CyberSecurity news

FlagThis - #unc5221

Sıla Ozeren (sila.ozeren@picussecurity.com)@Resources-2 //
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.

The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally.

Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface.

References:
  • watchTowr Labs: Watchtowr description
  • Resources-2: Who Is the China-Nexus Group UNC5221? UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023.
  • www.scworld.com: Organizations across Europe are having their Windows systems compromised with the BRICKSTORM backdoor linked to Chinese state-backed threat operation UNC5221 as part of a cyberespionage campaign that commenced three years ago, Infosecurity Magazine reports.
  • blog.criminalip.io: Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection
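The summary above notes that CVE-2025-22457 is reached through a crafted request carrying an overly long X-Forwarded-For header. The following is an added example, not code from the original post, Ivanti or Mandiant: a defender-side check that scans HTTP request records and flags X-Forwarded-For values whose length or shape no legitimate proxy chain would produce. The thresholds, the sample requests and the header-shape heuristics are constructed assumptions, not values taken from the advisory.

```python
"""Flag anomalous X-Forwarded-For headers in HTTP request records.

Added example, not code from the original post, Ivanti or Mandiant.
The length and hop-count limits below are assumptions for illustration;
tune them to the longest chain your own edge topology can produce.
"""
import ipaddress

MAX_XFF_LEN = 256   # assumption: real proxy chains are a few hundred bytes at most
MAX_XFF_HOPS = 10   # assumption: more than ten forwarding hops is not plausible

# Constructed sample requests using RFC 5737 documentation addresses.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/login",
     "headers": {"X-Forwarded-For": "198.51.100.7"}},
    {"src": "203.0.113.11", "path": "/",
     "headers": {"x-forwarded-for": "198.51.100.7, 10.0.0.5, unknown"}},
    {"src": "203.0.113.12", "path": "/",
     "headers": {"X-Forwarded-For": "A" * 600}},                      # overlong junk
    {"src": "203.0.113.13", "path": "/",
     "headers": {"X-Forwarded-For": ", ".join(["192.0.2.1"] * 40)}},  # absurd hop count
    {"src": "203.0.113.14", "path": "/", "headers": {}},              # no header at all
]


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def check_xff(value):
    """Return the list of reasons an X-Forwarded-For value looks anomalous.

    An empty list means the value is within the configured envelope.
    """
    reasons = []
    if len(value) > MAX_XFF_LEN:
        reasons.append(f"length {len(value)} > {MAX_XFF_LEN}")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    if len(hops) > MAX_XFF_HOPS:
        reasons.append(f"{len(hops)} hops > {MAX_XFF_HOPS}")
    bad = []
    for hop in hops:
        if hop.lower() == "unknown":   # conventional placeholder for a hidden hop
            continue
        try:
            ipaddress.ip_address(hop)  # accepts both IPv4 and IPv6 literals
        except ValueError:
            bad.append(hop[:16])
    if bad:
        reasons.append(f"non-IP entries: {bad[:3]}")
    return reasons


def scan(requests):
    """Return (source IP, reasons) for every request with a suspicious header."""
    findings = []
    for req in requests:
        xff = get_header(req["headers"], "X-Forwarded-For")
        if xff is None:
            continue
        reasons = check_xff(xff)
        if reasons:
            findings.append((req["src"], reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(f"{src}: {'; '.join(reasons)}")
```

Run against the constructed records, only the two malformed requests are reported. A check like this belongs at the reverse proxy or WAF in front of the appliance; it is a compensating detection, not a substitute for the patch, and deployments that pass bracketed IPv6 addresses with ports will need the parser extended.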

Veronika Telychko@SOC Prime Blog //
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of ongoing cyberattacks targeting Ukrainian state administration bodies and critical infrastructure. These attacks, attributed to the hacking group UAC-0219, have been ongoing since late 2024 and involve the use of the WRECKSTEEL PowerShell stealer to harvest data from infected computers. The attackers are distributing malware via phishing emails containing links to file-sharing platforms such as DropMeFiles and Google Drive, often disguised as research invitations or important documents like employee lists.

The multi-stage infection process begins with victims unknowingly downloading a VBScript loader from these links. Once executed, the loader deploys a PowerShell script that searches for and exfiltrates sensitive files, including documents, spreadsheets, presentations, and images. CERT-UA's analysis indicates that UAC-0219 has been refining its techniques over time. Indicators of compromise (IOCs) have been shared publicly to aid detection efforts, and CERT-UA urges organizations to remain vigilant and report any signs of compromise immediately.

References:
  • Cyber Security News: UAC-0219 Hackers Use WRECKSTEEL PowerShell Stealer to Harvest Data from Infected Computers
  • Cyber Security News: UAC-0219 Hackers Using PowerShell Stealer WRECKSTEEL to Steal Information from Computers
  • SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL
  • The Hacker News: Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • The Hacker News: The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate
  • gbhackers.com: In a concerning development, CERT-UA, Ukraine’s Computer Emergency Response Team, has reported a series of cyberattacks attributed to the hacker group identified as UAC-0219. These attacks, which have been ongoing since the fall of 2024, utilize an advanced PowerShell-based malware tool named WRECKSTEEL to infiltrate computers and extract sensitive data.
  • securityaffairs.com: Discussion of the UAC-0219 attacks against Ukrainian state entities and critical infrastructure.
  • cert.europa.eu: CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.
  • Matthias Schulze: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • SOC Prime Blog: Gamaredon Campaign Detection: russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor
  • www.scworld.com: Ukraine subjected to new cyberespionage campaign
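The infection chain described above (a VBScript loader that then launches a PowerShell stealer) yields a simple process-lineage hunt. The following is an added example, not code from CERT-UA or SOC Prime: it classifies constructed process-creation events and reports PowerShell launched by a Windows script host. The event records are constructed and mimic generic process-creation log fields; the assumption that the VBScript loader executes under wscript.exe or cscript.exe is mine, since the page names VBScript but not the host binary, and the list of command-line switches that raise severity is also an assumption.

```python
"""Hunt for PowerShell spawned by a Windows script host (wscript.exe/cscript.exe).

Added example, not code from CERT-UA or SOC Prime. Events are constructed and
use Sysmon Event ID 1 style field names; the parent/child pairing and the
switch list are assumptions drawn from the summary, not published IOCs.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumption: these switches are the ones most often paired with downloaded
# loaders. Their presence raises severity; their absence does not clear the event.
SUSPICIOUS_SWITCHES = re.compile(
    r"(?<![\w-])-(?:enc(?:odedcommand)?|nop(?:rofile)?|ep\s+bypass|"
    r"executionpolicy\s+bypass|w(?:indowstyle)?\s+hidden)\b",
    re.IGNORECASE,
)

EVENTS = [  # constructed sample events
    {"ts": "2025-04-03T09:12:01Z", "host": "ws-17",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\employee_list.vbs"'},
    {"ts": "2025-04-03T09:12:02Z", "host": "ws-17",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"ts": "2025-04-03T09:15:40Z", "host": "ws-22",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": r"pwsh.exe -File C:\Scripts\collect.ps1"},
    {"ts": "2025-04-03T09:20:00Z", "host": "ws-22",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image_path).name.lower()


def classify(event):
    """Return a finding for script-host -> PowerShell lineage, else None."""
    if basename(event["image"]) not in POWERSHELL:
        return None
    if basename(event["parent_image"]) not in SCRIPT_HOSTS:
        return None
    switches = sorted({m.lower() for m in SUSPICIOUS_SWITCHES.findall(event["cmdline"])})
    return {
        "ts": event["ts"],
        "host": event["host"],
        "parent": basename(event["parent_image"]),
        "severity": "high" if switches else "medium",
        "switches": switches,
    }


def hunt(events):
    """Apply classify() to every event and keep the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The benign explorer.exe-launched PowerShell job is ignored, while both script-host children are reported, the encoded-and-hidden one at higher severity. In a real environment the same lineage logic maps onto a SIEM query over Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.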

Rescana@Rescana //
CISA has issued an urgent warning regarding a critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP, a widely-used file transfer server solution. The agency has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is actively being exploited in the wild. This flaw allows attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to vulnerable CrushFTP servers, posing significant risks to both government agencies and private organizations. Federal cybersecurity officials are urging immediate action to mitigate the threat.

The vulnerability, which affects CrushFTP server versions before 10.8.4 and 11.3.1, stems from improper validation of authentication tokens in the CrushFTP login process. An attacker can manipulate HTTP request parameters to gain unauthorized administrative access. CISA’s advisory highlights that exploitation could lead to a full system compromise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by April 28, 2025, emphasizing the severity of the risk.

CISA strongly encourages all organizations, including private sector entities and state governments, to prioritize patching CVE-2025-31161 and adopt similar vulnerability management strategies. To mitigate the risk, organizations using CrushFTP should immediately apply available patches or updates issued by the software's developers. Additionally, reviewing system logs for any unusual activity is advised. The Cybersecurity and Infrastructure Security Agency emphasizes that this authentication bypass vulnerability represents a severe security risk, potentially allowing complete compromise of affected CrushFTP servers, and has observed sophisticated threat actors actively exploiting it to establish persistent access to critical systems.

References:
  • Cyber Security News: CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
  • thecyberexpress.com: CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication
  • The Hacker News: CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
  • ciso2ciso.com: CISA Warns of CrushFTP Vulnerability Exploitation in the Wild – Source: www.infosecurity-magazine.com
  • cyberpress.org: CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
  • gbhackers.com: CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability
  • fortiguard.fortinet.com: FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software.
  • www.scworld.com: Attacks involving critical CrushFTP vulnerability target several sectors
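The advisory summary gives two fixed releases, 10.8.4 for the 10.x branch and 11.3.1 for the 11.x branch. The following is an added example, not code from CISA or CrushFTP: a branch-aware version comparison that triages a constructed asset inventory into vulnerable, patched and needs-review hosts. Only the two fixed versions come from the page; the inventory data is constructed, and the assumed version-string format (dotted integers with an optional build suffix) and the treatment of branches the summary does not mention are my assumptions.

```python
"""Triage CrushFTP hosts against the fixed versions named in the advisory summary.

Added example, not code from CISA or CrushFTP. The fixed versions 10.8.4 and
11.3.1 are from the page; the version-string format is an assumption, and
branches the summary does not cover are routed to manual review.
"""
import re

# Branch -> first fixed release (from the advisory summary above).
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}

INVENTORY = [  # constructed sample inventory
    ("mft-01.example.internal", "10.8.3"),
    ("mft-02.example.internal", "10.8.4"),
    ("mft-03.example.internal", "11.3.0_12"),   # assumed build suffix format
    ("mft-04.example.internal", "11.3.1"),
    ("mft-05.example.internal", "11.2.9"),
    ("legacy.example.internal", "9.5.2"),
]


def parse_version(text):
    """Parse 'major.minor.patch' (optional leading 'v', trailing build suffix)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if below the branch's fixed release, False if at or above it,
    None if the branch is not covered by the advisory summary."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed   # tuple comparison handles e.g. 10.9.0 > 10.8.4 correctly


def triage(inventory):
    """Bucket (host, version) pairs into vulnerable / patched / review."""
    buckets = {"vulnerable": [], "patched": [], "review": []}
    for host, version in inventory:
        try:
            status = is_vulnerable(version)
        except ValueError:
            status = None
        key = "review" if status is None else ("vulnerable" if status else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts on a branch the summary does not name (the 9.x example) land in the review bucket rather than being silently marked safe, which is the conservative choice when the only inputs are the two fixed versions the advisory gives.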

do son@Daily CyberSecurity //
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.

RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

References:
  • securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
  • Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
  • bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
  • thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
  • securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
  • Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
  • It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
  • www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
  • CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
  • thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
  • Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.
  • The Register - Security: CISA spots spawn of Spawn malware targeting Ivanti flaw
  • Arctic Wolf: CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation
  • cert.europa.eu: 2025-016: Critical Vulnerability in Ivanti Products
  • securityonline.info: CVE-2025-22457: UNC5221 Exploits Ivanti Zero-Day Flaw to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • Help Net Security: Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
  • securityaffairs.com: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
  • The Register - Security: Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
  • www.bleepingcomputer.com: Ivanti patches Connect Secure zero-day exploited since mid-March
  • BleepingComputer: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • Threats | CyberScoop: China-backed espionage group hits Ivanti customers again
  • www.scworld.com: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat
  • The Hacker News: Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • bsky.app: Mandiant links the exploitation of a Connect Secure vulnerability to a China-linked APT (UNC5221).
  • bsky.app: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • research.kudelskisecurity.com: CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
  • Arctic Wolf: Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways
  • Vulnerable U: The vulnerability affects many versions of Ivanti appliances and is being exploited by a Chinese actor
  • darkwebinformer.com: CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)