My information Resource (blog.mir.net)

A vulnerability has been discovered in Ivanti Connect Secure, Policy Secure, and ZTA Gateways which could allow for remote code execution. Ivanti Connect Secure (formerly Pulse Connect Secure) is a widely deployed SSL VPN solution that provides secure and controlled access to corporate data and applications for remote and mobile users, offering features like single sign-on, multi-factor authentication, and integration with various security frameworks. Ivanti Policy Secure (IPS) is a Network Access Control (NAC) solution that provides network access only to authorized and secured users and devices, offering comprehensive NAC management, visibility, and monitoring to protect networks and sensitive data. Ivanti Neurons for Zero Trust Access (ZTA) Gateway is a component of Ivanti’s zero-trust network access solution. Successful exploitation could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, a threat actor could then install programs and view, change, or delete data.

Threat Intelligence Ivanti is aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support (EOS) Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure.

Systems Affected

Pulse Connect Secure 9.1R18.9 and prior (EOS) Ivanti Connect Secure 22.7R2.5 and prior Ivanti Policy Secure 22.7R1.3 and prior ZTA Gateways 22.8R2 and prior

Risk Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References Ivanti: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22457

Session highlights

After the keynote, you can listen or watch all the way through or pick and choose from mostly 30-minute sessions according to your interests. Here is a small sample of the sessions we have planned:

• Upgrades made easy with Windows Server 2025: Discover why Windows Server 2025 is the easiest version to upgrade ever. Join Rob Hindman and Jeff Woolsey as they delve into media upgrades and feature updates.
• Securing Active Directory: Join Active Directory Program Manager Cliff Fisher for a deep dive into new security features, policies, and defaults for Windows Server 2025. Learn about the new Windows Local Administrator Password Solution (LAPS) features, Delegated Managed Service Accounts, and more.
• Windows Server Hyper-V Architecture, features, GPUs, and more! Explore the new GPU partitioning innovation in Windows Server 2025 Hyper-V. This session will cover use cases and hardware considerations.
• Modernize server management and connectivity with Azure Arc: Connect Windows Servers across hybrid, multicloud, and edge environments to Azure. This session will showcase connectivity options and highlight Azure capabilities focused on SCCM modernization.
• What’s next for advanced storage: Discover the major improvements to storage in Windows Server 2025 and get a sneak peek at innovations like Native NVMe (nonvolatile memory express) and rack-aware clustering.
• Fine-tuned host networking for Windows Server 2025: Transform your network setup and management for Windows Server 2025 clusters with Network ATC and Network HUD. Learn how to achieve peak network performance for your workloads with AccelNet.
• SDN magic—Windows Server 2025 innovations: Uncover the power of software-defined networking on Windows Server 2025, including effortless deployments with native SDN (Software-defined networking) and enhanced security posture for your applications.
• Harden security and build resiliency with Windows Server 2025: Stay up-to-date with the latest security features and best practices for securing Windows Server. Learn about Microsoft Defender for Cloud and more.
• Hotpatching and update management for Windows Server with Azure Arc: Learn about the popular new hotpatching feature in Windows Server 2025 and watch demos on managing updates with Azure Arc.
• The Support Case Files—Windows Server troubleshooting tips: Join our Windows Server support engineers as they break down your most requested support cases.
• From on-premises to cloud with Azure File Sync: Learn how to use Azure File Sync to employ hybrid topologies and migrate seamlessly from on-premises to cloud.

Don’t miss out!

Windows Server Summit is a special virtual event with a community-driven, educational focus, and Microsoft engineers as featured speakers. While most of the sessions are advanced and assume good Windows Server experience, you will get something out of this event, whether you are a seasoned IT professional or just starting your journey. We hope you will join us live so you can participate in the Q&A, but if you cannot, sessions will be available on demand a few days after the event. Sign up now and join us for two days of learning together.

Click Here to register

Incident response is a critical part of cybersecurity risk management and should be integrated across organizational operations. The six Functions of the NIST Cybersecurity Framework (CSF) 2.0 all play vital roles in incident response.

NIST has finalized Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, which describes how to incorporate incident response recommendations into cybersecurity risk management activities in alignment with CSF 2.0. This guidance will help organizations reduce the number and impact of incidents that occur and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.

SP 800-61r3 supersedes SP 800-61r2 (Revision 2), Computer Security Incident Handling Guide.

Readers of SP 800-61r3 are encouraged to utilize the resources on NIST’s Incident Response project page in conjunction with this document to implement these recommendations and considerations. 

Read More

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this Joint Cybersecurity Advisory  to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This joint advisory also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.

The authoring agencies recommend all stakeholders—government and providers— collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

The initial public draft (ipd) of NIST Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems, is now available for public comment.

Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure development and deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures to prevent their exploits.

This document addresses the following aspects for achieving that goal:

1. The identification and analysis of risk factors or vulnerabilities introduced during various activities of API development and runtime,
2. Recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of APIs, and
3. An analysis of the advantages and disadvantages of various implementation options (i.e., patterns) for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their APIs.

The public comment period is open through May 12, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

Responding to the need to propel AI innovation by developing AI standards more quickly while encouraging openness and collaboration – incorporating a wide range of expertise – NIST is launching its AI Standards Zero Drafts Pilot Project. 

As discussed at NIST’s AI symposium in September, this initiative will pilot a new process of distilling stakeholder views into “zero drafts”—thorough but preliminary proposals that will be submitted into the private sector-led standardization process to be developed into voluntary consensus standards.

NIST has proposed initial topics related to testing, evaluation, verification, and validation; AI design and architecture concepts; transparency documentation; among others. NIST solicits private and public sector input on priority topics and scoping. For each topic selected by NIST based on this feedback, the agency anticipates releasing a concept paper for public comment. NIST then will propose and revise a document to be submitted to the formal standardization process.

More details are available on a dedicated NIST web page. Please send any suggestions via email to [email protected].

Threat actors continue to exploit trusted financial software through impersonation, phishing emails, and fraudulent invoices or transactions. They can sign up for free accounts for legitimate software and target potential victims from within those services, utilizing email addresses from domains not flagged by typical security tools. They can also combine voice and email phishing techniques in telephone-oriented attack delivery (TOAD) attacks, relying on their targets to call actor-controlled phone numbers directly. The threat actors impersonate the trusted service and trick the targets into disclosing sensitive information over the phone, such as login credentials or financial information. TOAD attacks can result in credential theft, financial fraud, unauthorized access, malware installation, and ransomware.

The NJCCIC’s email security solution identified a TOAD attack impersonating Intuit QuickBooks and Stripe by Commerce Sync. The message appears to be created on legitimate Stripe infrastructure to evade detection. It contains a PDF attachment purporting to be a legitimate Intuit QuickBooks invoice for an upcoming subscription renewal. The threat actors use QuickBooks and Stripe branding in the message and PDF attachment. However, upon closer inspection, the message is suspicious because the QuickBooks name has a space in the subject line, sender’s display name, email content, and attachment. The invoice is addressed and billed to a generic “user.” Also, the link to pay the invoice does not navigate to verified Stripe domains and instead displays that the invoice is not found, forcing the target to call actor-controlled phone numbers, such as 888-375-7282, 888-652-2384, 888-514-8354, and others. The message and attachment also prompt the target to email sales with questions or in need of assistance to non-Intuit email addresses with “quicksbook[.]com” and “quick-books[.]com” domains instead of official Intuit domains.

Recommendations

Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders. Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources. Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages. Safeguard your information and accounts, including account credentials and other sensitive information. Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the Federal Trade Commission (FTC), or the credit reporting bureaus. Report phishing emails and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

The NJCCIC was recently notified of a cyber incident in which a threat actor compromised a user’s account credentials by targeting the Password Hash Synchronization (PHS) login method. Azure utilizes PHS to validate credentials and authenticate users without needing an additional Identity Provider (IdP). When PHS is enabled, Azure AD Connect uses the AD replication protocol to retrieve the password NT hash for every synced user. The hash is then rehashed and synced to Azure AD. Even if another authentication mechanism is used, PHS is enabled by default and will be used as a backup method during server outages. In a PHS attack, the threat actor exploits PHS and Azure AD Connect server functionality, often by intercepting connector credentials via man-in-the-middle attacks or injecting malicious code directly into the PHS process, allowing them to extract the domain users’ NT hashes.

In the recent incident, after compromising the account, the threat actor created a new computer name and established an alternate phone number as the account’s method for multi-factor authentication (MFA). Within a few hours of gaining access to the compromised account, the threat actors sent nearly 800 phishing emails to both internal and external accounts. These emails likely aimed to compromise additional user accounts for subsequent cyber threat activity; threat actors often compromise user accounts prior to launching ransomware attacks.

Recommendations

Ensure user accounts require MFA, favoring authentication apps and hardware tokens over SMS-based codes. As advised by Microsoft, treat Azure AD Connect as a Tier 0 server. Implement network segmentation to reduce the impact of a network compromise. Monitor for man-in-the-middle attacks and atypical network and account behavior. Follow the principle of least privilege to reduce the number of accounts with unnecessary access. Revoke session tokens when an account is compromised and reduce the duration of valid session tokens. Review additional technical analysis in the Sygnia blog post.

A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. CrushFTP is a proprietary multi-protocol, multi-platform file transfer server. The vulnerability is mitigated if the DMZ feature of CrushFTP is in place. Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLEGENCE:
There are currently no reports of the vulnerability being exploited in the wild. 

SYSTEMS AFFECTED:

• CrushFTP v10 and v11 versions.

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in CrushFTP, which could allow for unauthorized access. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• An exposed HTTP(S) port on CrushFTP’s web interface could lead to unauthenticated access. The vulnerability is mitigated If you have the DMZ feature of CrushFTP in place.

Successful exploitation of this vulnerability could allow an attacker to remotely control the compromised server and execute remote code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate updates provided by CrushFTP or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

CrushFTP:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
 
Bleeping Computer:
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2825

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

Create a web shell, manipulate integrity checks, and modify files.  Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.  Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8.

For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.

CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:

For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.  See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset.  Reset credentials of privileged and non-privileged accounts.  Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.  Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.  Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.  Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.

For more guidance, see the Ivanti Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283).