Daily News Update: Friday, April 4, 2025 (Australia/Melbourne)

Chinese group exploiting Ivanti RCE bug since mid-March to drop web shells; DNS Fast Flux increasingly used by cyber crims & nation-states; GitHub Supply Chain attack traced to leaked Access Token in a CI workflow; Oracle says breach is of legacy system - receipts show otherwise.

China-Linked Group Exploiting Critical Ivanti Zero-Day (CVE-2025-22457)


Ivanti has released patches for a critical (CVSS 9.0) remote code execution (RCE) vulnerability, CVE-2025-22457, affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. Worryingly, a suspected China-nexus espionage group, tracked by Mandiant/Google as UNC5221, has been actively exploiting this flaw as a zero-day since at least mid-March.

The vulnerability is a stack-based buffer overflow impacting Pulse Connect Secure 9.1x (EoL), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and ZTA gateways. Ivanti had already fixed it in Connect Secure 22.7R2.6 back in February, but treated it as a low-risk product bug: the overflow only accepts a limited character set (periods and digits), so it was assessed as a denial-of-service issue at worst rather than an RCE. Further analysis revealed it could nonetheless be exploited for RCE through "sophisticated means."

Mandiant confirmed that UNC5221, known for targeting edge devices and exploiting previous Ivanti zero-days (including CVE-2025-0282, CVE-2023-46805, and CVE-2024-21887), identified the RCE potential and began exploitation. Following successful compromise, the group deploys two new malware families:

  • TRAILBLAZE: An in-memory dropper.
  • BRUSHFIRE: A passive backdoor injected into the /home/bin/web process.

They also deploy variants of the previously observed Spawn malware ecosystem.

💡
This campaign is in addition to CISA's reports of an actor exploiting CVE-2025-0282 in Ivanti Connect Secure, Policy Secure, and ZTA Gateway products to deploy the Resurge malware, which itself incorporates elements of the Spawn Chimera variant.

It's unclear if these two intrusion sets are related, but one thing's for sure - Ivanti vulnerabilities are in the crosshairs, and in need of urgent patching if you have one.

Ivanti is aware of a "limited number" of customers exploited via Connect Secure (pre-22.7R2.6) and the EoL Pulse Connect Secure 9.1x.

Note that patches for Policy Secure and ZTA gateways are not yet available: Ivanti expects to ship them on April 21 and April 19, respectively. Ivanti is currently unaware of exploitation targeting these specific products, but with the vulnerable code path already public they should be treated as exposed until patched.

Administrators are urged to update to Ivanti Connect Secure 22.7R2.6 immediately. For EoL products, migration to a supported platform is the only secure option. Admins should also run the external Integrity Checker Tool (ICT), monitor for web server crashes, and if compromised, factory reset appliances before deploying the patched software.

This incident marks at least the third time in three years that UNC5221 has exploited zero-days in Ivanti products, highlighting the persistent targeting of network edge devices by this threat actor.

Bleeping Computer | "Ivanti patches Connect Secure zero-day exploited since mid-March"

The Register | "Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years"


Agencies Warn of 'Fast Flux' DNS Evasion Technique


Cybersecurity agencies from the US (CISA, FBI, NSA), Australia (ACSC), Canada (CCCS), and New Zealand (NCSC-NZ) have issued a joint advisory warning about the increased use of 'Fast Flux' by cybercriminals and state-sponsored actors.

Fast Flux is a DNS technique used to hide the true location of malicious infrastructure (like C2 servers, phishing sites, malware delivery hosts) by rapidly changing the IP addresses and/or DNS name servers associated with a single domain name. This makes detection, blocking, and takedown efforts significantly harder.

The technique often leverages large botnets of compromised devices acting as proxies. Two main variants exist:

  • Single Flux: Rapidly rotating IP addresses associated with one domain.
  • Double Flux: Rapidly rotating both the IP addresses and the authoritative DNS name servers for a domain, adding another layer of obfuscation.

While not new (used by botnets for over a decade), its adoption by sophisticated actors, including ransomware groups like Hive and Nefilim, and state-backed groups like Russia's Gamaredon, has prompted the alert. Bulletproof hosting providers also increasingly offer Fast Flux services to help clients evade detection.

The rapid changes make traditional IP blocking ineffective and hinder law enforcement actions. Malicious actors blend this traffic with legitimate services, further complicating detection.

The advisory urges organisations, particularly Protective DNS (PDNS) providers, to implement multi-layered detection and mitigation strategies. Key detection methods include:

  • Analysing DNS logs for high IP rotation, low TTLs, high entropy, and geographic inconsistency.
  • Integrating threat intelligence feeds and reputation services.
  • Monitoring network flow and DNS traffic for unusual patterns.
  • Cross-referencing suspicious domains/emails with DNS anomalies.
  • Developing organisation-specific detection algorithms.
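
To make the log-analysis bullet concrete, here is an added Python example (mine, not code from the advisory or from any PDNS vendor) that scores domains from a passive-DNS style resolution log on the features listed above: how many distinct IPs and /16 prefixes a name resolves to, how low the TTLs are, how often the answer set changes between query rounds, and how many name servers the domain has churned through (the double-flux signal). The log lines, domain names, addresses and thresholds are all constructed for illustration; /16 prefix diversity stands in for the AS or geographic dispersion you would normally get from an ASN or GeoIP lookup.

```python
"""Heuristic fast-flux scoring over a passive-DNS style resolution log."""
from collections import defaultdict
import ipaddress
import statistics

# Constructed sample log (not real data). One observation per line:
#   <epoch-seconds> <qname> <rrtype> <rdata> <ttl>
# update-portal.example behaves like a double-flux domain; www.bigcdn.example
# is a stable two-address service with a long-lived name server.
SAMPLE_LOG = """\
1743724800 update-portal.example A 203.0.113.10 60
1743724800 update-portal.example A 100.64.12.9 60
1743724860 update-portal.example A 198.51.100.77 60
1743724860 update-portal.example A 100.65.3.200 60
1743724920 update-portal.example A 192.0.2.45 60
1743724920 update-portal.example A 100.66.40.1 60
1743724980 update-portal.example A 100.67.8.8 60
1743724980 update-portal.example A 203.0.113.211 60
1743724800 update-portal.example NS ns1.flux-dns.example 60
1743724860 update-portal.example NS ns7.flux-dns.example 60
1743724920 update-portal.example NS ns3.flux-dns.example 60
1743724980 update-portal.example NS ns9.flux-dns.example 60
1743724800 www.bigcdn.example A 192.0.2.8 300
1743724800 www.bigcdn.example A 192.0.2.9 300
1743724860 www.bigcdn.example A 192.0.2.8 300
1743724860 www.bigcdn.example A 192.0.2.9 300
1743724920 www.bigcdn.example A 192.0.2.9 300
1743724920 www.bigcdn.example A 192.0.2.8 300
1743724980 www.bigcdn.example A 192.0.2.8 300
1743724980 www.bigcdn.example A 192.0.2.9 300
1743724800 www.bigcdn.example NS ns1.bigcdn.example 86400
1743724980 www.bigcdn.example NS ns1.bigcdn.example 86400
"""

# Assumed thresholds for illustration only; tune them against your own baseline,
# since large CDNs also rotate addresses and use short TTLs.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MAX_TTL = 300
MIN_CHURN = 0.5
MIN_DISTINCT_NS = 3


def parse_log(text):
    """Yield (ts, qname, rrtype, rdata, ttl) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, rrtype, rdata, ttl = line.split()
        yield int(ts), qname.lower().rstrip("."), rrtype.upper(), rdata.lower(), int(ttl)


def profile_domains(records):
    """Aggregate the per-domain features the advisory's detection bullets describe."""
    a_rounds = defaultdict(lambda: defaultdict(set))  # domain -> ts -> {ip}
    ttls = defaultdict(list)
    ns_seen = defaultdict(set)
    for ts, qname, rrtype, rdata, ttl in records:
        if rrtype == "A":
            a_rounds[qname][ts].add(rdata)
            ttls[qname].append(ttl)
        elif rrtype == "NS":
            ns_seen[qname].add(rdata)

    profiles = {}
    for domain, rounds in a_rounds.items():
        ordered = [rounds[ts] for ts in sorted(rounds)]  # answer sets per query round
        ips = set().union(*ordered)
        # /16 prefix count approximates AS/geo dispersion without a network lookup.
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        changes = sum(1 for prev, cur in zip(ordered, ordered[1:]) if prev != cur)
        churn = changes / (len(ordered) - 1) if len(ordered) > 1 else 0.0
        profiles[domain] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttls[domain]),
            "median_ttl": statistics.median(ttls[domain]),
            "churn": churn,
            "distinct_ns": len(ns_seen[domain]),
        }
    return profiles


def classify(profile):
    """Return 'double-flux', 'single-flux' or 'benign' for one domain profile."""
    single = (
        profile["distinct_ips"] >= MIN_DISTINCT_IPS
        and profile["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
        and profile["min_ttl"] <= MAX_TTL
        and profile["churn"] >= MIN_CHURN
    )
    if not single:
        return "benign"
    # Rotating authoritative name servers on top of rotating IPs is the double-flux variant.
    return "double-flux" if profile["distinct_ns"] >= MIN_DISTINCT_NS else "single-flux"


def detect(text):
    """Map each domain in the log to its verdict."""
    return {d: classify(p) for d, p in profile_domains(parse_log(text)).items()}


if __name__ == "__main__":
    for domain, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{domain:28s} {verdict}")
```

Run against real resolver or PDNS logs, the rule above is deliberately conjunctive: no single feature (short TTLs, many addresses) is enough on its own, because legitimate CDNs share them, and it is the combination with high churn across unrelated prefixes that separates flux networks from load balancing.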

Mitigation recommendations involve using DNS/IP blocklists, firewall rules, reputational scoring, centralised logging with real-time alerting for anomalies, and participating in information sharing networks.

The Record | "US, Australia, Canada warn of ‘fast flux’ scheme used by ransomware gangs"

CyberScoop | "International intelligence agencies raise the alarm on fast flux"

Bleeping Computer | "CISA warns of Fast Flux DNS evasion used by cybercrime gangs"


GitHub Supply Chain Attack Origin Traced to Leaked SpotBugs Token


The complex GitHub Actions supply chain attack that ultimately targeted Coinbase in March 2025 has been traced back to a single leaked Personal Access Token (PAT) from the SpotBugs project in late 2024.

Palo Alto Networks' Unit 42 researchers uncovered the initial steps:

  1. Late Nov 2024: A SpotBugs maintainer inadvertently included their PAT in a CI workflow.
  2. 6 Dec 2024: An attacker exploited a vulnerable 'pull_request_target' workflow in SpotBugs via a malicious pull request (from throwaway account 'randolzflow') to steal the maintainer's PAT.
  3. 11 Mar 2025: Using the stolen PAT, the attacker invited another dummy user ('jurkaofavak') into SpotBugs. This user pushed a malicious GitHub Actions workflow that exfiltrated a second PAT belonging to a Reviewdog maintainer who also had access to SpotBugs.
  4. Post 11 Mar 2025: This second stolen PAT, having write access to 'reviewdog/action-setup', was used to override the `v1` tag, pointing it to a malicious commit. This poisoned downstream consumers like 'tj-actions/eslint-changed-files'.
  5. Mid-Mar 2025: The compromised tj-actions/changed-files action, now containing code to dump secrets from CI runner memory into the build log, was tailored to target 'coinbase/agentkit'. Coinbase's CI executed the tainted version on March 14th.

Fortunately, Coinbase detected the attempt quickly, removed the workflow, and confirmed no secrets were exposed. The attack failed to breach the cryptocurrency exchange.

This incident highlights the cascading risks in open-source dependencies and issues within the GitHub Actions ecosystem, such as tag mutability and inadequate audit logging. The attack demonstrates a high level of organisation and planning over several months by the attackers.

Organisations using any of the compromised actions (SpotBugs, Reviewdog, tj-actions) should rotate all secrets immediately and audit GitHub Actions logs (especially from March 10-14, 2025) for signs of exposed secrets. Pinning dependencies to commit hashes instead of mutable tags and carefully managing 'pull_request_target' usage are recommended mitigations for future supply chain attacks of this type.
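As an added illustration (my own code, not anything from Unit 42, SpotBugs, Reviewdog or tj-actions), here is a small Python audit that scans a workflow file for the two weaknesses the chain above hinges on: a `pull_request_target` job that checks out the pull request head while it has access to secrets, and third-party actions referenced by a mutable tag such as `@v1` rather than a full commit SHA. Both workflow texts are constructed for the example, and the 40-character SHAs in the hardened version are placeholders, not real commits of those actions; substitute the commit behind the tag you actually want.

```python
"""Audit GitHub Actions workflows for pull_request_target misuse and unpinned actions."""
import re

# Constructed example: the shape of the vulnerable SpotBugs-style workflow.
# pull_request_target runs in the base repository with its secrets, and checking
# out the PR head means a fork's code (e.g. its build script) runs with them.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - run: ./gradlew build
        env:
          MAINTAINER_TOKEN: ${{ secrets.MAINTAINER_PAT }}
"""

# Same job hardened: fork PRs run under plain pull_request (no secrets for forks),
# the token is read-only, and every third-party action is pinned to a commit SHA.
# The SHAs below are placeholders, not real commits of these actions.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # v4 (placeholder SHA)
      - uses: reviewdog/action-setup@0f1e2d3c4b5a69788796a5b4c3d2e1f001122334 # v1 (placeholder SHA)
      - run: ./gradlew build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Block-style trigger key, or the token inside a flow list such as on: [push, pull_request_target].
PR_TARGET_RE = re.compile(r"^\s*-?\s*pull_request_target\b|\[[^\]]*\bpull_request_target\b", re.M)
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text):
    """Return a list of (severity, finding) tuples for one workflow file's text."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local paths and image refs are outside this tag-mutability check
        if not SHA_RE.match(ref):
            findings.append(("medium", f"{action}@{ref} is referenced by a mutable ref, not a commit SHA"))
    uses_pr_target = bool(PR_TARGET_RE.search(text))
    if uses_pr_target and PR_HEAD_RE.search(text):
        findings.append(("high", "pull_request_target job checks out the PR head: fork code runs with base-repo secrets"))
    if uses_pr_target and SECRETS_RE.search(text):
        findings.append(("high", "pull_request_target job references secrets.*: confirm nothing from the PR can reach them"))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for severity, finding in audit_workflow(text) or [("info", "no findings")]:
            print(f"[{severity}] {finding}")
```

The check is text-based on purpose so it can run over `.github/workflows/*.yml` in a pre-commit hook without a YAML dependency. Pinning to a SHA removes the tag-override step of the attack (an attacker with write access can still push new commits, but cannot silently move what your workflow already resolves to), and replacing `pull_request_target` plus a head checkout with plain `pull_request` removes the step that leaked the first PAT.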

Bleeping Computer | "Recent GitHub supply chain attack traced to leaked SpotBugs token"


Oracle Reportedly Confirms Legacy Cloud Breach to Customers - But is Again Contradicted by the Data Leaks


Oracle has reportedly acknowledged a security breach to some customers, stating attackers accessed a "legacy environment" last used in 2017 and stole old client credentials. According to Bloomberg, Oracle informed clients the data was old and not sensitive, and that CrowdStrike and the FBI are investigating.

That said, the threat actor shared data samples with BleepingComputer purportedly from late 2024 and posted records allegedly from 2025 online, contradicting the claim that only pre-2017 data was involved.

Cybersecurity firm CybelAngel reported that Oracle told clients an attacker accessed Gen 1 (Oracle Cloud Classic) servers as early as January 2025, using a 2020 Java exploit to deploy malware and exfiltrate data (emails, hashed passwords, usernames) from the Oracle Identity Manager (IDM) database.

Despite Oracle's public denials of an "Oracle Cloud" breach, BleepingComputer previously confirmed the validity of some leaked data samples with affected companies. The distinction appears to be semantic, and largely arbitrary, focusing on the "Oracle Cloud Classic" (rebranded older services) environment rather than the current Oracle Cloud Infrastructure (OCI).

This incident comes shortly after Oracle notified customers of a separate breach at Oracle Health (formerly Cerner), impacting US healthcare organisations. In that case, attackers allegedly used compromised customer credentials to access legacy Cerner data migration servers between January and February 2025, stealing patient data. An actor named "Andrew" is reportedly extorting affected hospitals.

💡
I've said it before and I'll say it again - this is negligence and ineptitude at best, or misleading and in bad faith, at worst. Oracle have prioritised minimising liability and bad press above responsibly investigating and remediating what appears to be a much more significant breach than they're willing to admit.

They've dropped the ball at every possible turn, and - as we say here Down Under - I wouldn't trust these guys to organise a piss-up at a brewery. Neither should you.

Bleeping Computer | "Oracle reportedly confirms Oracle Cloud breach to customers"

Disaster Recovery is Much More Than Just "Do You Have Backups?"


Disaster Recovery (DR) is becoming increasingly challenging as IT environments sprawl across on-premises systems, public clouds, SaaS applications, and third-party IT-as-a-Service (ITaaS) providers. Compounding this complexity, ransomware has overtaken physical incidents like fires or floods as the leading cause of major outages.

One of the key takeaways from The Register's week of Disaster Recovery coverage is, in a nutshell, that the more homogeneous and standardised your IT environment, the easier recovery becomes. Whether running your own virtualised/containerised stack or fully embracing a single public cloud provider (potentially with a secondary region/provider for DR), consistency simplifies failover and failback.

DR-as-a-Service (DRaaS) providers like Cohesity, Rubrik, HPE Zerto, and Veeam offer solutions, but often require a degree of environmental homogeneity. Ultimately, organisations must assume they will be hit by ransomware, directly or via their supply chain, and prepare accordingly.

💡
While I don't necessarily disagree with the articles, I'd point out that there are trade-offs here - avoiding a diverse tech stack also means you're setting yourself up for "single points of failure".

This means bugs in software or updates (like the 2024 CrowdStrike outage) or vulnerabilities (e.g. the actively exploited CrushFTP RCE vulnerability we covered yesterday) will have significant impacts on your infrastructure, which you can't then mitigate by load balancing or switching to an alternate solution you already have set up.

The articles also highlight that ransomware shifts DR towards incident response, because even if certain pieces of infrastructure are left running, they may still be compromised. Recovery involves detecting threats, isolating systems, wiping/replacing hardware, reinstalling clean software, and restoring data from immutable backups, a complex process even when managing your own infrastructure. With ITaaS, you depend heavily on the provider's competence and communication during such crises.

Several high-profile incidents in healthcare serve to illustrate these risks:

  • Synnovis/NHS (June 2024): Ransomware attack on outsourced pathology provider Synnovis (SYNLAB JV) crippled services in London NHS regions.
  • Octapharma Plasma (April 2024): Attack forced temporary closure of 150+ US plasma centres.
  • OneBlood (July 2024): Ransomware hit blood supplier, disrupting supply to 350 hospitals in the US Southeast.
  • Change Healthcare (Feb 2024): Attack on the UnitedHealth Group subsidiary disrupted billions in US healthcare transactions for months.

Moreover, while incident response plans are common, they must be continuously updated and rigorously tested – not just through tabletop exercises, but through actual simulations.

Tools like Netflix's Chaos Monkey (and the broader Simian Army), AWS Fault Injection Service, Azure Chaos Studio, Litmus (for Kubernetes), and Gremlin can help simulate failures. Automation scripts for remediation are vital and must be kept current.

Constant practice, akin to military drills, builds muscle memory for when incidents occur. Knowing your network topology through up-to-date mapping is critical for detection and response, especially as dwell times shrink. Third-party penetration testing can offer valuable external perspectives, provided the feedback is actionable and prioritised.

Backups remain a cornerstone, yet a common failure point. They must be continuous, correctly configured, regularly tested for restorability, and ideally stored off-site and immutably, guarded against attackers who increasingly target them. Proper preparation, while costly, is far less expensive than scrambling during a real crisis.

The Register | "Heterogeneous stacks, ransomware, and ITaaS: A DR nightmare"

The Register | "When disaster strikes, proper preparation prevents poor performance"


Mass Scanning for Default Creds on Juniper Products Adds to Palo Alto Mystery


Security researchers have observed recent surges in scanning activity targeting devices from Juniper Networks, potentially indicating espionage, botnet building, or zero-day exploitation attempts.

Johannes Ullrich from the SANS Institute reported a spike between March 23 and 28 in scans specifically looking for the default username "t128" (password "128tRoutes") associated with Juniper's Session Smart Networking products (acquired from 128 Technology). Around 3,000 source IPs, many linked to "Mirai Type" botnets known for SSH scanning, participated.

This is in addition to the mass probing of login portals for Palo Alto Networks' PAN-OS GlobalProtect remote access products over the past 30 days, detected by GreyNoise and covered by us several days ago. Activity here peaked between March 17 and 26, involving nearly 24,000 unique IP addresses, with almost 20,000 attempts per day at its height. GreyNoise classified most activity as suspicious, but tagged 154 source IPs as malicious.

This activity resembled a 2024 espionage campaign targeting perimeter devices, attributed by Cisco Talos to Chinese state actors. Palo Alto Networks acknowledged the GreyNoise report, stating their teams are monitoring and analysing the activity and encouraging customers to run the latest PAN-OS versions. Juniper users are strongly advised to change default credentials.

The Register | "Why is someone mass-scanning Juniper and Palo Alto Networks products?"


Royal Mail and Samsung Germany Data Allegedly Stolen via Supplier


Adding to yesterday's story about the UK's Royal Mail investigating a data breach stemming from their third-party partner Spectos GmbH: Hudson Rock's Alon Gal believes the same compromised credentials that likely enabled that breach may also have been used in a separate incident, in which the same actor, GHNA, claimed to have stolen 270,000 customer service tickets from Samsung Germany.

The alleged Samsung data reportedly includes customer names, addresses, hardware model numbers, payment details, and communications. Hudson Rock warns that combining address data with purchase/order history from both alleged breaches could enable criminals to identify and target owners of valuable goods for theft or fraud.

Neither Spectos nor Samsung had provided comment at the time of the original report.

The Register | "Customer info allegedly stolen from Royal Mail, Samsung via compromised supplier"

New 'Wrecksteel' Malware Targets Ukrainian State Agencies


Ukraine's Computer Emergency Response Team (CERT-UA) reported at least three cyberattacks in March targeting government agencies and critical infrastructure using previously unseen malware dubbed 'Wrecksteel'.

The attacks, attributed to a group tracked as UAC-0219, employed phishing emails containing links to public file-sharing services (DropMeFiles, Google Drive). Clicking the links executed a PowerShell script that deployed Wrecksteel. The malware is designed for cyberespionage, capable of exfiltrating various document types (text, PDF, images, presentations) and taking screenshots of infected machines.

CERT-UA indicates this campaign has been active since at least mid-late 2024. One phishing lure falsely claimed impending salary cuts at a government agency, linking to the malicious payload disguised as an employee list.

While CERT-UA didn't formally attribute the attacks to a specific nation, such phishing campaigns against Ukrainian state entities are frequently linked to Russia.

This follows recent reports of the Russian-backed Gamaredon group using malicious documents referencing troop movements, and a disruptive cyberattack last week against Ukraine's state railway operator, Ukrzaliznytsia, which involved custom malware and was labelled an "act of terrorism" by Ukrainian officials.

The Record | "Hackers target Ukrainian state agencies, critical infrastructure with new ‘Wrecksteel’ malware"


State Bar of Texas Hit by INC Ransomware


The State Bar of Texas, the second-largest bar association in the US, has confirmed a data breach after the INC ransomware group claimed responsibility for an attack.

In data breach notifications filed with state attorneys general, the organisation stated that unauthorised access to its network occurred between 28 January and 9 February 2025, with the breach discovered on 12 February. The attackers were able to exfiltrate certain information, including full names and other unspecified data (redacted in public notices).

The INC ransomware gang added the State Bar of Texas to its dark web leak site on 9 March 2025, subsequently publishing samples of allegedly stolen files, including legal case documents. The authenticity of these leaked files has not been independently verified.

The State Bar is offering affected individuals free credit and identity theft monitoring through Experian, recommending enrollment by 31 July 2025. They also advise considering credit freezes or fraud alerts.

Bleeping Computer | "Texas State Bar warns of data breach after INC ransomware claims attack"


US House Leaders Push Back on CISA Cuts, Plan Expanded Role


Leaders of the US House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection have criticised recent personnel cuts at the Cybersecurity and Infrastructure Security Agency (CISA) under the Trump administration.

Subcommittee Chairman Rep. Andrew Garbarino (R-NY) expressed dissatisfaction with the cuts, including the firing of probationary employees, stating that while efficiency savings are possible, "in some places when trying to cut the fat, they cut the bone, and we need to fix that." Garbarino advocates for CISA taking on a broader federal cyber role, rather than responsibilities being fragmented across agencies like the EPA.

His legislative priorities include reauthorising the 2015 Cybersecurity Information Sharing Act (CISA), potentially carving out a specific role for the agency within it, and renewing the state and local cyber grant program, possibly for 10 years, with continued CISA involvement. Despite the cuts, Garbarino sees the nomination of Sean Plankey to lead CISA as a positive sign.

Rep. Eric Swalwell (D-CA), the ranking Democrat on the panel, called the personnel cuts "schizophrenic" and inefficient, noting that many employees are on paid leave while seeking other jobs. Swalwell aims to advance legislation to formally codify the CISA-housed Joint Cyber Defense Collaborative (JCDC) into law.

Both representatives acknowledged the political challenges, particularly potential opposition from Sen. Rand Paul (R-Ky.), the new chair of the Senate Homeland Security Committee, who has been critical of CISA. However, they expressed hope that bipartisan support and education efforts regarding CISA's role, including its controversial work on disinformation, could overcome these hurdles.

CyberScoop | "Don’t cut CISA personnel, House panel leaders say, as they plan legislation giving the agency more to do"


US Cyber Command Touts AI-Driven Network Monitoring Gains


US Cyber Command (Cybercom) is seeing significant benefits from integrating Artificial Intelligence (AI) into its operations, particularly in cybersecurity and network monitoring.

Morgan Adamski, Cybercom's Executive Director, stated that generative AI tools have drastically reduced the time needed to analyse network traffic and code for malicious activity, cutting processes that previously took hours, days, or weeks down to minutes and hours.

This progress stems from an AI roadmap established last year, with an AI task force within the Cyber National Mission Force running 90-day development "sprints" to integrate Large Language Models (LLMs) and other AI tech. Successful tools are then considered for broader deployment.

A key initiative is 'Constellation', a partnership with the Defense Advanced Research Projects Agency (DARPA), which helps expedite the deployment of AI capabilities. One such capability involves continuous monitoring of the massive DoD Information Network (DoDIN). Adamski explained:

"Essentially allows us to put it in specific places within DoDIN that essentially has indicators from what we know our adversaries are using... We can monitor the traffic that’s going through that specific choke point, and then we’ve been able to determine and identify malicious activity that we haven’t seen before." - Morgan Adamski, Executive Director, US Cyber Command

The success of pilot projects like Army Cyber Command's 'Panoptic Junction', which uses AI for network traffic monitoring, compliance checks, and threat detection, has prompted Cybercom to look at expanding such capabilities across the entire DoDIN.

CyberScoop | "Cyber Command touts AI-driven gains in cybersecurity, network monitoring"


Genetic Data Platform openSNP to Shutter Over Privacy Fears


The open-source genetic and phenotypic data sharing platform, openSNP, is set to close down on 30 April 2025. All user-submitted data will be deleted due to growing concerns over data privacy and the potential for misuse, particularly by authoritarian governments.

Co-founder Bastian Greshake Tzovaras announced the decision, highlighting how the landscape around personal genomics data has changed dramatically over the past 14 years. Originally launched to democratise access to genetic data, breaking the hold of commercial firms like 23andMe, the platform became a significant repository for research and education.

However, the recent bankruptcy of 23andMe has stemmed the flow of new data. More critically, Tzovaras expressed concerns about the increasing aggressiveness of forensic firms, law enforcement, and governments seeking access to such data, often based on questionable scientific grounds.

"The risk/benefit calculus of providing free & open access to individual genetic data in 2025 is very different compared to 14 years ago... sunsetting openSNP – along with deleting the data stored within it – feels like it is the most responsible act of stewardship for these data today." - Bastian Greshake Tzovaras, openSNP Co-founder

Users wishing to retain copies of data have until the shutdown date to download it. While existing downloaded copies will persist, removing the central public repository aims to reduce discoverability and scraping.

Bleeping Computer | "Genetic data site openSNP to close and delete data over privacy concerns"


Opalsec is a reader-supported publication. To receive new posts and support my work, please consider becoming a paid subscriber!