July 31, 2025
Heroes, Good morning. On this Thursday, we are tracking a critical remote code execution vulnerability in a popular enterprise gateway and a new sophisticated phishing campaign targeting corporate credentials.
Date & Time: 2025-07-31 09:00:00 UTC
Summary & Significance: Ivanti has issued an urgent warning about a critical remote code execution vulnerability (CVE-2024-22052) in its Sentry gateway product. The flaw is being actively exploited in the wild as a zero-day. Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system, providing a direct entry point into corporate networks. Given Ivanti's prevalence in enterprise environments, immediate patching and hunting for signs of compromise are critical.
CVEs: CVE-2024-22052
Source: BleepingComputer
Date & Time: 2025-07-31 12:30:00 UTC
Summary & Significance: A sophisticated phishing-as-a-service (PhaaS) platform known as 'Tycoon 2FA' is enabling widespread attacks against corporate Microsoft 365 and Google Workspace accounts. The kit is notable for defeating one-time-code and push-based multi-factor authentication (MFA): it acts as an adversary-in-the-middle (AiTM) reverse proxy, relaying the victim's real login and MFA response to the legitimate provider and capturing the resulting session cookie, which the attacker then replays to access the account without ever seeing an MFA prompt. This lowers the barrier to entry for attackers and poses a significant threat to organizations that treat phishable MFA as their primary defense. Phishing-resistant methods such as FIDO2 security keys bind the credential to the legitimate origin and are not defeated by this technique, and revoking active sessions when a replay is suspected removes the stolen cookie's value.
Source: The Hacker News
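A hunt for the cookie-replay pattern this kind of kit leaves behind, added here as an example and not taken from the original article or from any Tycoon 2FA reporting: it groups sign-ins by session identifier and flags any session whose token is later presented from a different IP address and a different client than the MFA-satisfied sign-in that created it. The field names (time, user, session_id, ip, user_agent, mfa) and every log entry below are constructed for the example; map them to your identity provider's sign-in export, which will name the session and MFA fields differently.

```python
"""Hunt for AiTM session-cookie replay in identity-provider sign-in logs.

An AiTM proxy lets the victim complete MFA against the real identity provider
and captures the resulting session cookie. The replay shows up in the logs as
the same session identifier being presented from a second network location and
a different client shortly after the MFA-satisfied sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events for this example (not real log data).
# The field names are assumptions; map them to your provider's export.
SAMPLE_EVENTS = [
    # Victim signs in through the phishing proxy (MFA satisfied), then the stolen
    # cookie is replayed from attacker infrastructure with a scripted client.
    {"time": "2025-07-31T08:01:10Z", "user": "alice@example.com", "session_id": "s-1111",
     "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126", "mfa": True},
    {"time": "2025-07-31T08:03:42Z", "user": "alice@example.com", "session_id": "s-1111",
     "ip": "198.51.100.77", "user_agent": "python-requests/2.32", "mfa": False},
    # Benign: repeated non-interactive sign-ins from the same device.
    {"time": "2025-07-31T08:10:00Z", "user": "bob@example.com", "session_id": "s-2222",
     "ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": True},
    {"time": "2025-07-31T09:30:00Z", "user": "bob@example.com", "session_id": "s-2222",
     "ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": False},
    # Benign: a phone moving from Wi-Fi to mobile data (IP changes, client does not).
    {"time": "2025-07-31T08:20:00Z", "user": "carol@example.com", "session_id": "s-3333",
     "ip": "203.0.113.30", "user_agent": "Mozilla/5.0 (iPhone) Safari/604", "mfa": True},
    {"time": "2025-07-31T08:25:00Z", "user": "carol@example.com", "session_id": "s-3333",
     "ip": "192.0.2.55", "user_agent": "Mozilla/5.0 (iPhone) Safari/604", "mfa": False},
    # Replay 30 hours after capture: outside the default window, caught with a wider one.
    {"time": "2025-07-30T10:00:00Z", "user": "dave@example.com", "session_id": "s-4444",
     "ip": "203.0.113.40", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/126", "mfa": True},
    {"time": "2025-07-31T16:00:00Z", "user": "dave@example.com", "session_id": "s-4444",
     "ip": "198.51.100.9", "user_agent": "curl/8.8.0", "mfa": False},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(events, window_hours=24):
    """Return one finding per session whose cookie is later presented from a
    different IP address *and* a different user agent than the MFA-satisfied
    sign-in that created it, within `window_hours` of that sign-in.

    Requiring both attributes to change suppresses the common benign case of a
    device changing networks; widen the window if your session lifetime is long.
    """
    window = timedelta(hours=window_hours)
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["time"]))
        # The first MFA-satisfied sign-in is the moment a proxy would have
        # captured the cookie; sessions without one are out of scope here.
        anchor = next((e for e in session_events if e["mfa"]), None)
        if anchor is None:
            continue
        t0 = parse_ts(anchor["time"])
        for event in session_events:
            t = parse_ts(event["time"])
            if t <= t0 or t - t0 > window:
                continue
            if event["ip"] != anchor["ip"] and event["user_agent"] != anchor["user_agent"]:
                findings.append({
                    "user": anchor["user"],
                    "session_id": session_id,
                    "mfa_ip": anchor["ip"],
                    "replay_ip": event["ip"],
                    "replay_user_agent": event["user_agent"],
                    "minutes_after_mfa": round((t - t0).total_seconds() / 60, 1),
                })
                break  # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(f"{finding['user']}: session {finding['session_id']} replayed from "
              f"{finding['replay_ip']} ({finding['replay_user_agent']}) "
              f"{finding['minutes_after_mfa']} min after MFA from {finding['mfa_ip']}")
```

Run as-is, the script reports only alice's session; dave's 30-hour-later replay appears once the window is widened to 72 hours, which is the trade-off to tune against your tenant's session lifetime. A hit should drive session revocation and a password reset, not just a ticket.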
Date & Time: 2025-07-30 17:00:00 UTC
Summary & Significance: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The flaws affect D-Link's DIR-867 routers and SAP's NetWeaver AS for Java. Federal agencies are required to patch these vulnerabilities by mid-August, and private sector organizations are strongly encouraged to do the same. The inclusion in the KEV catalog highlights these as priority issues for patch management programs.
Source: SecurityWeek
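A small prioritisation pass over the KEV catalog, added here as an example and not part of the original item or of any CISA tooling: it indexes the catalog by CVE ID, joins it to scanner output, and orders the matches overdue-first, then by known ransomware use, then by days remaining until the due date. The live catalog is the JSON feed linked in the code; the catalog document and the inventory embedded below are constructed stand-ins so the example runs offline, and their CVE IDs deliberately use an impossible year so they cannot be mistaken for real entries.

```python
"""Rank open vulnerabilities by CISA KEV status and remediation due date.

Any CVE in the KEV catalog is known to be exploited, so it outranks everything
else the scanner reports; within KEV, overdue items and those tied to ransomware
campaigns come first, then the soonest due date.
"""
import json
from datetime import date

# Live catalog. Fetch it with your usual tooling and pass the JSON text to load_kev().
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed, KEV-shaped sample so the example runs offline. The CVE IDs use an
# impossible year (0000) and the vendors are placeholders: none are real entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.07.30",
    "dateReleased": "2025-07-30T17:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleNet", "product": "Branch Router",
         "vulnerabilityName": "ExampleNet Branch Router Command Injection Vulnerability",
         "dateAdded": "2025-07-30", "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2025-08-13", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleSoft", "product": "ERP Server",
         "vulnerabilityName": "ExampleSoft ERP Server Deserialization Vulnerability",
         "dateAdded": "2025-06-01", "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-06-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-1003", "vendorProject": "ExampleSoft", "product": "Mail Gateway",
         "vulnerabilityName": "ExampleSoft Mail Gateway Authentication Bypass Vulnerability",
         "dateAdded": "2025-07-30", "shortDescription": "Constructed sample entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-08-20", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner output: asset -> open CVE IDs (CVE-0000-9999 is not in KEV).
SAMPLE_INVENTORY = {
    "edge-router-01": ["CVE-0000-1001", "CVE-0000-9999"],
    "erp-app-02": ["CVE-0000-1002"],
    "build-agent-03": ["CVE-0000-9999"],
}


def load_kev(raw_json):
    """Index the catalog by CVE ID. The live feed uses these same top-level and entry keys."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritise(inventory, kev, today):
    """Return (kev_findings, non_kev_count) for an inventory of asset -> CVE list.

    `today` is an ISO date string. Findings are sorted overdue first, then known
    ransomware use, then by days remaining until the catalog's due date.
    """
    today = date.fromisoformat(today)
    findings, non_kev = [], 0
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                non_kev += 1  # not known-exploited: leave it to the regular patch cycle
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset,
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # False sorts before True, so overdue (days_left < 0) and ransomware rows lead.
    findings.sort(key=lambda f: (f["days_left"] >= 0, not f["ransomware"], f["days_left"]))
    return findings, non_kev


if __name__ == "__main__":
    ranked, others = prioritise(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2025-07-31")
    for f in ranked:
        state = f"{-f['days_left']} days OVERDUE" if f["days_left"] < 0 else f"due in {f['days_left']} days"
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['asset']:16} {f['cve']:14} {f['product']:26} {state}{flag}")
    print(f"{others} non-KEV findings deferred to the regular cycle")
```

The due dates in the real catalog are the federal deadlines; for a private-sector programme they are still the most defensible SLA to borrow, because every entry is exploited in the wild by definition.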
Date & Time: 2025-07-29 15:00:00 UTC
Summary & Significance: The United States, along with key international partners, has formally attributed a broad and ongoing cyber espionage campaign to actors affiliated with China's Ministry of State Security (MSS). The campaign, known as "Volt Typhoon," targets critical infrastructure sectors including communications, energy, and transportation. This formal attribution signals a coordinated international response and raises the alert level for organizations in these targeted sectors.
Source: Reuters
Date & Time: 2025-07-25 11:00:00 UTC
Insight: This article shifts the executive mindset from cybersecurity (prevention) to cyber resilience (the ability to operate through and recover from an attack). The key takeaway for leaders is that resilience is not just a technical function but a core business strategy. It requires integrating security into business continuity planning, conducting realistic attack simulations, and empowering teams to make decentralized decisions during a crisis. A resilient organization assumes a breach will happen and focuses on minimizing its impact.
Source: Harvard Business Review
Date & Time: 2025-07-22 14:00:00 UTC
Insight: CISOs must now act as educators and translators for the board of directors. The article argues that effective security leaders are those who can demystify complex threats and present cyber risk in the context of business objectives. Instead of presenting raw vulnerability data, the modern CISO should use threat intelligence, such as the 'Tycoon 2FA' phishing kit, to tell a compelling story about potential business impact, guiding the board toward strategic investments in areas like identity security and user training.
Source: McKinsey & Company
⚠️ DISCLAIMER: All tools, commands, and queries provided below are for reference only. Validate them in your environment before deployment, and test in a safe environment first.
Splunk SIEM Query: Hunts for shells and download utilities spawned by a process running from the Ivanti Sentry install path, a pattern consistent with post-exploitation command execution. This covers Windows hosts running Ivanti components; the Sentry appliance itself is Linux-based, so its own auditd or syslog output needs separate coverage.
# Name: Ivanti Sentry Suspicious Process Execution
# Sourcetype: Sysmon (EventCode=1) or Windows Security (EventCode=4688)
# Note: 4688 events carry the same data under different field names (New_Process_Name,
#       Creator_Process_Name, Process_Command_Line), so normalise them before filtering.
(source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval ParentImage=coalesce(ParentImage, Creator_Process_Name),
       Image=coalesce(Image, New_Process_Name),
       CommandLine=coalesce(CommandLine, Process_Command_Line)
| search ParentImage="*\\ivanti\\sentry\\*"
| search Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\curl.exe", "*\\wget.exe")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY host, ParentImage, Image, CommandLine
| convert ctime(first_seen) ctime(last_seen)
| rename host AS Endpoint, ParentImage AS ParentProcess, Image AS ChildProcess
Suricata IDS/IPS Signature: Detects network traffic patterns associated with the Tycoon 2FA phishing kit's landing pages and reverse proxy infrastructure.
# Name: ET PHISHING Tycoon 2FA Phishing Kit Landing Page
# Description: Detects URI paths and parameters commonly used by the Tycoon 2FA kit.
# Note: a transform such as dotprefix must precede the content it modifies, and a plain
#       content match on the URI gives the engine a fast pattern so the regex only runs
#       on candidate requests.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ET PHISHING Known Tycoon 2FA Phishing Kit Activity"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/auth/login?session_id="; fast_pattern; \
    pcre:"/^\/auth\/login\?session_id=[a-f0-9]{32}(?:$|&)/i"; \
    http.host; dotprefix; content:".finalstep.live"; endswith; \
    reference:url,thehackernews.com/2024/07/new-tycoon-2fa-phishing-kit-targets.html; \
    classtype:trojan-activity; \
    sid:2025073101; rev:2; \
)
This rundown should arm you for the day ahead. Thank you to all our cyber heroes for your continued vigilance. Have a great and secure Thursday!