Contents

01. News Bites
  • Ivanti warns of active exploitation of critical security flaw
  • Atos denies system breach after Space Bears ransomware claims
  • New Mirai-based botnet targets industrial routers and smart home devices
  • GorillaBot: New Mirai-inspired botnet targets global sectors
  • Attackers are trying to exploit critical KerioControl vulnerability CVE-2024-52875
02. Conclusion

Quick News Bites

Ivanti warns of active exploitation of critical security flaw

Ivanti has issued a warning regarding the active exploitation of a critical vulnerability (CVE-2025-0282, CVSS score: 9.0) in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways. The flaw, a stack-based buffer overflow, allows unauthenticated remote code execution and affects versions prior to 22.7R2.5.

Security firm Mandiant attributes the attacks to a China-linked threat actor, UNC5337, highlighting the use of previously undocumented malware, DRYHOOK and PHASEJAM, as part of the SPAWN malware ecosystem. The attackers disabled SELinux, modified logs, deployed web shells, and executed scripts to maintain persistence.

Ivanti has patched the vulnerability and urges immediate updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to its Known Exploited Vulnerabilities list, with a compliance deadline set for 15 January 2025. Organisations are advised to scan for indicators of compromise and report any suspicious activity.

Atos denies system breach after Space Bears ransomware claims

French IT services giant Atos has denied that its systems were compromised after the ransomware group Space Bears claimed to have stolen a “company database.”

Atos confirmed it investigated the claims and found “no evidence of any compromise or ransomware affecting any Atos/Eviden systems globally,” with no ransom demand received. However, the company acknowledged that data mentioning its name was obtained from an external third-party system unconnected to its infrastructure.

The Space Bears group, active since spring 2024, lists over 40 victims on its dark web leak site and is threatening to release the alleged Atos data. This follows previous incidents involving Atos, including claims by BlackBasta and Cl0p ransomware groups in 2024 and 2023, respectively.

Atos reassured customers that its proprietary data, source code, and IP remain secure and highlighted its ongoing commitment to robust cyber defences.

New Mirai-based botnet targets industrial routers and smart home devices

A Mirai-based botnet is rapidly evolving, using zero-day exploits to target vulnerabilities in industrial routers and smart home devices. Discovered in early 2024, the botnet currently controls 15,000 daily active nodes, primarily in China, the US, Russia, Turkey, and Iran.

Qi'anxin XLab researchers revealed the botnet began exploiting unknown vulnerabilities in November 2024, including CVE-2024-12856, a flaw in Four-Faith industrial routers identified in December. It also targets Neterbit routers and Vimar smart home devices.

The botnet’s primary goal is launching distributed denial-of-service (DDoS) attacks, often exceeding 100 Gbps, causing significant disruption. Despite the short duration (10–30 seconds) of its attacks, the intensity makes it effective against even robust infrastructures.

To mitigate risks, users are urged to update device firmware, disable unnecessary remote access, and change default admin credentials. The botnet’s global reach highlights the critical need for improved IoT security measures.

GorillaBot: New Mirai-inspired botnet targets global sectors

Cyber security firm NSFOCUS has uncovered a new botnet malware family, Gorilla (aka GorillaBot), built on the leaked Mirai botnet source code. Between 4 and 27 September 2024, the botnet issued over 300,000 attack commands, averaging 20,000 distributed denial-of-service (DDoS) attacks daily.

GorillaBot has targeted universities, government websites, telecoms, banks, and gaming sectors in over 100 countries, with China, the US, Canada, and Germany facing the most attacks. The botnet uses various DDoS methods, including UDP, SYN, and ACK floods, leveraging UDP spoofing to amplify attacks.

Capable of operating across multiple CPU architectures, GorillaBot also exploits a known Apache Hadoop YARN flaw for remote code execution. Persistence is maintained via systemd services and modified startup files.

NSFOCUS notes the botnet’s sophisticated encryption methods and evasion tactics, linking them to the Keksec group. However, security researchers suggest GorillaBot has been active for over a year.

Attackers are trying to exploit critical KerioControl vulnerability CVE-2024-52875

Hackers are exploiting CVE-2024-52875, a critical CRLF injection vulnerability in GFI KerioControl firewalls that enables 1-click remote code execution (RCE). The flaw, disclosed by security researcher Egidio Romano in December 2024, affects versions 9.2.5 to 9.4.5 and stems from improper sanitisation of the ‘dest’ parameter, allowing malicious payloads in HTTP responses.

Attackers can inject JavaScript to extract cookies or CSRF tokens from victim browsers. Using an authenticated admin’s CSRF token, they can upload a malicious .IMG file to gain root-level access via Kerio’s upgrade function, opening a reverse shell.

GreyNoise has detected active exploitation attempts from multiple IP addresses, while Censys reports over 23,000 internet-exposed KerioControl instances. GFI Software has issued a patch (9.4.5 Patch 1), urging immediate updates.

Admins unable to patch should restrict web interface access to trusted IPs, disable public access to ‘/admin’, and monitor the ‘dest’ parameter for anomalies.
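One way to operationalise the two interim mitigations above (monitoring the ‘dest’ parameter and watching for ‘/admin’ access from outside a trusted range) is to run a small check over the firewall's web access log. This is an added example, not GFI's or the researcher's code; the login path, addresses and trusted network in it are constructed assumptions, and only the ‘dest’ parameter name and ‘/admin’ path come from the advisory.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format). The '/login' path,
# timestamps and IP addresses are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:09:12:01 +0000] "GET /login?dest=%2Fadmin%2F HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2025:09:12:07 +0000] "GET /login?dest=%0d%0aX-Injected:%201 HTTP/1.1" 302 0
198.51.100.9 - - [10/Jan/2025:09:13:44 +0000] "GET /admin/ HTTP/1.1" 200 4096
10.0.0.5 - - [10/Jan/2025:09:14:02 +0000] "GET /admin/ HTTP/1.1" 200 4096
"""

TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed management range

# client IP, method, request target and status code from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def has_crlf(value: str) -> bool:
    """True if a parameter value carries a raw, encoded or double-encoded CR/LF."""
    for _ in range(2):  # decode twice so %250d%250a-style double encoding is caught
        if "\r" in value or "\n" in value:
            return True
        value = unquote(value)
    return "\r" in value or "\n" in value


def review_log(log_text: str, trusted_nets=TRUSTED_NETS) -> list:
    """Return (finding, source_ip, request_target) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole run
        src, _method, target, _status = m.groups()
        parts = urlsplit(target)
        # parse_qs percent-decodes once; has_crlf handles a second layer of encoding
        for dest in parse_qs(parts.query, keep_blank_values=True).get("dest", []):
            if has_crlf(dest):
                findings.append(("crlf_in_dest", src, target))
        if parts.path.startswith("/admin"):
            if not any(ip_address(src) in net for net in trusted_nets):
                findings.append(("admin_from_untrusted_ip", src, target))
    return findings


if __name__ == "__main__":
    for kind, src, target in review_log(SAMPLE_LOG):
        print(f"{kind:25} {src:15} {target}")
```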

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.