TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Exploit Released for Ivanti Zero-Day Vulnerabilities (CVE-2025-4427 and CVE-2025-4428)
2025/05/15
Bottom Line: Ivanti has released an advisory addressing two critical zero-day vulnerabilities within Ivanti Endpoint Manager Mobile (EPMM) which, when chained together, can lead to unauthenticated Remote Code Execution (RCE). As publicly available Proof-of-Concept exploit code and reports of exploitation exist, organizations should apply the recommended security patches as soon as possible.
On May 13th, Ivanti disclosed two zero-day vulnerabilities that impact Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, Ivanti confirmed that attacks involving exploitation of both vulnerabilities occurred prior to the release of security patches and impacted “a very limited number of customers”.
The vulnerabilities are tracked as follows:
When chained together, these two vulnerabilities would allow remote threat actors to access vulnerable EPMM instances and execute arbitrary commands without authentication. Ivanti has not shared specific details on real-world attacks but confirmed that the vulnerabilities were paired together in identified attacks.
On May 15th, researchers from watchTowr Labs released a technical report on CVE-2025-4427 and CVE-2025-4428. This report included functional Proof-of-Concept (PoC) exploit code, simplifying the attack process for other threat actors.
In response to the publication of PoC exploit code, eSentire released a public security advisory, and created new detections for the activity in eSentire MDR for Network. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable assets.
As exploitation of these vulnerabilities is ongoing and PoC exploit code is available, it is critical that organizations using Ivanti EPMM apply the relevant security patches immediately. Ivanti EPMM is used to manage enterprise mobile devices and includes the ability to connect to backend servers, change policy requirements, and install applications; as such, malicious use of the tool could impact a large number of devices, raising the criticality of the pair of vulnerabilities. Additionally, the release of PoC exploit code significantly lowers the barrier to entry for less skilled threat actors to exploit the vulnerabilities. Due to these factors, the eSentire Threat Intelligence team assesses with high confidence that CVE-2025-4427 and CVE-2025-4428 will see increased adoption by threat actors and that exploitation attempts in the wild will increase in the near term.
The vulnerability chain demonstrates how seemingly moderate-severity issues can combine to create a critical security risk. As individual vulnerabilities, neither is highly concerning. When CVE-2025-4427 and CVE-2025-4428 are paired together, threat actors can bypass authentication and execute commands, allowing for a range of malicious activities. Vulnerability and patch management services can assist organizations in quickly identifying and remediating these threats. Vulnerabilities that are confirmed to be exploited, and those in Internet-facing applications, should be prioritized for immediate remediation.
Bottom Line: ESET released a report providing details on a long-running campaign observed since 2023, attributed to the Russian state-sponsored group APT28. The campaign involved the exploitation of vulnerabilities within webmail servers, leading to the deployment of malware and theft of sensitive information.
On May 15th, ESET published a report uncovering an espionage campaign, dubbed Operation RoundPress, led by the Russia-linked espionage threat group APT28 (aka Sednit, Fancy Bear, Strontium/Forest Blizzard, Fighting Ursa, Pawn Storm, or Sofacy). The campaign has been active since 2023, exploiting Cross-Site Scripting (XSS) vulnerabilities in webmail servers. The attackers targeted high-value, vulnerable webmail servers such as Roundcube and MDaemon to exfiltrate sensitive data, including user credentials, confidential contracts, and email messages from the compromised mailbox. The campaign primarily impacted government entities and defense organizations in Eastern Europe, with some victims also observed in Africa, Europe, and South America.
APT28 has been operating since 2004 and is associated with Russian military intelligence. It is known to have engaged in cyber espionage activities serving the interests of Russia. The group is attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS), military intelligence Unit 26165.
Operation RoundPress began in 2023 with the exploitation of a known XSS vulnerability, CVE-2020-35730, impacting the Roundcube webmail server. The attackers were observed sending spear-phishing emails that contained a malicious JavaScript exploit. The operation continued in a similar fashion in 2024, exploiting XSS vulnerabilities in the webmail servers Horde, MDaemon, and Zimbra. ESET reported that the group discovered a zero-day XSS vulnerability in MDaemon, identified as CVE-2024-11182, which has since been patched. In contrast, the vulnerabilities exploited in the other servers were already publicly known. In 2024, the group also started exploiting another XSS vulnerability, CVE-2023-43770, in the Roundcube email server. For the exploit to run successfully, users were required to open the phishing email in the vulnerable webmail portal.
The campaign was observed to use different JavaScript payloads for different webmail servers, namely SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.Zimbra, and SpyPress.Roundcube. The exploits reloaded each time the victim opened the malicious email, giving the attackers persistence. The SpyPress payloads had the ability to steal webmail credentials, gather email messages and contact details from the victim's mailbox, and exfiltrate the collected data to a Command-and-Control (C2) server using HTTP POST requests. The payloads also extracted browser data, such as login history and Two-Factor Authentication (2FA) secrets.
APT28 is well known for its campaigns supporting the Russian military's interests. Some of the activities the group has been involved in include the World Anti-Doping Agency (WADA) data leak in 2016 and influence operations targeting democratic elections in the United States, France, and Germany in 2016. Amid the Russia-Ukraine war, the group has launched multiple attacks targeting Ukraine's government and military entities. Soon after the commencement of the war in February 2022, APT28 targeted the State Migration Service of Ukraine by exploiting CVE-2023-23397 impacting Microsoft Outlook. These activities highlight the group's motivation for cyber espionage and suggest ongoing efforts that are likely to continue serving the interests of its regime.
Operation RoundPress highlighted the group's preference for exploiting XSS vulnerabilities in widely used webmail servers to target entities of national significance. The expansion of targeted applications from Roundcube to multiple other webmail servers suggests that the group continued the tactic of exploiting XSS vulnerabilities because of its consistent success throughout 2023. Although the operation relied heavily on exploiting XSS vulnerabilities, APT28 has previously leveraged other flaws such as CVE-2017-6742 and CVE-2023-23397, indicating its capability to operationalize a wide range of vulnerabilities to achieve its espionage objectives.
Operation RoundPress employed spear-phishing as the initial access vector, followed by the deployment of XSS exploit payloads designed to steal sensitive data and exfiltrate it to a C2 server. Organizations are recommended to educate employees on phishing attacks and their consequences by conducting Phishing Security and Awareness Trainings (PSATs). It is essential for executive-level employees to be able to recognize and report phishing emails, as spear-phishing attacks often focus on high-ranking personnel within an organization. An effective vulnerability and patch management system is crucial for preventing the exploitation of known vulnerabilities in applications hosted within the network. Organizations should also implement robust Endpoint Detection and Response (EDR) solutions to identify threats such as information stealers and contain them before data exfiltration occurs.
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2020-35730 and CVE-2023-43770. eSentire MDR for Network has detections in place to identify malicious activities associated with CVE-2020-35730 and CVE-2023-43770.
Bottom Line: The LockBit ransomware group recently experienced a data breach that revealed confidential details about their operations, including victim negotiations and information about their administrators and affiliates. This incident could damage the group's reputation and drive affiliates toward alternative Ransomware-as-a-Service options.
LockBit is a ransomware group, operating under a Ransomware-as-a-Service (RaaS) model, which first appeared in September 2019. LockBit operators have released several updated versions of the ransomware since its release, with the latest version (LockBit 4.0) reportedly having been released in February 2025. In February 2024, LockBit was disrupted by Operation Cronos, an international law enforcement operation led by the UK's National Crime Agency (NCA) and the US's Federal Bureau of Investigation (FBI). However, LockBit was able to restore services days after the disruption.
On May 7th, 2025, a threat actor named Rey posted on their X account, providing a screenshot showing that the Dark Web data leak site for the LockBit ransomware group had been defaced. The data leak site displayed the message “Don’t do crime CRIME IS BAD xoxo from Prague” and contained a URL to an SQL database dump from LockBit's affiliate panel database. Analysis of the leaked SQL data showed that it contains 20 tables, which notably include over 59,000 unique Bitcoin addresses and a ‘chats’ table containing over 4,000 victim negotiation messages exchanged between December 2024 and April 2025. The leaked data also includes information on over 70 LockBit administrators and affiliates, plaintext passwords, and “individual builds and configurations of the LockBit ransomware code”.
Analysis of the leaked data by Qualys highlights a “consistent playbook of weaponized vulnerabilities” used by affiliates for initial access. Methods observed for initial access include exploitation of critical vulnerabilities in Citrix, Apache, Microsoft, SonicWall, Fortinet, and Ivanti edge devices, as well as the use of weak or default credentials. Qualys also noted that the negotiation chat logs revealed a “broader scope of targeted systems and tools”, with attackers targeting Veeam Backup software, VMware and vCenter servers, and abusing file transfer tools such as FileZilla and WinSCP.
On May 8th, SlowMist provided details on a statement released by LockBit operators, who claimed that while the database was stolen, no decryptors or sensitive data from victim organizations were involved. LockBit operators confirmed that they were investigating the intrusion method used by the attackers and have initiated their rebuild process. The operators have also issued a bounty, stating that they are “willing to pay” for “accurate and reliable information” on the attacker.
LockBit ransomware has been reported to be one of the most popular RaaS operations used by threat actors since its introduction to the ransomware landscape. In 2022, CISA reported that LockBit was the most active global ransomware group, and Trend Micro indicated that its popularity continued in 2023. Even after its disruption in 2024 through Operation Cronos, Cisco Talos reported LockBit as the top RaaS group in 2024, while noting that the RansomHub RaaS group was also growing in popularity. However, the recent breach of their systems may impact LockBit's reputation and affiliate trust, which may open the door for another RaaS operation to take its top spot.
eSentire’s Threat Intelligence team has reviewed recent statistics on ransomware group activity from Ransomware Live, which ranks groups according to the number of posts made to data leak sites over the past 30 days. At the time of writing, LockBit no longer ranks in the top ten ransomware groups. It should be noted that this data only incorporates ransomware victims that did not pay a ransom, and as such, LockBit may be underrepresented.
In April 2025, the Everest ransomware group had their data leak website compromised in a similar manner, with the attacker leaving the exact same message as the one observed on LockBit's data leak site. Notably, there were no reports of leaked data relating to the Everest ransomware group during this attack. There are currently no details on the threat actors behind these attacks, but the messages left on the data leak sites suggest that they may be related. The LockBit data leak is also not the first time that a ransomware group has had private information leaked, with examples including the Conti ransomware and Black Basta chat leaks, which also provided insight into the operation of these ransomware groups.
Within their analysis of the leaked negotiation chat logs, Qualys noted that LockBit operators accept ransom payments in Monero and Bitcoin. The leaked logs reveal that attackers have offered discounts of up to 20% on ransom payments for victims who pay in Monero instead of Bitcoin. As Monero allows for private and untraceable transactions, whereas Bitcoin transactions are traceable, its use by LockBit may signal a new trend.
The leaked LockBit chat logs further show that threat actors have been exploiting critical vulnerabilities and weak security hygiene as a means of initial access. Organizations are strongly urged to ensure that security patches for critical devices are applied in a timely manner, and to enforce strong passwords and Multi-Factor Authentication (MFA) on all user accounts. Organizations should also deploy Endpoint Detection and Response (EDR) tools, which can help detect and prevent threats. eSentire MDR for Network and Endpoint have detections in place to identify activity relating to LockBit ransomware.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.