Multiple Vulnerabilities in Citrix Products Could Allow For Disclosure Of Sensitive Data – PATCH NOW

Multiple vulnerabilities have been discovered in Citrix products, the most severe of which could allow disclosure of sensitive data. Citrix ADC performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4 – Layer 7 network traffic for web applications. Successful exploitation of the most severe of these vulnerabilities could allow for memory overread, leading to disclosure of potentially sensitive information such as authenticated session tokens. Depending on the sensitive information retrieved via this technique, the attacker may gain further access to the appliance or systems.

THREAT INTELLIGENCE:
There are currently no reports of the vulnerabilities being exploited.

SYSTEMS AFFECTED:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

RISK:
Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: N/A

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Citrix products, the most severe of which could allow disclosure of sensitive data. Details of the most severe vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • An out-of-bounds read vulnerability in NetScaler ADC and NetScaler Gateway affecting systems configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It stems from insufficient input validation. Successful exploitation allows a remote, unauthenticated threat actor to trigger memory overreads on the affected interface. (CVE-2025-5777)

Additional lower severity vulnerabilities:

  • An improper access control vulnerability in the NetScaler Management Interface of NetScaler ADC and NetScaler Gateway, affecting version 14.1 before 14.1-43.56 and version 13.1 before 13.1-58.32. It stems from insufficient enforcement of access restrictions on management endpoints. Successful exploitation allows an unauthenticated threat actor with access to the NSIP (NetScaler IP for management), Cluster Management IP, or local GSLB (Global Server Load Balancing) Site IP to interact with restricted management functions. (CVE-2025-5349)

Successful exploitation of the most severe of these vulnerabilities could allow for memory overread, leading to disclosure of potentially sensitive information such as authenticated session tokens. Depending on the sensitive information retrieved via this technique, the attacker may gain further access to the appliance or systems.
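The first practical question for a defender is which appliances in the estate are still below the fixed builds listed above. The following Python triage helper is an added example and not Citrix's or the advisory's own code; it assumes the `show version` output format `NetScaler NS<branch>: Build <build>.<rev>.nc, ...` and asks the caller to flag FIPS/NDcPP appliances, because the 13.1-FIPS track (37.x) would otherwise compare as older than the 13.1 mainline fix (58.32) and be misreported. The inventory lines are constructed sample data.

```python
import re
from typing import NamedTuple, Optional

# Minimum fixed builds from the advisory. Key: (release branch, FIPS/NDcPP track).
# The FIPS flag matters: 13.1-FIPS 37.235 is fixed even though 37.235 < 58.32.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True):  (37, 235),   # 13.1-FIPS and NDcPP
    ("12.1", True):  (55, 328),   # 12.1-FIPS
}

# Matches the version line printed by `show version`, e.g.
# "NetScaler NS14.1: Build 43.50.nc, Date: ..." (assumed format).
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<rev>\d+)")


class Verdict(NamedTuple):
    branch: str
    build: str
    fixed_build: Optional[str]
    status: str          # "fixed", "vulnerable" or "not_listed"


def assess(show_version_line: str, fips: bool = False) -> Verdict:
    """Classify one appliance from its `show version` line."""
    m = VERSION_RE.search(show_version_line)
    if m is None:
        raise ValueError(f"unrecognised version line: {show_version_line!r}")
    branch = m["branch"]
    build = (int(m["build"]), int(m["rev"]))
    build_str = f"{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        # Branch/track not in the advisory's fixed list (e.g. 13.0): there is no
        # fixed build to compare against, so it needs manual review.
        return Verdict(branch, build_str, None, "not_listed")
    fixed_str = f"{fixed[0]}.{fixed[1]}"
    # Tuple comparison handles build and revision numbers in one step.
    status = "fixed" if build >= fixed else "vulnerable"
    return Verdict(branch, build_str, fixed_str, status)


def triage(inventory):
    """inventory: iterable of (hostname, show_version_line, is_fips) tuples."""
    return {host: assess(line, fips) for host, line, fips in inventory}


# Constructed sample inventory (hostnames and dates are made up).
SAMPLE_INVENTORY = [
    ("gw-dmz-01",  "NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025",  False),
    ("gw-dmz-02",  "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025", False),
    ("gw-fips-01", "NetScaler NS13.1: Build 37.235.nc, Date: Jun 10 2025", True),
    ("gw-lab-01",  "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2024",  False),
]

if __name__ == "__main__":
    for host, v in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {v.branch}-{v.build:<8} fixed={v.fixed_build}  -> {v.status}")
```

A "fixed" verdict only means the code is patched; the session-termination step below still has to be carried out, because session tokens disclosed before the upgrade remain valid until the sessions are killed.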

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the stable channel update provided by Citrix to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Citrix recommends running the following commands to terminate all active ICA and PCoIP sessions after the appliances have been upgraded:
    • kill icaconnection -all
    • kill pcoipConnection -all
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Citrix:
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5777

Analyzing Collusion Threats in the Semiconductor Supply Chain | NIST Cybersecurity White Paper 46

Supply chain threat analysis is an essential component of security research. NIST Cybersecurity White Paper (CSWP) 46, Analyzing Collusion Threats in the Semiconductor Supply Chain, proposes a framework for analyzing threats related to the semiconductor supply chain. The framework introduces a metric that quantifies the severity of different threats subjected to a collusion of adversaries from different stages of the supply chain. Two different case studies are provided to describe the real-life application of the framework. The metrics and analysis aim to guide security efforts and optimize the trade-offs of hardware security and costs.

Read More

NIST Withdraws SP 800-102, Recommendation for Digital Signature Timeliness

In November 2024, NIST’s Crypto Publication Review Board announced the review of NIST Special Publication (SP) 800-102, Recommendation for Digital Signature Timeliness (2009).  On April 10, 2025, NIST proposed withdrawing SP 800-102 and received one public comment in response, which agreed with NIST’s proposal. 

NIST has decided to withdraw this publication. 

Information about the review process is available at NIST’s Crypto Publication Review Project.

Read More

Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) (hereafter referred to as the authoring agencies) released a Joint Fact Sheet strongly urging organizations to remain vigilant for potential targeted cyber activity against US critical infrastructure and other US entities by Iranian-affiliated cyber actors.
Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity. The authoring agencies are continuing to monitor the situation and will release pertinent cyber threat and cyber defense information as it becomes available.
Based on the current geopolitical environment, Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations. Defense Industrial Base (DIB) companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk. Hacktivists and Iranian-government-affiliated actors routinely target poorly secured US networks and internet-connected devices for disruptive cyberattacks.
Iranian-affiliated cyber actors and aligned hacktivist groups often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs) or the use of default or common passwords on internet-connected accounts and devices. (Note: See CISA’s Known Exploited Vulnerabilities Catalog for more information on vulnerabilities that have been exploited in the wild). These malicious cyber actors commonly use techniques such as automated password guessing, cracking password hashes using online resources, and inputting default manufacturer passwords. When specifically targeting operational technology (OT), these malicious cyber actors also use system engineering and diagnostic tools to target entities such as engineering and operator devices, performance and security systems, and vendor and third-party maintenance and monitoring systems.
The Joint Fact Sheet contains threat activity, previous cyber campaigns, mitigation recommendations, additional resources, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Recommendation for Key Management | NIST Requests Public Comments on SP 800-57 Parts 2 and 3

NIST maintains its cryptography standards and guidelines using a periodic review process. Currently, NIST seeks your feedback on all aspects of these two publications: 

The public comment period is open through September 30, 2025. Send comments to cryptopubreviewboard@nist.gov with “Comments on SP 800-57 Part 2” or “Comments on SP 800-57 Part 3” in the subject line. 

Comments received in response to this request will be posted on the Crypto Publication Review Project site after the comment due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Click the “Read More” button below for additional information about the review process. 

Read More

Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals. NOTE: If you already receive cybersecurity advisories direct from the MS-ISAC, please let us know by responding to this email.
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, threat actors could then install programs; view, change, delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6554 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 
Systems Affected
– Chrome prior to 138.0.7204.96/.97 for Windows
– Chrome prior to 138.0.7204.92/.93 for Mac
– Chrome prior to 138.0.7204.92 for Linux
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
– Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Restrict execution of code to a virtual environment on or in transit to an endpoint system.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
– Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
– Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
– Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Reference
Google:
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html 

Draft SP 800-53 Controls on Secure and Reliable Patches Available for Comment

NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025. 

NIST proposes an update to an existing control enhancement, two new control enhancements, six updates to existing control/control enhancement discussions, and updates to related controls for the new control enhancements. The updates address software resiliency, developer testing, secure logging, least privilege for functions and tools, deployment management of updates, software integrity and validation, delineation of roles and responsibilities between organizations and developers, and root cause analysis and improvement.

The NIST SP 800-53 Public Comment Site provides an online tool for quickly reviewing the proposed updates, providing real-time comments, and viewing the unattributed comments of other users. Suggestions for new controls and edits to existing controls can also be submitted at any time. This tool allows NIST to maintain its open and transparent comment process while promoting a more agile and efficient delivery approach. Only changed or new controls are being issued as drafts for public comment, enabling more efficient comment participation and adjudication. NIST plans to issue the finalized updates to NIST SP 800-53 as a dataset through the Cybersecurity and Privacy Reference Tool.

Following the completion of the comment period, NIST will review and adjudicate comments. NIST SP 800-53 Release 5.2.0 will be issued on or before September 2, 2025, as an online dataset on the Cybersecurity and Privacy Reference Tool.

Questions on the NIST SP 800-53 Public Comment Site and draft SP 800-53 controls can be directed to 800-53comments@list.nist.gov.

Read More

Multiple Vulnerabilities in Microsoft SharePoint Server Could Allow for Remote Code Execution – PATCH NOW

Multiple Vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Microsoft SharePoint Server is a web-based collaborative platform that integrates with Microsoft Office. Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

THREAT INTELLIGENCE:
CISA is aware of active exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

SYSTEMS AFFECTED:

  • Microsoft SharePoint Server Subscription Edition prior to security update KB5002768.
  • Microsoft SharePoint Server 2019 Core prior to security update KB5002754.
  • Microsoft SharePoint Server 2019 Language Pack prior to security update KB5002753
  • Microsoft SharePoint Enterprise Server 2016 prior to security update KB5002760.
  • Microsoft SharePoint Enterprise Server 2016 Language Pack prior to security update KB5002759.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple Vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. (CVE-2025-53770)
  • Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. (CVE-2025-53771)
    • These vulnerabilities are evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706), for which initial vendor-provided remediation was incomplete, enabling attackers to achieve unauthenticated RCE attacks through advanced deserialization techniques and ViewState abuse. Patches addressing these vulnerabilities were released by Microsoft on July 20. 

Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.
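The "ViewState abuse" mentioned above turns on one fact: ASP.NET only deserializes a ViewState blob after its MAC validates under the server's machine key, so whoever holds that key can hand the server an arbitrary serialized object. The Python model below is an added example, not Microsoft's code and not the real ViewState wire format (it uses JSON plus HMAC-SHA256 in place of the .NET serializer and MAC scheme). It shows why a patch alone is insufficient once the key may have been read: a payload signed with the leaked key keeps validating until the key is rotated.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: dict, machine_key: bytes) -> str:
    """Serialize `state` and append an HMAC-SHA256 tag keyed with the machine key."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(machine_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def load_viewstate(blob: str, machine_key: bytes) -> dict:
    """Validate the MAC first; only a blob that passes is deserialized."""
    raw = base64.b64decode(blob)
    if len(raw) < TAG_LEN:
        raise ValueError("ViewState too short to carry a MAC")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(machine_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(body)


def attacker_can_forge(server_key: bytes, attacker_key: Optional[bytes]) -> bool:
    """True if a payload the attacker signs with `attacker_key` passes the server's check.

    The payload stands in for a deserialization gadget; nothing here executes it.
    """
    payload = {"__type": "simulated-gadget", "cmd": "whoami"}   # constructed marker, not a real gadget
    if attacker_key is None:
        return False          # no key at all: nothing to sign with
    forged = sign_viewstate(payload, attacker_key)
    try:
        load_viewstate(forged, server_key)
        return True
    except ValueError:
        return False


def scenario() -> dict:
    """Walk the three states that matter for incident response."""
    server_key = secrets.token_bytes(64)
    results = {}
    # 1. Attacker has no key and guesses one: the MAC check rejects the forgery.
    results["no_key"] = attacker_can_forge(server_key, secrets.token_bytes(64))
    # 2. Attacker obtained the live machine key (the post-exploitation goal in the
    #    chain described above): the forgery validates and would be deserialized.
    results["leaked_key"] = attacker_can_forge(server_key, server_key)
    # 3. Defender rotates the key: payloads signed under the old key stop validating.
    rotated_key = secrets.token_bytes(64)
    results["after_rotation"] = attacker_can_forge(rotated_key, server_key)
    return results


if __name__ == "__main__":
    for step, forged_ok in scenario().items():
        print(f"{step:<15} forged payload accepted: {forged_ok}")
```

The model is deliberately generic: the same reasoning applies to any framework that MAC-protects a serialized client-side state blob, and the remediation order it implies (patch, then rotate the signing key, then restart the service so the new key is in effect) is what invalidates artifacts an intruder produced before the patch.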

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. 
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. 
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. 
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. 
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Microsoft:

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770

CISA:

https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770

Trendmicro:

https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

Unit42:

https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53770

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53771

Joint Advisory Issued on Protecting Against Interlock Ransomware

CISA, in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center issued a joint Cybersecurity Advisory to help protect businesses and critical infrastructure organizations in North America and Europe against Interlock ransomware.  

This advisory highlights known Interlock ransomware indicators of compromise and tactics, techniques, and procedures identified through recent FBI investigations.  

Actions organizations can take today to mitigate Interlock ransomware threat activity include:  

  • Preventing initial access by implementing domain name system filtering and web access firewalls and training users to spot social engineering attempts.  
  • Mitigating known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.  
  • Segmenting networks to restrict lateral movement from initial infected devices and other devices in the same organization.  
  • Implementing identity, credential, and access management policies across the organization and then requiring multifactor authentication for all services to the extent possible.  

The #StopRansomware Interlock joint Cybersecurity Advisory is part of an ongoing effort to publish guidance for network defenders that detail various ransomware variants and ransomware threat actors. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. 

Sneaky Log Phishing-as-a-Service

“Sneaky Log” is a sophisticated cybercrime group that emerged in late 2024, operating a Phishing-as-a-Service (PhaaS) kit called “Sneaky 2FA” which is designed to bypass two-factor authentication (2FA), also known as multi-factor authentication (MFA). This kit generates highly realistic phishing webpages, often pre-populated with the victim’s email address. It harvests Microsoft 365 session cookies to circumvent MFA, allowing attackers to authenticate directly to services. “Sneaky 2FA” also employs advanced evasion techniques like blurring login backgrounds and distinguishing between human users and bots to avoid detection and analysis. Offered on a monthly subscription basis for around $200 via Telegram, “Sneaky 2FA” highlights the ongoing struggle between cyber defenders and evolving threat tactics.
The NJCCIC detected a new variant of Sneaky Log in which the message contains a URL that leads to a password-protected PDF file hosted on Adobe[.]com or Google Drive. In one campaign, threat actors use compromised accounts to send a “Kindly review the document” themed message that also contains the password for viewing the document on an Adobe[.]com webpage.
Once the intended victim clicks the link and enters their password, they are presented with a “Review Document” link impersonating a PDF file. If the intended victim clicks this link, they are redirected to a website hosting the “Sneaky 2FA” kit.
The kit uses a Cloudflare Turnstile challenge, IP filtering, and anti-debugging to evade bot sandboxing and analysis.
If the kit detects bot sandboxing or analyst activity, it redirects to a benign site (e.g., Wikipedia) or shows other harmless content.
If the kit determines the activity as a potential victim, it proceeds to the next stage and displays a fake Microsoft sign-in screen.
If the victim enters their credentials, the kit performs credential and session cookie harvesting (Adversary-in-the-Middle, AiTM) by:

  • Intercepting the victim's credentials.
  • Forwarding the credentials to the legitimate Microsoft 365 login page.
  • Intercepting the response from the legitimate service, including MFA prompts.
  • If MFA is required, presenting the MFA prompt to the victim and intercepting the MFA code.
  • Using the MFA code to complete the authentication process and then harvesting the session cookies issued by the legitimate service after successful authentication. This step allows the attacker to replay the session to gain access to the victim's account without needing to enter the victim's password or MFA again.
After successfully collecting the session cookies, the kit will often redirect the victim to a legitimate page (e.g., their actual Microsoft 365 dashboard or a generic website) to avoid suspicion.
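Because the kit replays a cookie that the legitimate service itself issued, the sign-in that matters for detection is not the phishing page but the second use of the same session from the attacker's infrastructure. The following Python detector is an added example and not the NJCCIC's or any vendor's code; it runs over constructed sign-in records whose field names (`session_id`, `asn`, `mfa`, and so on) are assumptions modelled on what identity-provider sign-in logs typically carry, and it flags a session that, shortly after an MFA-satisfied sign-in, is used from a different network and country without a fresh MFA event.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (no real tenant, users or addresses). One JSON object per line.
# alice: MFA sign-in from AS64500/US, then the same session used 95 s later from AS64510/NL
#        with no MFA event: the AiTM cookie-replay pattern.
# bob:   IP changes within the same network/country: normal roaming, not flagged.
# carol: a failed sign-in only: nothing to replay.
SAMPLE_SIGNIN_LOG = """
{"ts": "2025-07-21T09:02:10Z", "user": "alice@example.test", "ip": "203.0.113.10",  "asn": "AS64500", "country": "US", "session_id": "s-1001", "mfa": true,  "result": "success"}
{"ts": "2025-07-21T09:03:45Z", "user": "alice@example.test", "ip": "198.51.100.77", "asn": "AS64510", "country": "NL", "session_id": "s-1001", "mfa": false, "result": "success"}
{"ts": "2025-07-21T10:15:00Z", "user": "bob@example.test",   "ip": "203.0.113.22",  "asn": "AS64500", "country": "US", "session_id": "s-2002", "mfa": true,  "result": "success"}
{"ts": "2025-07-21T11:40:00Z", "user": "bob@example.test",   "ip": "203.0.113.23",  "asn": "AS64500", "country": "US", "session_id": "s-2002", "mfa": false, "result": "success"}
{"ts": "2025-07-21T12:00:00Z", "user": "carol@example.test", "ip": "192.0.2.5",     "asn": "AS64520", "country": "DE", "session_id": "s-3003", "mfa": true,  "result": "failure"}
"""


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON records and convert timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_cookie_replay(events: list, window: timedelta = timedelta(hours=12)) -> list:
    """Flag sessions reused from a different ASN and country soon after an MFA sign-in.

    Only successful events are considered; the earliest one for a session is taken as
    the origin (the victim completing MFA through the proxy). A later event in the same
    session from another network and country, without its own MFA event, is reported.
    """
    by_session = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]
        if not origin["mfa"]:
            continue            # no MFA at origin: a different detection, not replay of an MFA'd cookie
        for later in evs[1:]:
            same_network = later["asn"] == origin["asn"] and later["country"] == origin["country"]
            if same_network or later["mfa"] or later["ts"] - origin["ts"] > window:
                continue
            alerts.append({
                "user": origin["user"],
                "session_id": sid,
                "origin_ip": origin["ip"],
                "origin_asn": origin["asn"],
                "replay_ip": later["ip"],
                "replay_asn": later["asn"],
                "seconds_after_mfa": int((later["ts"] - origin["ts"]).total_seconds()),
            })
            break               # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_replay(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"possible AiTM session replay: {a['user']} session {a['session_id']} "
              f"MFA from {a['origin_ip']} ({a['origin_asn']}), reused from "
              f"{a['replay_ip']} ({a['replay_asn']}) after {a['seconds_after_mfa']}s")
```

Requiring both ASN and country to differ keeps mobile-carrier and office-to-home roaming out of the alert stream; it will miss an attacker who replays from the victim's own country and carrier, and it will fire on a user who switches to a foreign VPN within the window, so treat a hit as a trigger for session revocation and user contact rather than as proof. Revoking the session (so the stolen cookie no longer works) is the response; a password reset alone does not invalidate an already-issued session.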