Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Researchers Disclose CVE-2025-32462 and CVE-2025-32463 in Sudo Affecting Linux and macOS: No Active Exploitation - On 30 June 2025, researchers from Stratascale's Cyber Research Unit disclosed two local privilege escalation vulnerabilities affecting the Sudo utility on both Linux and macOS systems. These vulnerabilities, tracked as CVE-2025-32462 and CVE-2025-32463, can potentially impact a range of common Linux distributions, such as Red Hat, Ubuntu, Debian, and others.
Currently, systems running Sudo versions 1.8.8 through 1.9.17 are vulnerable. To address the issue, users are advised to upgrade to version 1.9.17p1, which contains fixes for both flaws. Researchers have confirmed successful exploitation during testing on Ubuntu and macOS; however, no active exploitation has been detected in the wild at this stage.
As no workarounds are available, organisations should apply the patch to prevent potential abuse, particularly in environments where local user access cannot be fully controlled.
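A version check for the affected Sudo range is added here as an example; it is not part of the digest or of the Sudo project, and it assumes the first line of `sudo -V` reads `Sudo version X.Y.Z[pN]`, which is the upstream format.

```python
import re
import subprocess

# Affected range from the advisory: 1.8.8 through 1.9.17; fixed in 1.9.17p1.
# Versions are compared as (major, minor, patch, plevel); a missing "pN" counts as p0,
# so 1.9.17p1 sorts after 1.9.17 and falls outside the vulnerable range.
VULN_MIN = (1, 8, 8, 0)
VULN_MAX = (1, 9, 17, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> tuple:
    """Extract a comparable version tuple from text such as 'Sudo version 1.9.17p1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version: tuple) -> bool:
    """True when the version lies inside the range affected by CVE-2025-32462/32463."""
    return VULN_MIN <= version <= VULN_MAX


def format_version(version: tuple) -> str:
    """Render the tuple back in Sudo's own notation, e.g. (1, 9, 17, 1) -> '1.9.17p1'."""
    base = ".".join(str(n) for n in version[:3])
    return base + (f"p{version[3]}" if version[3] else "")


def check_local_sudo() -> tuple:
    """Run `sudo -V` (no privileges needed for the version line) and evaluate it."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
    first_line = out.splitlines()[0] if out else ""
    version = parse_sudo_version(first_line)
    return (format_version(version), is_vulnerable(version))


if __name__ == "__main__":
    installed, vuln = check_local_sudo()
    verdict = "in affected range, upgrade to 1.9.17p1" if vuln else "not in affected range"
    print(f"sudo {installed}: {verdict}")
```

Distributions often backport fixes without changing the upstream version string, so a hit from this check should be confirmed against the distribution's own advisory before being treated as unpatched.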
China-Linked Houken Intrusion Set Targets French Organizations via Exploitation of Ivanti Vulnerabilities (CVE-2024-8190, 8963, 9380) - On 1 July 2025, the French National Cybersecurity Agency (ANSSI) disclosed details of an intrusion set referred to as "Houken", which exploited three vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—in Ivanti Cloud Service Appliance (CSA) devices.
The activity, observed between September and November 2024, targeted key French organisations, including government, media, finance, transport, and telecommunications. The attackers leveraged the vulnerabilities to gain initial access, establish persistence, and exfiltrate sensitive data from compromised systems.
Based on similarities in tactics, techniques, and procedures, ANSSI has attributed the campaign to UNC5174, a threat group aligned with Chinese state interests.
CVE-2025-7031 Enables Unauthorized Access to Configuration Data via Flawed Drupal Configuration Pages Viewer Module; No Active Exploitation Observed - On 2 July 2025, Drupal Connect disclosed CVE-2025-7031, a critical access bypass vulnerability affecting the Config Pages Viewer module for Drupal in versions prior to 1.0.4. Drupal, an open-source content management system (CMS), is widely used to develop websites and web applications.
The vulnerability arises from insufficient input validation. This allows unauthorised users to access configuration pages due to missing permission and entity access checks. This flaw could enable threat actors to view sensitive configuration data without proper authorisation.
Although there is currently no evidence of active exploitation in the wild, organisations are strongly advised to upgrade to version 1.0.4 in order to mitigate potential risk.
Potential Threats
Ongoing LogoKit-Based Phishing Campaign Impersonates Global Brands - On 7 July 2025, Cyble reported an ongoing credential-phishing campaign being carried out by unidentified threat actors targeting organisations across several countries. The threat actors are currently impersonating a range of entities, including Hungary's Computer Emergency Response Team (HunCERT), Kina Bank in Papua New Guinea, the Catholic Church in the United States, and logistics companies in Saudi Arabia.
The campaign relies on the LogoKit phishing kit to dynamically reproduce branding across multiple phishing pages, which are hosted on Amazon S3 infrastructure. These pages are designed to exfiltrate user credentials to the domain mettcoint[.]com, which has been associated with phishing activity since at least February 2025 and remained undetected on OSINT sites like VirusTotal at the time of reporting.
Victims are directed to fraudulent login pages that mimic legitimate portals, with the victim's email address prefilled in the username field to enhance credibility. The phishing pages make use of Clearbit and Google S2 Favicon services to automatically fetch relevant brand logos and icons, and incorporate Cloudflare Turnstile to simulate a secure login process. When a password is entered, the credentials are exfiltrated to mettcoint[.]com endpoints, including /js/error-200.php and /css/nk/error-404.php, after which a false error message is displayed to the user. Notably, the same infrastructure also hosts a phishing page impersonating the file-sharing service WeTransfer, suggesting that the attackers are specifically targeting users expecting secure document transfers.
NightEagle Exploits Microsoft Exchange Servers to Exfiltrate Mailbox Data from Chinese Organisations - Since 2023, a previously undocumented threat group known as NightEagle (APT-Q-95) has targeted Chinese organisations in the government, military, AI, quantum technology, and semiconductor sectors. According to a 4 July 2025 report by QiAnXin's RedDrip Team, the group is assessed with moderate confidence to be state-sponsored and likely based in North America, based on operational patterns and infrastructure.
NightEagle exploited an unpatched vulnerability in Microsoft Exchange Server to gain initial access, extracting the server's machineKey to enable unauthorised deserialization and remote code execution. The group then deployed a memory-resident trojan via a .NET loader embedded in Exchange's Internet Information Services (IIS), allowing stealthy, fileless access without writing to disk.
To maintain persistence, a modified version of the Chisel tunnelling tool (SynologyUpdate.exe) was installed as a scheduled task, establishing a SOCKS proxy to attacker-controlled infrastructure. The group's primary objective was to exfiltrate mailbox data, with access to compromised Exchange Servers maintained for nearly a year.
Server-Side Template Injection Vulnerability in Tiki Wiki CMS Allows Authenticated Users to Execute Arbitrary Code on Server; No Active Exploitation Observed - On 8 July 2025, Karma Insecurity disclosed CVE-2025-32461, a server-side template injection (SSTI) vulnerability affecting Tiki Wiki CMS Groupware versions 28.3 and earlier. Tiki is an open-source web application combining wiki, content management, and groupware functionality. There is currently no evidence of active exploitation in the wild.
The flaw stems from unsafe use of the PHP eval() function, which likely enables attackers to execute arbitrary PHP code through inadequate input validation in the customsearch and includetpl components. Organisations are advised to upgrade to Tiki Wiki CMS Groupware version 28.4 to mitigate the risk.
General News
CISA Adds Four Vulnerabilities to KEV Catalog Affecting MRLG, PHPMailer, Rails, and Zimbra - On 7 July 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue following evidence of active exploitation. The affected software includes Multi-Router Looking Glass (MRLG), PHPMailer, Ruby on Rails, and Synacor Zimbra Collaboration Suite (ZCS).
The issues comprise a buffer overflow in MRLG (CVE-2014-3931) allowing arbitrary memory writes, a command injection flaw in PHPMailer (CVE-2016-10033) via crafted Sender fields, a path traversal vulnerability in Ruby on Rails Action View (CVE-2019-5418) enabling disclosure of unintended files, and a server-side request forgery (SSRF) vulnerability in ZCS ProxyServlet (CVE-2019-9621).
Organisations using these products are strongly advised to apply relevant patches promptly to mitigate ongoing risks.
Hunters International Ransomware Group Announces Shutdown - On 7 July 2025, SecurityWeek reported that the Hunters International ransomware group had ceased operations, citing increased law enforcement pressure and declining profitability. The group announced its shutdown on 3 July via its dark web portal, offering free decryption tools to affected organisations.
Hunters International, believed to be a rebrand of the Hive ransomware group, emerged in late 2023 and claimed around 300 victims worldwide. An April 2025 report by Group-IB, referenced in a prior Insikt Analyst Note, indicated the group had begun shifting to extortion-only attacks under the name "World Leaks." Active since January 2025, World Leaks exemplifies a wider trend among threat actors moving from file encryption towards data theft for extortion.
Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials - Cisco has issued security updates to address a critical vulnerability in Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME) that could allow an attacker to gain root-level access to affected devices. Tracked as CVE-2025-20309 with a maximum CVSS score of 10.0, the flaw arises from hard-coded credentials intended for development use, which should never be present in production systems.
Exploitation would enable an attacker to log in as root and execute arbitrary commands, potentially allowing them to move laterally within the network, intercept calls, or alter user authentication. The vulnerability affects Unified CM and Unified CM SME versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of configuration.
Cisco discovered the issue during internal security testing and has found no evidence of active exploitation. The vendor also released indicators of compromise, noting that successful attacks generate log entries for the root user in "/var/log/active/syslog/secure," retrievable via the command-line interface.
This disclosure closely follows two other recent critical vulnerabilities in Cisco's Identity Services Engine and Passive Identity Connector (CVE-2025-20281 and CVE-2025-20282), which similarly allowed unauthenticated root command execution.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (before → after) | Opportunity (before → after) | Intent (before → after)
---|---|---|---
BlueBravo | High → High | 88 → 87 | 25 → 25
BlueDelta | High → High | 88 → 86 | 25 → 25
Luna Moth | New → Basic | New → 45 | New → 30
Oxfluxsec | New → Basic | New → 30 | New → 5
Nitrogen Ransomware Group | Basic → Basic | 45 → 35 | 49 → 49
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike: a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise: a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Safepay Ransomware Group ▲ | Ransomware ▲ | CVE-2025-32463 ▲ | Conglomerate ▲
APT36 ▲ | Zero Day Exploit ▲ | CVE-2025-6019 ▲ | Pharmaceuticals and Biotechnology ▲
Side Copy ▲ | Remote Code Execution ▲ | CVE-2014-0160 (HeartBleed) ▲ | Ingram Micro ▲
TAG-140 ▲ | T1190 (Exploit Public-Facing Application) ▲ | CVE-2025-7327 ▲ | Manufacturing ▲
Gadji ▲ | C&C Server ▲ | CVE-2025-38237 ▲ | Central Bank ▲
Prominent Information Security Events
Houken Intrusion Set Targets French Critical Sectors via Ivanti CSA Vulnerabilities
Source: Insikt Group | Validated Intelligence Event
IOC: IP – 198[.]98[.]54[.]209
IOC: SHA1 – ebe6068e2161fe359a63007f9febea00399d7ef3
IOC: CVE-2024-8190
On 1 July 2025, the French National Cybersecurity Agency (ANSSI) reported on "Houken," an intrusion set linked to the China-aligned threat group UNC5174. Active between September and November 2024, Houken targeted organisations in France's government, media, finance, transport, and telecoms sectors. The campaign exploited vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices—specifically CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—to achieve initial access and facilitate long-term data exfiltration.
The infection chain began with code execution through the Ivanti CSA flaws, followed by a base64-encoded Python script that extracted encrypted admin credentials from a local PostgreSQL database. Persistence was established using modified PHP scripts and custom webshells—such as /rc/help[.]php—often derived from open-source tools like Neo-reGeorg and Behinder. In one case, a kernel-mode rootkit (sysinitd[.]ko) was deployed via shell script to hijack inbound TCP traffic and allow root-level remote command execution.
Command-and-control was maintained via GOREVERSE and suo5 backdoors, deployed from VPS infrastructure hosted by providers such as HOSTHATCH and ColoCrossing. Threat actors accessed systems using commercial VPN services, including NordVPN, Proton VPN, and Surfshark VPN, to obscure attribution. Post-compromise activity included lateral movement, credential harvesting, Monero mining, and exfiltration of sensitive data. Previous Insikt reporting has provided further context on UNC5174's TTPs.
NightEagle Intrusion Set Targets Chinese Strategic Sectors via Microsoft Exchange Vulnerability
Source: QiAnXin RedDrip Team | Validated Intelligence Event
IOC: SHA256 – 100842fb2e5fc92f4716ef5559cb274572eb451d79ea263d121ec658a96054e9
IOC: MD5 - dce251f0d856acb156ec0e1424b5d994
IOC: Domain – liveupdate[.]wsupdatecloud[.]net
On 4 July 2025, QiAnXin's RedDrip Team released findings on "NightEagle," a previously unreported threat group designated APT-Q-95. The group has been active since at least 2023 and is assessed with moderate confidence to be state-sponsored and likely based in North America. NightEagle's targeting has focused exclusively on Chinese organisations across critical sectors such as government, military, artificial intelligence, quantum technology, and semiconductors, suggesting a cyber espionage mandate.
Initial access was obtained via an undisclosed vulnerability in Microsoft Exchange Server, allowing NightEagle to extract the server's machineKey and conduct unauthorised deserialization. This led to remote code execution (RCE) and the injection of a memory-resident trojan through a malicious .NET loader (App_Web_cn*.dll) into the Internet Information Services (IIS) layer of Exchange. By operating in memory only, the malware avoided detection through traditional file-based security mechanisms.
Persistence was achieved through a customised version of Chisel (renamed SynologyUpdate.exe) deployed as a scheduled task that triggered every four hours. This implant established a SOCKS proxy back to attacker-controlled infrastructure via domains such as liveupdate[.]wsupdatecloud[.]net, which resolved to US-based IP addresses during active sessions. The command-and-control (C2) setup enabled encrypted data tunnelling and long-term access to victim environments.
NightEagle's primary objective appeared to be email surveillance, with mailbox data exfiltrated from targeted Chinese entities for nearly a year. The operation demonstrated a high level of operational security and strategic targeting consistent with long-term intelligence collection. The group's activity hours, consistent infrastructure use, and exclusively China-focused operations support the assessment of a North American origin.
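The network indicators published in the LogoKit, Houken and NightEagle items above are used here in an added example of a small indicator matcher for proxy, DNS and firewall logs; it is not code from the digest or from any of the reporting vendors, and the log lines it scans are constructed samples in an assumed format.

```python
import re

# Network indicators quoted in the digest, in the defanged form they were published in.
DEFANGED_IOCS = {
    "houken_c2_ip": "198[.]98[.]54[.]209",
    "nighteagle_c2_domain": "liveupdate[.]wsupdatecloud[.]net",
    "logokit_exfil_domain": "mettcoint[.]com",
}
# Credential exfiltration paths named in the LogoKit item; reported only together with the domain.
LOGOKIT_EXFIL_PATHS = ("/js/error-200.php", "/css/nk/error-404.php")


def refang(indicator: str) -> str:
    """Turn the published form '198[.]98[.]54[.]209' back into a matchable value."""
    return indicator.replace("[.]", ".")


def build_patterns() -> dict:
    """One bounded regex per indicator: 'mettcoint.com' matches 'login.mettcoint.com'
    (a leading dot is allowed) but not 'notmettcoint.com' (a leading word character is not)."""
    return {
        name: re.compile(r"(?<![\w-])" + re.escape(refang(ioc)) + r"(?![\w-])")
        for name, ioc in DEFANGED_IOCS.items()
    }


def scan_log(lines, patterns=None) -> list:
    """Return (line_no, indicator_name, line) for every line containing an indicator.
    A LogoKit domain hit is escalated to 'logokit_credential_post' when the same line
    shows an HTTP POST to one of the known exfiltration paths."""
    patterns = patterns or build_patterns()
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in patterns.items():
            if not pat.search(line):
                continue
            if name == "logokit_exfil_domain" and "POST" in line and any(p in line for p in LOGOKIT_EXFIL_PATHS):
                hits.append((n, "logokit_credential_post", line))
            else:
                hits.append((n, name, line))
    return hits


# Constructed sample lines (not real telemetry): proxy, proxy, DNS, firewall, firewall.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST https://mettcoint.com/js/error-200.php HTTP/1.1" 200 312',
    '10.0.0.7 - - "GET https://example.com/css/nk/error-404.php HTTP/1.1" 404 0',
    "dns query client=10.0.0.9 qname=liveupdate.wsupdatecloud.net qtype=A",
    "fw allow src=10.0.0.12 dst=198.98.54.209 dport=443 proto=tcp",
    "fw allow src=10.0.0.12 dst=198.98.54.2 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for n, name, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {name}: {line}")
```

The second and fifth sample lines are deliberate near-misses (a known path on an unrelated domain, and a different address sharing a prefix with the C2 IP) and produce no hit.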
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-32462 and CVE-2025-32463: To mitigate the risk of exploitation, it is advised to update Sudo to version 1.9.17p1 or later, as detailed in the vendor's advisory.
- CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380: Organisations should apply the available patches for Ivanti Cloud Services Appliance to secure their systems against these vulnerabilities. Given the active exploitation of these vulnerabilities, timely updates are crucial.
- CVE-2025-7031: Organisations using the Config Pages Viewer module for Drupal are advised to upgrade to version 1.0.4, which addresses this vulnerability, as a matter of priority.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.