This week, we briefed our clients on an update to the FBI/CISA #StopRansomware: Akira Ransomware advisory that focused on newly observed campaign TTPs.
KEY TAKEAWAYS
- New TTPs revealed by CISA and FBI joint advisory. Learn how to protect your organization.
- Critical and high-severity vulnerabilities in Fortinet, SAP, and QNAP, plus updates to CISA KEV, patch now!
New Akira Ransomware TTPs
On November 13, CISA, the FBI, and other international partners issued updates to their cybersecurity advisory: #StopRansomware: Akira Ransomware. The updates to this advisory include new tactics, techniques, and procedures (TTPs) observed during recent Akira ransomware campaigns. Akira has become one of the most prolific ransomware groups, with over 1100 claimed victims in a variety of industry verticals and countries, and has extorted over $240 million in ransomware proceeds. This article will highlight the newly observed TTPs so organizations can protect themselves against this ever-present and growing threat.
Initial Access
Akira is known for gaining initial access to organizations by compromising VPN devices. This is accomplished either through remote exploitation of known vulnerabilities or by abusing compromised accounts where multi-factor authentication is not configured. Most notably, Akira has been observed heavily targeting CVE-2024-40766, an access control vulnerability in SonicWall SonicOS. The updated TTPs also stress that Akira is heavily leveraging both brute-force attacks against VPNs and compromised accounts purchased from initial access brokers.
Persistence and Discovery
This phase of an Akira intrusion looks much like most other ransomware intrusions. Akira has been observed using techniques such as Kerberoasting to extract stored credentials, as well as common hacking tools such as Mimikatz and LaZagne for privilege escalation. Akira is known to create new domain accounts for persistence. They also use common tools such as SoftPerfect, Advanced IP Scanner, and NetScan to facilitate network discovery.
Lateral Movement
Akira abuses known vulnerabilities in backup infrastructure and virtualization environments. For example, Akira has exploited CVE-2023-27532 and CVE-2024-40711 in Veeam products to compromise backups. Akira uses commercial remote access tools such as AnyDesk or LogMeIn, as well as RDP, SSH, and MobaXterm to pivot through the victim network.
Privilege Escalation
One very notable technique leveraged by Akira in recent reports is bypassing Virtual Machine Disk (VMDK) file protection by temporarily powering down the domain controller's VM, copying the VMDK files, and then attaching them to a newly created VM, allowing the attackers to extract the NTDS.dit file and SYSTEM hive from the copied disk.
Command and Control
The updated advisory shows Akira has been observed leveraging Ngrok for establishing encrypted tunnels and bypassing network monitoring.
Execution
One of the more notable updates in this advisory is Akira's ability to encrypt Nutanix AHV VM disk files. Previously, their encryptor only targeted VMware ESXi and Hyper-V virtualization, but this new capability expands the potential impact of their encryption.
Data Exfiltration
Akira is a double-extortion group: they steal sensitive data before triggering encryption, then use the threat of publishing the stolen data on their leak page as a second means of extortion. Akira has been observed using common file transfer tools such as FileZilla, WinSCP, and RClone, often sending the stolen data to cloud storage services like Mega. Recent reports show Akira exfiltrating data within two hours of initial access.
How to Protect Your Organization
One thing that stands out about Akira TTPs is the lack of innovation. They do not use 0-days. They do not use custom tooling. Their entire attack lifecycle is extremely straightforward and basic. This means protecting your organization against this threat centers around security best practices:
- Patching - Akira abuses known and relatively old vulnerabilities. Ensure all internet-facing devices, especially remote access (VPN) devices, are fully patched. Ensure critical internal systems such as virtualization infrastructure and backup devices are fully patched.
- MFA - All VPN accounts need to have MFA. No exceptions.
- Compromised Credential Monitoring - Dark web monitoring services can be an early warning against compromised credential attacks. Any compromised accounts discovered in hacker forums can have their credentials rotated and MFA enforced.
- Attack Surface Management - Ensure unused or unnecessary services are not exposed to the open internet. Only expose what is absolutely necessary for business functions, nothing more. Remote access should be facilitated through VPN (no RDP!).
- Environment Baselining - Understanding what tools are used in the environment is crucial. Once this baseline is established, any deviation should be immediately investigated.
- EDR Everywhere - Fully up-to-date EDR should be deployed to every possible endpoint, no exceptions.
- Network monitoring - Network monitoring tools such as PacketWatch can be used to detect deviations from baselines (why is there AnyDesk traffic all of a sudden?) and can also monitor for data exfiltration (outbound SFTP or traffic to unauthorized cloud storage sites).
Administrators are strongly encouraged to read the full joint advisory here for a comprehensive list of Akira TTPs.
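The baselining and network monitoring recommendations above can be turned into simple detection logic. The following is an added example, not PacketWatch's own tooling or a query from the advisory: it scans constructed connection-log records for the Akira TTPs named in this article (AnyDesk/LogMeIn remote access, Ngrok tunnels, transfers to Mega, outbound SFTP, and RDP/SSH reached directly from the internet). The log format, hostname suffixes, internal ranges and the 100 MB SFTP threshold are all assumptions.

```python
# Added example (not from the PacketWatch advisory): flag Akira-style
# deviations from an environment baseline in simple connection-log records.
# Tool/service names come from the advisory text; the log format, hostname
# suffixes, internal ranges and the byte threshold are constructed assumptions.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Services named in the advisory, keyed by the hostname suffix a proxy or
# TLS SNI log would show (suffixes are assumptions, not vendor-confirmed).
WATCHLIST = {
    "anydesk.com": "remote access tool (AnyDesk)",
    "logmein.com": "remote access tool (LogMeIn)",
    "ngrok.com": "tunnelling (Ngrok)", "ngrok.io": "tunnelling (Ngrok)",
    "mega.nz": "cloud storage (Mega)", "mega.co.nz": "cloud storage (Mega)",
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_ONLY_PORTS = {3389: "RDP", 22: "SSH"}   # should be VPN-only, never internet-facing
SFTP_PORT, SFTP_BYTES_THRESHOLD = 22, 100_000_000  # threshold is an assumption

@dataclass
class Finding:
    line_no: int
    reason: str

def _internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyse(lines: list[str], baseline_hosts: set[str]) -> list[Finding]:
    """Each record: '<src_ip> <dst_ip> <dst_port> <sni_or_host> <bytes_out>' (constructed format).
    baseline_hosts lists WATCHLIST suffixes that are legitimately used in this environment."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        src, dst, port_s, host, out_s = line.split()
        port, out = int(port_s), int(out_s)
        # 1. watch-listed service that is not part of the environment baseline
        for suffix, label in WATCHLIST.items():
            if (host == suffix or host.endswith("." + suffix)) and suffix not in baseline_hosts:
                findings.append(Finding(n, f"{label} traffic to {host} not in baseline"))
        # 2. RDP/SSH reached directly from the internet (advisory: remote access via VPN only)
        if port in INTERNAL_ONLY_PORTS and not _internal(src) and _internal(dst):
            findings.append(Finding(n, f"inbound {INTERNAL_ONLY_PORTS[port]} from internet host {src}"))
        # 3. large outbound SFTP transfer to an external host (possible exfiltration)
        if port == SFTP_PORT and _internal(src) and not _internal(dst) and out > SFTP_BYTES_THRESHOLD:
            findings.append(Finding(n, f"{out} bytes outbound SFTP to {dst}"))
    return findings

# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 play the role of internet hosts.
SAMPLE_LOG = [
    "10.0.5.23 203.0.113.10 443 relay.anydesk.com 4096",
    "203.0.113.7 10.0.0.15 3389 - 1200",
    "10.0.5.23 198.51.100.9 22 - 250000000",
    "10.0.5.24 203.0.113.40 443 www.example.com 9000",
    "10.0.5.25 198.51.100.77 443 api.mega.nz 700000000",
]
```

Running `analyse(SAMPLE_LOG, set())` flags records 1, 2, 3 and 5; adding "anydesk.com" to the baseline set suppresses the first finding, which is the point of baselining before alerting.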
Resources:
- https://www.cisa.gov/sites/default/files/2025-11/aa24-109a-stopransomware-akira-ransomware_3.pdf
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
Vulnerability Roundup
Fortinet FortiWeb 0-day
After much speculation, Fortinet has finally confirmed the existence of a 0-day flaw in FortiWeb. Tracked as CVE-2025-64446, the flaw is a path traversal vulnerability in FortiWeb's GUI component, which can allow unauthenticated attackers to execute administrative commands via HTTP or HTTPS requests. This vulnerability has been confirmed to be exploited in the wild, potentially as far back as early October. Reports like this one from PwnDefend show threat actors are abusing this vulnerability to create local 'admin' user accounts. Administrators are urged to patch immediately. Additionally, per the vendor, it is recommended that the HTTP/HTTPS management interface is only accessible internally. Below are the affected versions and their respective fixed versions:

PacketWatch query for FortiWeb exploit IOCs:
*.ip:(107.152.41.19 OR 144.31.1.63 OR 89.169.55.168 OR 185.192.70.33 OR 185.192.70.53 OR 185.192.70.43 OR 185.192.70.25 OR 185.192.70.36 OR 185.192.70.49 OR 185.192.70.39 OR 185.192.70.57 OR 185.192.70.50 OR 185.192.70.46 OR 185.192.70.31 OR 64.95.13.8)
- https://fortiguard.fortinet.com/psirt/FG-IR-25-910
- https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/
- https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/
- https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/
- https://x.com/DefusedCyber/status/1975242250373517373
SAP Fixes Maximum-severity Flaw in SQL Anywhere Monitor
Among the multiple vulnerabilities addressed in the November security updates for SAP are a maximum-severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection flaw in their Solution Manager platform. The max-severity flaw in SQL Anywhere Monitor is tracked as CVE-2025-42890 and is the result of hardcoded credentials, potentially allowing attackers to access administrative functions and execute arbitrary code on the system. The code injection flaw in Solution Manager is tracked as CVE-2025-42887 and allows an "authenticated attacker to insert malicious code when calling a remote-enabled function module."
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-42890
- https://nvd.nist.gov/vuln/detail/CVE-2025-42887
- https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/
QNAP Fixes Multiple 0-days
QNAP has addressed seven 0-days across a range of their products that were discovered in the Pwn2Own Ireland 2025 competition. The new vulnerabilities impact the QNAP QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849), Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840 and CVE-2025-62842). Per the vendor, administrators are urged to update to the following versions or later as soon as possible and rotate passwords:
- Hyper Data Protector 2.2.4.1 and later
- Malware Remover 6.6.8.20251023 and later
- HBS 3 Hybrid Backup Sync 26.2.0.938 and later
- QTS 5.2.7.3297 build 20251024 and later
- QuTS hero h5.2.7.3297 build 20251024 and later
- QuTS hero h5.3.1.3292 build 20251024 and later
- https://www.qnap.com/en/security-advisory/qsa-25-45
- https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-vulnerabilities-exploited-at-pwn2own/
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2025-64446 - Fortinet FortiWeb Path Traversal Vulnerability
- CVE-2025-9242 - WatchGuard Firebox Out-of-Bounds Write Vulnerability
- CVE-2025-62215 - Microsoft Windows Race Condition Vulnerability
- CVE-2025-12480 - Gladinet Triofox Improper Access Control Vulnerability
- CVE-2025-21042 - Samsung Mobile Devices Out-of-Bounds Write Vulnerability
- CVE-2025-11371 - Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
- CVE-2025-48703 - CWP Control Web Panel OS Command Injection Vulnerability
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.
The PacketWatch Intelligence Team