risks associated with these vulnerabilities.

Martin Jartelius, CISO at Outpost24 commented on the latest development urging impacted parties to immediately install patches. “Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available, so anyone impacted should firstly patch at once, and secondly, review their readiness in incident response and keep extra eyes on their monitoring for the near future._“_

1.  **Hackers Target Ivanti Users Despite Patches**
2.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
3.  **Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware**
4.  **Magnet Goblin Hackers Using Ivanti Flaws to Drop Linux Malware**
5.  **Dell Urges Immediate Update to Fix Power Manager Vulnerability**

Ivanti Urges Patch for Flaws in Connect Secure, Policy Secure and ZTA Gateways

Cybercriminals are luring victims into downloading the XMRig cryptomining malware via convincing emails, inviting them to schedule fake interviews using a malicious link.

Source: ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a cryptominer on their victims' devices.

This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.

The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported "CRM application."

"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme," said Chance Caldwell, senior director of the Phishing Defense Center at Cofense, in an emailed statement. "The campaign uses URLs that were created to look like they might actually belong to CrowdStrike, and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal. Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike."

**Malicious Recruiter Lures Target Both Windows & Mac**

The site offers options for both Windows and macOS, and regardless of which option the victim chooses, once selected, it will download a Windows executable written in Rust. The executable will then download the cryptominer XMRig.

The executable runs several environmental checks to analyze the device and evade detection, such as scanning the running processes, verifying the CPU, and more.

If the checks are passed, the executable will display a false error message pop-up for the user, while downloading additional payloads needed to run the XMRig miner.

CrowdStrike, which identified the campaign just days ago, is warning job seekers to be vigilant, as this is not the only scam involving fake employment offers that's circulating out there.

It recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview, and it stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting \[email protected\].

"It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process," Caldwell noted. "Any suspicious requests, such as this one, should be sufficiently verified before downloading anything, and contact information should be verified through the legitimate company website."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tag

#git