TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: SonicWall has been advised of the possible exploitation of CVE-2025-23006. Information on real-world attacks and exploitation of the vulnerability is currently limited. It is critical that organizations deploy security patches and follow remediation guidance as soon as possible.
On January 22nd, SonicWall disclosed the existence of a critical vulnerability in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). The vulnerability is tracked as CVE-2025-23006 (CVSS: 9.8); it is a pre-authentication deserialization of untrusted data vulnerability, which in specific conditions may result in arbitrary Operating System (OS) command execution. AMC and CMC versions 12.4.3-02804 and earlier are impacted.
According to SonicWall’s release notes, “SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors”. The advisory does not provide any other details on real-world attacks involving CVE-2025-23006.
Security patches to address CVE-2025-23006 were released alongside the vulnerability disclosure. Additionally, SonicWall has recommended that all organizations restrict access to Appliance Management Consoles and Central Management Consoles to trusted sources only.
As exploitation is believed to be ongoing, it is critical that organizations apply the relevant security patches (version 12.4.3-02854 or higher) and mitigations immediately. Because CVE-2025-23006 provides unauthenticated OS command execution on an edge device, it gives adversaries an initial foothold into victim organizations and makes exposed consoles a high-value target. Restricting access to the management consoles to trusted sources sharply reduces the exposure, as a threat actor would first need to compromise a host that is permitted to reach the console before the vulnerability could be exploited.
CVE-2025-23006 was reported to SonicWall by Microsoft’s Threat Intelligence Center. While Microsoft has not shared technical details at the time of writing, it is probable that Microsoft will release additional information, including real-world attacks, in the near future.
At this time, it is probable that exploitation is limited to a single threat actor group; if Proof-of-Concept (PoC) exploit code is released, it will be adopted by additional groups, leading to widespread attacks. As security patches have been released, the threat actor group currently carrying out attacks may choose to increase activity, in an attempt to gain initial access to as many organizations as possible before vulnerable devices are remediated. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
Bottom Line: Email bombing campaigns have been observed that are linked to threat groups involved with deploying Black Basta ransomware. The attack involves sophisticated social engineering, leading to the deployment of legitimate but misused tools for persistence, before ransomware deployment.
On January 21st, Sophos X-Ops MDR released a report on two distinct ransomware campaigns abusing Microsoft Office 365 services. These campaigns, tracked as the threat clusters STAC5143 and STAC5777, employed email bombing and Teams vishing to gain access, deploy malware, and steal sensitive data from targeted organizations. Both clusters share a common playbook: email bombing (sending high volumes of spam, as many as 3,000 messages in under an hour, to overwhelm the targeted Outlook mailbox and create a sense of urgency); Teams messages and Teams voice and video calls initiated from adversary-controlled Office 365 tenants, posing as internal tech support; and Microsoft remote control tools (Quick Assist or Teams screen sharing) used to take control of the targeted device and deploy malware.
In the first campaign, STAC5143 uses Teams' built-in remote control features and executes a Java Archive (JAR) with the Java runtime to compromise the victim's computer. The attacker then deploys a Python-based backdoor extracted from a .zip file hosted on a remote SharePoint link. STAC5777, while similar in initial tactics to STAC5143, relies more on hands-on-keyboard activity. The threat actor uses Microsoft Quick Assist to establish remote access and then walks the victim through installing remote access tools to gain control of the targeted system. This cluster also drops a legitimate Microsoft updater binary that side-loads a malicious DLL to maintain persistence, steal credentials, and discover network resources. It has also been observed using RDP and Windows Remote Management for lateral movement across compromised networks. One of the incidents involved the deployment of Black Basta ransomware, confirming the threat actor's intention to deliver ransomware.
Attackers are increasingly targeting widely used enterprise software suites, exploiting the trusted nature of these platforms to bypass security defenses. The tactics employed by these two clusters highlight how adversaries are diversifying their social engineering approaches, and both campaigns demonstrate a growing level of sophistication in malware deployment. Combining these techniques with ransomware payloads indicates that these threat actors are taking a more strategic approach to compromising organizations.
The eSentire Threat Intelligence team recently identified an email bombing attack involving a Microsoft Teams call, which led to the installation of TeamViewer and a search for Quick Assist. The attack included the use of XenAllPasswordPro and PowerShell to drop a .NET DLL for suspected reverse proxy activity, as well as Active Directory domain reconnaissance. One of the key takeaways from these incidents is the critical role of cybersecurity awareness training. Educating employees about the various forms of social engineering, such as vishing, and empowering them to report suspicious activity can significantly reduce the likelihood of a successful breach. Additionally, organizations can prevent the abuse of Microsoft Teams in this context by blocking external Microsoft 365 tenants from messaging or calling their users (or allow-listing only the partner tenants that are required for legitimate business purposes). By following the principle of least privilege, organizations can also limit the potential impact of a breach; this is accomplished by restricting access to sensitive systems and resources to only those individuals who require it for their job functions.
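The following is an added example (not part of the eSentire briefing or the Sophos report) showing how the external-tenant restriction described above can be applied with the MicrosoftTeams PowerShell module. It assumes the module is installed, that Connect-MicrosoftTeams has already been run as a Teams administrator, and that the partner domain names are placeholders to be replaced with the organization's real partners.

```powershell
# Added example: restrict Microsoft Teams external access so that only an explicit
# allow list of partner tenants can message or call users, and personal (consumer)
# Teams accounts are blocked in both directions. Assumes the MicrosoftTeams module
# is installed and Connect-MicrosoftTeams has already been run as a Teams admin.
# The domains below are placeholders, not real partner tenants.

$AllowedPartnerDomains = @('partner-one.example', 'partner-two.example')  # placeholder

# 1. Capture the current federation configuration before changing anything,
#    so the change can be reviewed and rolled back if needed.
$before = Get-CsTenantFederationConfiguration
Write-Host ("Before: AllowFederatedUsers={0} AllowTeamsConsumer={1} AllowTeamsConsumerInbound={2}" -f `
    $before.AllowFederatedUsers, $before.AllowTeamsConsumer, $before.AllowTeamsConsumerInbound)

# 2. Block personal/consumer Teams accounts entirely. Vishing campaigns frequently
#    originate from accounts that are not in any business tenant.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Keep federation enabled only for the listed partner tenants. If no partner
#    needs Teams federation at all, disable it outright instead.
if ($AllowedPartnerDomains.Count -gt 0) {
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $AllowedPartnerDomains
} else {
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}

# 4. Verify the resulting state. AllowedDomains should now show an allow list
#    rather than "AllowAllKnownDomains".
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains |
    Format-List
```

Tenant federation settings can take some time to propagate, so re-check the configuration after a delay and test with a known external account before relying on the block. Organizations that cannot disable external access entirely should pair the allow list with user training, since a partner tenant can itself be compromised.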
In response to the release of this report, the eSentire Threat Intelligence team is performing Indicator-based threat hunts and is investigating new detection opportunities. eSentire MDR for Network and Endpoint have a variety of rules in place to detect activity associated with Black Basta ransomware deployment. For additional insights into how threat actors are exploiting legitimate Remote Monitoring and Management tools, the eSentire Threat Intelligence team has provided an in-depth analysis in the October eSentire TRU Intelligence Briefing webinar.
Bottom Line: North Korean threat actors are continuing to succeed in obtaining positions at American IT companies, allowing them to leverage the access to gather and exfiltrate sensitive data that can be monetized through a ransom demand.
On January 23rd, the Federal Bureau of Investigation (FBI) shared new details on recently observed Remote IT Worker campaigns, attributed to the Democratic People’s Republic of Korea (DPRK), that have impacted U.S. based organizations. Remote IT worker campaigns involve malicious actors posing as foreign workers applying for remote IT positions. Threat actors employ either false or stolen identities, in order to pose as legitimate job seekers and gain employment. Following successful employment, attackers have been identified using proxy actors, in the location of the impersonated/fake employee, to receive work assets and install remote access software. The remote workers may then complete job functions while also exfiltrating data from the organization.
According to the FBI, in recent months, North Korean actors have carried out remote IT worker campaigns against multiple U.S. organizations. These attacks have resulted in the theft of sensitive information, facilitating other cyber-criminal activity, and direct revenue generation from employee salaries.
The FBI report includes one notable update to this activity: recent attacks have adopted extortion tactics. In cases where the remote IT worker is identified as a rogue actor, they extort the victim, holding stolen data or source code for a ransom demand.
The FBI has provided recommendations for both data monitoring best practices and strengthening remote-hiring positions:
Data Monitoring:
Remote-Hiring Process:
According to a 2024 U.S. indictment, North Korean remote IT worker schemes have generated at least $88 million over the past six years. With the recent growth of remote work, especially in IT related roles, organizations need to implement improved verification steps for role candidates. Additionally, it is important to ensure that capabilities are in place to identify potential insider threats.
North Korean threat actors remain highly active, carrying out campaigns for both monetary gain and espionage purposes. Remote IT worker campaigns serve both purposes well, as access to corporate assets is directly granted to the threat actors, allowing the theft of sensitive data. Payment of salaries to North Korean workers generates funds while bypassing existing sanctions. In addition to direct payment for the role, North Korean threat actors also monetize stolen data through extortion demands. Money raised in these schemes directly funds the North Korean state, and stolen data may serve espionage goals or be employed in future campaigns.
North Korean actors have a history of job-related attacks. Another major scheme used by North Korean APT groups is dubbed Contagious Interview and involves setting up interviews for fake job positions. During these interviews, developers are instructed to download software required for the interview, which includes malware. eSentire has reported on observations of this threat in Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure and Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2.
eSentire has previously reported on North Korean remote IT worker campaigns in the November 15th and 21st Weekly Threat Briefings, as well as the June 2024 TRU Intelligence Briefing. eSentire maintains a variety of detections for North Korean Tactics, Techniques, and Procedures (TTPs), and the eSentire Threat Intelligence team continues to track related activity.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.