Threat Intel Brief for January 6 - January 12, 2025

In this weekly Threat Intelligence Brief we look back at the top stories and security-related callouts of the week to provide relevant and actionable insights for information security practitioners.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Cloudflare used to obscure Aqua Blizzard C2
Attacking e-commerce by exploiting Google domains
Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways Security Update
CISA KEV updates

Cloudflare used to obscure Aqua Blizzard C2

Microsoft Threat Intelligence has identified the Russian state-sponsored threat actor Aqua Blizzard (also tracked as Gamaredon and Armageddon) as using the free Cloudflare Tunnel service to hide its command-and-control (C2) infrastructure. Because the tunnel terminates on Cloudflare-owned hostnames and IP space, the actor's C2 traffic blends in with legitimate Cloudflare traffic and the origin server is never exposed directly. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB). Aqua Blizzard primarily targets government entities, military organizations, non-governmental organizations (NGOs), judiciary bodies, law enforcement agencies, and non-profits, with a focus on espionage and the exfiltration of sensitive information.

Aqua Blizzard continually evolves its tactics, techniques, and procedures. Its primary initial-access vector is spear-phishing email carrying a malicious attachment; the attachment drops a first-stage payload, which downloads and executes further stages of malware. The group's custom tooling includes heavily obfuscated VBScripts, PowerShell commands, self-extracting archives, and Windows shortcut (LNK) files, and these are frequently chained (for example, a shortcut that launches a script host, which in turn spawns PowerShell). For defenders the practical implication is that detection should key on the chain of living-off-the-land interpreters spawned from user-facing applications and on outbound connections to tunnel infrastructure, rather than on any single file hash, which the group rotates quickly.
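The two behaviours described above, as an added detection example; this is not code from Microsoft's report or from the original brief. It runs over constructed sample telemetry in a simplified Sysmon-like schema (field names host, pid, ppid, image, cmdline, query are chosen for the example, not any product's real schema). The tunnel hostname in the sample is made up; free tunnels created with Cloudflare's TryCloudflare service are reached through *.trycloudflare.com names, and the actor's real names are in the IoC table, which is not reproduced here.

```python
"""
Added example (not Microsoft's or the original brief's code).

  1. tunnel_lookups: DNS lookups of Cloudflare quick-tunnel names
     (*.trycloudflare.com). Sample tunnel name is made up.
  2. suspicious_chains: the phishing execution chain described above,
     user app -> script host -> PowerShell with hidden/encoded/download
     arguments, rebuilt from parent/child process links.

Schema (host, pid, ppid, image, cmdline, query) is a simplified
Sysmon-like shape chosen for this example.
"""
import re

TUNNEL_HOST_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_APPS = {"outlook.exe", "winword.exe", "excel.exe", "explorer.exe"}
# -e/-ec/-enc/-encodedcommand, hidden window, -nop, download cradles, iex
SUSPICIOUS_PS_ARGS = re.compile(
    r"(-e(?:nc\w*|c)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b)",
    re.IGNORECASE,
)

# Constructed sample telemetry ------------------------------------------
DNS_EVENTS = [
    {"host": "ws-017", "query": "login.microsoftonline.com"},
    {"host": "ws-017", "query": "quiet-harbor-seed-owned.trycloudflare.com"},  # made-up tunnel
    {"host": "ws-042", "query": "www.cloudflare.com"},  # ordinary Cloudflare traffic, must not match
]

PROCESS_EVENTS = [
    {"host": "ws-017", "pid": 4120, "ppid": 3200, "image": "outlook.exe",
     "cmdline": "outlook.exe"},
    {"host": "ws-017", "pid": 5210, "ppid": 4120, "image": "wscript.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\Users\a\AppData\Local\Temp\report.vbs"},
    {"host": "ws-017", "pid": 5388, "ppid": 5210, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # SQBFAFgA = UTF-16LE "IEX"
    # Benign: an admin script run from Explorer, no script-host parent.
    {"host": "ws-042", "pid": 900, "ppid": 100, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "ws-042", "pid": 910, "ppid": 900, "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]


def tunnel_lookups(dns_events):
    """Return (host, queried name) for every lookup of a *.trycloudflare.com name."""
    return [(e["host"], e["query"]) for e in dns_events
            if TUNNEL_HOST_RE.search(e["query"])]


def suspicious_chains(process_events):
    """Return (host, chain, cmdline) for user app -> script host -> powershell
    chains where the PowerShell command line carries suspicious arguments.
    Keyed on (host, pid); real telemetry should use process GUIDs or
    timestamps so that PID reuse cannot stitch unrelated processes together."""
    by_pid = {(e["host"], e["pid"]): e for e in process_events}
    hits = []
    for ev in process_events:
        if ev["image"].lower() != "powershell.exe":
            continue
        if not SUSPICIOUS_PS_ARGS.search(ev["cmdline"]):
            continue
        parent = by_pid.get((ev["host"], ev["ppid"]))
        if parent is None or parent["image"].lower() not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get((ev["host"], parent["ppid"]))
        if grand is None or grand["image"].lower() not in USER_APPS:
            continue
        chain = f"{grand['image']} -> {parent['image']} -> {ev['image']}"
        hits.append((ev["host"], chain, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, name in tunnel_lookups(DNS_EVENTS):
        print(f"[tunnel] {host} resolved {name}")
    for host, chain, cmd in suspicious_chains(PROCESS_EVENTS):
        print(f"[chain]  {host}: {chain}\n         {cmd}")
```

The DNS rule matches only the trycloudflare.com suffix, so normal traffic to www.cloudflare.com or to sites fronted by Cloudflare does not fire; the process rule requires all three links of the chain plus a suspicious PowerShell argument, which keeps routine admin scripts out of the results.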

A few of the IoCs associated with recent activity from this threat actor are listed below:

[IoC table: image not reproduced]

Source: Microsoft Defender Threat Intelligence

Attacking e-commerce by exploiting Google domains

A recently exposed attack chain targeting e-commerce payment pages has also raised questions about the balance between responsible disclosure and public safety. Source Defense's research team identified the issue and reported it to Google in November; a separate vendor has since disclosed it publicly, which may put the technique in the hands of more attackers. The attack abuses trusted Google domains so that attacker-controlled JavaScript is served from, and executes under, a Google origin, where it is unlikely to be blocked or noticed.

The chain begins with malicious JavaScript inserted into the target site, either by compromising it directly or through a third-party script the site already loads. That script then loads a resource from a Google endpoint that accepts a caller-supplied callback name (a JSONP-style parameter) and reflects it, unvalidated, into the JavaScript body of its response. Supplying a value such as callback=eval( turns Google's own response into the loader for the attacker's code, so the executing script carries a trusted Google origin; this makes the activity look like a legitimate Google call and sidesteps controls such as a Content Security Policy that allow-lists Google domains. Once running, the injected code can redirect shoppers to a fraudulent payment form or otherwise capture card data.

Active exploitation of this technique has been observed across multiple industries, with attackers moving quickly to host the injection on compromised legitimate domains. The practical response is to monitor what scripts on payment pages actually do at runtime, not only which first-party code is deployed, and to act on unexpected requests to the endpoints below.

To help detect exploitation of this technique, Source Defense recommends monitoring for requests to the following Google endpoints from pages that have no legitimate reason to call them (URLs defanged with hxxps):

hxxps://accounts.google.com/o/oauth2/revoke?callback=eval(
hxxps://accounts.google.com/o/oauth2/eval(
hxxps://translate.googleapis.com/%24discovery/eval(

Please follow the linked source article for a more in-depth look at the attack chain and recommendations provided by Source Defense.
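An added example of both halves of this story; it is not Source Defense's code or the original brief's. The first part shows why an endpoint that reflects a caller-supplied callback into a script response becomes a code-execution gadget, and the usual server-side fix (accept only a plain identifier). The second part scans a constructed checkout page for script tags that load from the endpoints listed above with a callback that is not a plain identifier. The host and path pairs come from that list; the sample HTML and the payload (base64 of alert(1)) are constructed.

```python
"""
Added example (not Source Defense's code or the original brief's).

  callback_is_safe / build_jsonp_response: the reflection problem and
  its fix (validate the callback as a dotted identifier).
  find_callback_abuse: scan HTML for <script src> loads from the watched
  endpoints with a callback that is code rather than an identifier.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# A legitimate JSONP callback is an identifier, optionally dotted (app.onRevoke).
IDENT_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")

# Endpoint host + decoded path prefix, from the watch list above.
WATCHED_ENDPOINTS = (
    ("accounts.google.com", "/o/oauth2/"),
    ("translate.googleapis.com", "/$discovery"),  # the list writes '$' as %24
)


def callback_is_safe(callback: str) -> bool:
    return IDENT_RE.match(callback) is not None


def build_jsonp_response(callback: str, json_body: str, validate: bool) -> str:
    """The JavaScript a JSONP-style endpoint emits for ?callback=<callback>.

    Reflected verbatim, a callback of  eval(atob("..."))//  produces
        eval(atob("..."))//({...});
    so the attacker's code runs and the endpoint's own JSON is commented
    out. With validate=True anything but a plain identifier is rejected
    (a real server would answer 400 instead of raising)."""
    if validate and not callback_is_safe(callback):
        raise ValueError("callback must be a plain identifier")
    return f"{callback}({json_body});"


class _ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def classify_script_src(src: str):
    """None if the URL is not a watched endpoint, otherwise why to flag it."""
    parts = urlsplit(src)
    path = unquote(parts.path)
    if not any(parts.hostname == h and path.startswith(p) for h, p in WATCHED_ENDPOINTS):
        return None
    callbacks = parse_qs(parts.query).get("callback", [])
    if any(not callback_is_safe(cb) for cb in callbacks) or "eval(" in unquote(src):
        return "code_in_callback"
    return "watched_endpoint"  # a checkout page has no reason to call these at all


def find_callback_abuse(html: str):
    """Return (src, reason) for every script tag that loads a watched endpoint."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        reason = classify_script_src(src)
        if reason is not None:
            hits.append((src, reason))
    return hits


# Constructed sample page. The second script tag carries base64 of alert(1).
SAMPLE_HTML = """<html><body>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(%22YWxlcnQoMSk%3D%22))%2F%2F"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=onRevoke"></script>
<script src="/assets/checkout.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(build_jsonp_response('eval(atob("YWxlcnQoMSk="))//', '{"error":"invalid_token"}', False))
    for src, reason in find_callback_abuse(SAMPLE_HTML):
        print(f"{reason:18} {src}")
```

The scan distinguishes a callback that is code from a plain identifier, but reports both: the brief's point is that a payment page should not be loading anything from these endpoints, so the second category is still worth an alert, just at lower severity. The same identifier check is the fix on the server side for any JSONP endpoint you operate yourself.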

Source: Source Defense

Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways Security Update

Ivanti has released a security update for two newly identified vulnerabilities affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways, tracked as CVE-2025-0282 and CVE-2025-0283. CVE-2025-0282 is a stack-based buffer overflow that allows an unauthenticated remote attacker to execute code on the appliance; CVE-2025-0283 is a stack-based buffer overflow that allows a local, authenticated attacker to escalate privileges. For Connect Secure the fix is version 22.7R2.5; patches are available through Ivanti's standard portal.

At the time of disclosure, Ivanti was aware of a limited number of Connect Secure appliances that had been exploited via CVE-2025-0282. There was no evidence of exploitation against Policy Secure or Neurons for ZTA gateways, and no known exploitation of CVE-2025-0283. Because CVE-2025-0282 requires no credentials, any internet-facing Connect Secure appliance on a vulnerable build should be treated as exposed until it has been patched and checked.

According to Ivanti, "Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."

Two caveats on the ICT: run both the internal and the external scan, since the internal tool executes on the very system that may already be compromised, and treat any sign of compromise as grounds for a factory reset before upgrading, which is what Ivanti's advisory recommends, rather than an upgrade in place.

Here are the affected versions:

[Affected-versions table: image not reproduced]

Patches can be found at https://portal.ivanti.com/. Where a patch is not yet available for your product, apply the mitigations described in the source advisory.
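A small added example for the version check that precedes the ICT step; it is not Ivanti's tooling and does not replace the ICT. It parses Ivanti build strings (22.7R2.5, 9.1R18.9: major.minor, an R release number, then a dot-separated patch level) and triages a constructed inventory against a fixed build. The Connect Secure fixed build used, 22.7R2.5, is the one named in Ivanti's advisory for CVE-2025-0282, but treat it as a value to confirm on the portal; Policy Secure and ZTA are left without a fixed build on purpose, because their patches were not yet published at disclosure.

```python
"""
Added example, not Ivanti's own tooling and not a substitute for the ICT.
Checks a constructed appliance inventory against a fixed build.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)((?:\.\d+)*)$")

# Product -> first fixed build. Policy Secure and ZTA are deliberately
# absent: at disclosure their patches were not yet available, so they
# report as "unknown" rather than silently "ok".
FIXED_BUILDS = {
    "Ivanti Connect Secure": "22.7R2.5",  # assumption: confirm on the Ivanti portal
}

INVENTORY = [  # constructed
    {"host": "vpn-eu-1",   "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-us-1",   "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "vpn-legacy", "product": "Ivanti Connect Secure", "version": "9.1R18.9"},
    {"host": "nac-1",      "product": "Ivanti Policy Secure",  "version": "22.7R1.1"},
]


def parse_version(text: str) -> tuple:
    """'22.7R2.5' -> (22, 7, 2, 5); '22.7R2' -> (22, 7, 2, 0).

    Tuples compare element-wise, which is what we want: 22.7R2.4 < 22.7R2.5
    and 22.7R2 < 22.7R2.1. A build on another branch (9.x) compares lower
    than any 22.x build and is flagged too; a real inventory should carry a
    fixed build per supported branch."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti build string: {text!r}")
    major, minor, release, rest = m.groups()
    patch = tuple(int(p) for p in rest.split(".") if p) or (0,)
    return (int(major), int(minor), int(release)) + patch


def needs_patch(product: str, version: str):
    """True/False against the recorded fixed build; None if none is recorded."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """host -> 'patch' | 'ok' | 'unknown'."""
    status = {}
    for asset in inventory:
        verdict = needs_patch(asset["product"], asset["version"])
        status[asset["host"]] = ("unknown" if verdict is None
                                 else "patch" if verdict else "ok")
    return status


if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host:12} {state}")
```

An "ok" here only means the build is at or above the fixed version; it says nothing about whether the appliance was exploited before the update, which is what the ICT and a review of logs and external access are for.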

Source: Ivanti

CISA KEV updates

CISA added four new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:

[KEV additions table: image not reproduced]


Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based filter is a practical way to prioritize remediation: it lists only vulnerabilities with evidence of active exploitation, each with a remediation due date, so it turns a long scanner report into a short, ordered queue. CISA publishes guidance on how to build a program around the catalog; see the source link below.
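An added example of that prioritization, not CISA's tooling: it orders an inventory's open CVEs by KEV status and due date. It runs offline. KEV_SAMPLE is a constructed excerpt in the shape of CISA's JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate and knownRansomwareCampaignUse are the feed's own field names); the CVE-2025-0282 record mirrors the catalog entry for the Ivanti bug covered above, with dates that should be verified against the live feed, and the second record is a placeholder. INVENTORY is constructed, with each asset listing the CVEs a scanner reports for it.

```python
"""
Added example (not CISA's tooling): prioritise an inventory against KEV.
KEV_SAMPLE and INVENTORY are constructed; fetch_kev() shows the live call.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

KEV_SAMPLE = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {   # mirrors the catalog record for the Ivanti bug above; verify dates
            "cveID": "CVE-2025-0282",
            "vendorProject": "Ivanti",
            "product": "Connect Secure, Policy Secure, and ZTA Gateways",
            "vulnerabilityName": "Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability",
            "dateAdded": "2025-01-08",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-01-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder record, not a real KEV entry
            "cveID": "CVE-0000-00001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "ExampleProduct Placeholder Vulnerability",
            "dateAdded": "2025-01-20",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-02-10",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
}

INVENTORY = [  # constructed: asset -> CVEs a scanner reports for it
    {"host": "vpn-eu-1", "cves": ["CVE-2025-0282", "CVE-2025-0283"]},
    {"host": "app-1", "cves": ["CVE-0000-00001"]},
    {"host": "db-1", "cves": []},
]


def fetch_kev(url: str = KEV_URL) -> dict:
    """Download the live catalog (not called here so the example stays offline)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def index_kev(doc: dict) -> dict:
    """cveID -> catalog record."""
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def prioritise(inventory, kev: dict, today: date):
    """One row per (asset, CVE) present in KEV, most urgent first: overdue
    items, then nearest due date, with known ransomware use breaking ties.
    CVEs not in KEV come back separately; they still need fixing, KEV only
    orders the queue."""
    rows, not_in_kev = [], []
    for asset in inventory:
        for cve in asset["cves"]:
            rec = kev.get(cve)
            if rec is None:
                not_in_kev.append((asset["host"], cve))
                continue
            rows.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{rec["vendorProject"]} {rec["product"]}',
                "due": rec["dueDate"],
                "overdue": date.fromisoformat(rec["dueDate"]) < today,
                "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
                "action": rec["requiredAction"],
            })
    rows.sort(key=lambda r: (not r["overdue"], r["due"], not r["ransomware"]))
    return rows, not_in_kev


if __name__ == "__main__":
    queue, rest = prioritise(INVENTORY, index_kev(KEV_SAMPLE), date.today())
    for r in queue:
        flag = "OVERDUE" if r["overdue"] else "due " + r["due"]
        print(f'{r["host"]:10} {r["cve"]:15} {flag:16} ransomware={r["ransomware"]}')
    for host, cve in rest:
        print(f"{host:10} {cve:15} not in KEV (fix on normal cadence)")
```

Swap KEV_SAMPLE for fetch_kev() and INVENTORY for your scanner's export and the output is a remediation queue ordered the way CISA's guidance intends: exploited and past due first, then by deadline, with ransomware-linked entries pulled forward.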

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact