The Monthly Intelligence Insights report for November 2024 by Securonix Threat Labs highlights critical cybersecurity threats, incidents, and responses, including notable breaches involving Cyberhaven and the exploitation of Ivanti vulnerabilities. Organizations are urged to enhance their security measures, such as updating software and implementing more vigilant monitoring systems. Affected: Cyberhaven, Ivanti, healthcare, finance, national security, government, energy, telecommunications, defense, engineering
Key points:
- Securonix identified 1,892 TTPs and IoCs, 121 emerging threats, and investigated 91 potential threats in November 2024.
- Cyberhaven suffered a breach due to a phishing attack leading to a malicious browser extension publication.
- The compromised extension exfiltrated sensitive data to a command-and-control domain.
- Organizations using Cyberhaven DLP solutions are urged to update to version 24.10.5+ to mitigate risks.
- Ivanti vulnerabilities CVE-2025-0282 and CVE-2025-0283 allow for remote code execution and privilege escalation.
- Threat actors are using advanced social engineering and custom malware, particularly in ransomware attacks, targeting high-value sectors.
- Ransomware groups FunkSec, Nnice, HellCat, and Morpheus are becoming increasingly sophisticated in their tactics.
- It is essential to implement robust email filtering and continuous monitoring for signs of compromise across all endpoints.
MITRE Techniques:
- Phishing (T1566) – Used to compromise Cyberhaven’s Chrome Web Store administrative account.
- Data Exfiltration Over Command and Control Channel (T1041) – Compromised data was sent to cyberhavenext[.]pro.
- Security Software Discovery (T1063) – Attackers monitored security measures through OAuth requests and permission modifications.
- Process Hollowing (T1055) – Used by FunkSec and others to execute malicious code without detection.
- Credential Dumping (T1003) – Targeted by threats like TA397 to extract sensitive information.
- Remote File Copy (T1105) – Employed by ransomware groups to deploy their payloads across systems.
Indicators of Compromise:
- [Domain] cyberhavenext[.]pro
- [IP Address] 136[.]244[.]115[.]219
- [Domain] supportchromestore[.]com
- [Domain] forextensions[.]com
- [Domain] checkpolicy[.]site
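The indicators above are published defanged (`[.]`), so they cannot be pasted straight into a search. As an added example (not code from the Securonix report or from Cyberhaven), the script below refangs the listed IoCs and scans proxy, DNS and firewall log lines for them, handling the usual edge cases: subdomains of a listed domain count as hits, a listed domain appearing as a suffix or prefix of a longer name does not, DNS FQDN trailing dots are tolerated, and the IP must match whole. The log lines and their field layout are constructed for the example and are not telemetry from the incident.

```python
"""Refang the report's IoCs and match them against log lines.

Added example; the IoC values come from the report summary above, the log
format and sample lines are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Indicators exactly as listed in the report summary (defanged with "[.]").
REPORT_IOCS = [
    "cyberhavenext[.]pro",
    "136[.]244[.]115[.]219",
    "supportchromestore[.]com",
    "forextensions[.]com",
    "checkpolicy[.]site",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ioc_pattern(ioc: str) -> re.Pattern:
    """Build a regex for one refanged IoC.

    Domains match as the host itself or any subdomain (api.cyberhavenext.pro),
    but not as the tail of a longer label (notcyberhavenext.pro) or as a prefix
    of a longer name (cyberhavenext.pro.example). A trailing dot, as in DNS
    FQDN logging, is allowed. IPs must match whole, so 10.136.244.115.219 is
    not a hit.
    """
    esc = re.escape(ioc)
    if is_ip(ioc):
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    return re.compile(
        r"(?<![\w-])(?:[\w-]+\.)*" + esc + r"(?!\.?[\w-])", re.IGNORECASE
    )


def scan_logs(
    lines: Iterable[str], iocs: Iterable[str] = REPORT_IOCS
) -> list[tuple[int, str]]:
    """Return (line_number, ioc) for every hit; line numbers are 1-based."""
    patterns = [(refang(i), ioc_pattern(refang(i))) for i in iocs]
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for live, pat in patterns:
            if pat.search(line):
                hits.append((n, live))
    return hits


# Constructed sample log lines (not real telemetry): a proxy allow, DNS queries
# in FQDN form, a firewall connection, and two lookalike decoys that must not hit.
SAMPLE_LOGS = [
    "2024-11-21T10:02:13Z proxy src=10.0.4.17 dst=https://cyberhavenext.pro/ action=allow",
    "2024-11-21T10:02:14Z dns client=10.0.4.17 query=www.example.com. type=A",
    "2024-11-21T10:05:01Z dns client=10.0.4.17 query=cdn.forextensions.com. type=A",
    "2024-11-21T10:07:44Z fw src=10.0.4.17 dst=136.244.115.219:443 proto=tcp action=allow",
    "2024-11-21T10:08:00Z dns client=10.0.4.22 query=notcheckpolicy.site. type=A",
    "2024-11-21T10:09:30Z dns client=10.0.4.22 query=checkpolicy.siteinfo.net. type=A",
]

if __name__ == "__main__":
    for line_no, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: matched {ioc}")
```

Running the block against the constructed sample reports hits on lines 1, 3 and 4 only; the two decoys on lines 5 and 6 are correctly ignored. In practice, feed `scan_logs` the output of your proxy, DNS resolver and egress firewall exports, and treat any hit as a trigger to check the affected host for the compromised extension version and to update to the release the report recommends.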
Full Story: https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-january-2025/