Weekly Threat Briefing: Jan 6, 2025 - Jan 10, 2025
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
New Banshee Stealer Version
Bottom Line: Security researchers have identified a new version of the macOS information stealer malware Banshee Stealer. macOS devices have the reputation of being secure, but as the market share of macOS devices has increased, so has the number of malware families that target the system.
Researchers from Check Point have identified a new version of Banshee Stealer, a known macOS-specific malware. Banshee Stealer was first identified in mid-2024, when it was offered for sale via the Malware-as-a-Service (MaaS) model. Threat actors could purchase access to Banshee Stealer for $3,000. The MaaS offering was shut down in November 2024, following the leak of the malware’s source code. Despite Banshee Stealer no longer being for sale, it is still being used in real-world attacks.
The new version of Banshee Stealer was created in September of 2024, and went fully undetected until November. There are two notable updates. The first is the adoption of “a string encryption algorithm from Apple’s own XProtect antivirus engine”. String encryption replaced the plaintext strings of the previous version, and this change is credited with the malware going undetected for roughly two months. Detections of the new version of Banshee Stealer only emerged following the source code leak for the previous version. The second notable update is the removal of the Russian language check. Previously this check would have prevented the malware from executing on devices with Russian language settings; with this check removed, threat actors are able to target Russian device users.
In recently observed campaigns, Banshee Stealer has been distributed through both malicious GitHub repos and the impersonation of downloads for popular software including Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. In at least one recent campaign, users attempting to download Telegram from non-reputable sources received malware instead; macOS users were delivered Banshee Stealer, while Windows users received Lumma Stealer.
In response to the release of this information, the eSentire Threat Response Unit is performing indicator-based threat hunts and has added known malicious IP addresses to the eSentire Global Block List.
CVE-2025-0282: Ivanti Connect Secure Zero-Day Exploited
Bottom Line: The exploitation of CVE-2025-0282 and the subsequent post-exploitation activities highlight the advanced capabilities of the threat actors involved in the attack. The involvement of a China-nexus threat group underscores the severity of the threat. Organizations are strongly encouraged to apply the recommended actions shared by Ivanti.
On January 8th, Ivanti disclosed a zero-day critical vulnerability affecting Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 (CVSS: 9.0) is a stack-based buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code. As per the advisory, CVE-2025-0282 has been exploited in the wild, affecting a limited number of Connect Secure devices. Ivanti Policy Secure and Neurons for ZTA were not known to have been exploited in the wild at the time of disclosure.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog. In a separate report published by Google, the organization identified the zero-day exploitation of CVE-2025-0282 occurring in the wild since mid-December 2024. This exploitation has led to the deployment of malware, system compromise, and potential intrusions into networks.
The primary threat group responsible for these attacks is believed to be UNC5337, a China-nexus threat group. Mandiant suspects that UNC5337 is part of a larger group, UNC5221, which had previously exploited Ivanti Connect Secure zero-days.
The attackers have deployed multiple malware families in their campaigns, including the SPAWN ecosystem, which consists of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. Additionally, DRYHOOK and PHASEJAM have been identified as newer malware families used in these attacks. The attackers performed reconnaissance by detecting the version of the vulnerable VPN appliance using the Host Checker Launcher and by sending a series of sequential requests.
The exploitation process involved disabling SELinux and syslog forwarding, allowing attackers to deploy web shells and malicious binaries on the compromised systems. In some cases, the attackers also removed logs to cause difficulty in forensic investigations.
Following successful exploitation, the attackers deployed PHASEJAM malware, which modified critical ICS components to block upgrades and insert backdoors into the system. The SPAWNANT malware utilized its supporting components from the SPAWN family to ensure persistence across software upgrades, allowing the attackers to maintain their foothold on the compromised systems.
Attackers also carried out lateral movement within networks, using LDAP queries and gathering information about Active Directory (AD) to expand their access. Data exfiltration activities were observed, with attackers stealing cached database credentials, API keys, and session data, which could be used for further attacks or data breaches. The DRYHOOK malware has been used by the attackers in the post-exploitation phase of the attack to steal credentials.
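Two of the behaviours described above leave defender-visible traces in forwarded appliance logs: a silent gap when syslog forwarding is disabled, and a burst of LDAP searches during AD enumeration. The following is an added example (not eSentire’s, Ivanti’s, or Mandiant’s code) that flags both over a constructed syslog stream; the host name vpn-gw01, the line format and the thresholds are assumptions for illustration, not a real Ivanti log format.

```python
from datetime import datetime, timedelta

# Constructed sample stream (not real appliance logs): hypothetical VPN gateway
# "vpn-gw01" normally forwards an event every few minutes, then goes silent.
SAMPLE_LOGS = """\
2025-01-08T10:00:05Z vpn-gw01 system: user alice logged in
2025-01-08T10:04:10Z vpn-gw01 system: user bob logged in
2025-01-08T10:06:00Z vpn-gw01 ldap: search base=DC=corp,DC=example
2025-01-08T10:06:02Z vpn-gw01 ldap: search base=OU=Admins,DC=corp,DC=example
2025-01-08T10:06:03Z vpn-gw01 ldap: search base=OU=Servers,DC=corp,DC=example
2025-01-08T10:06:05Z vpn-gw01 ldap: search base=CN=Users,DC=corp,DC=example
2025-01-08T10:06:07Z vpn-gw01 ldap: search base=OU=Groups,DC=corp,DC=example
2025-01-08T10:06:09Z vpn-gw01 ldap: search base=OU=Groups,DC=corp,DC=example
2025-01-08T10:07:00Z vpn-gw01 system: config change by admin
2025-01-08T12:41:00Z vpn-gw01 system: user carol logged in
""".splitlines()

def parse(line):
    """Split 'timestamp host tag: message' into (datetime, host, tag, message)."""
    ts, host, tag, msg = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, tag.rstrip(":"), msg

def find_forwarding_gaps(lines, max_silence=timedelta(minutes=30)):
    """Return (host, gap_start, gap_end) for each silence longer than max_silence.
    From the collector's side, an attacker disabling syslog forwarding looks the
    same as an outage, so the gap itself is the trigger for a manual check."""
    last_seen, gaps = {}, []
    for line in lines:
        ts, host, _, _ = parse(line)
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_silence:
            gaps.append((host, prev, ts))
        last_seen[host] = ts
    return gaps

def find_ldap_bursts(lines, window=timedelta(minutes=1), threshold=5):
    """Return hosts issuing more than `threshold` LDAP searches inside `window`,
    the kind of AD enumeration seen in the post-exploitation phase."""
    per_host, hits = {}, set()
    for line in lines:
        ts, host, tag, _ = parse(line)
        if tag != "ldap":
            continue
        recent = [t for t in per_host.get(host, []) if ts - t <= window] + [ts]
        per_host[host] = recent
        if len(recent) > threshold:
            hits.add(host)
    return sorted(hits)
```

Tune max_silence to the appliance's real heartbeat interval; a threshold much larger than the normal inter-event spacing is what makes the gap a meaningful signal rather than noise.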
In response to confirmation of real-world exploitation of CVE-2025-0282, eSentire released an advisory on the topic on January 9th, 2025. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. eSentire’s Tactical Threat Response (TTR) team is crafting new detections to identify exploitation attempts. Additionally, the eSentire Threat Response Unit is actively tracking this topic for additional details and detection opportunities.
Gravy Analytics Breach
Bottom Line: If confirmed as accurate, this breach would be the largest compromise of location-related data from a cyberattack to date. There is the potential that this data may be de-anonymized by combining it with Open-Source Intelligence (OSINT) and past breaches.
On January 4th, via dark web forums, threat actors claimed to have breached the U.S.-based company Gravy Analytics and stolen large amounts of data. Gravy Analytics is a location data broker known for purchasing location data from a variety of companies and selling smartphone location information through its subsidiary Venntel. The company boasts of high-profile customers including the Department of Homeland Security (DHS), the FBI, and the IRS.
Details relating to this incident are currently minimal, as Gravy Analytics has not released any statements; the company’s website remains unreachable at the time of writing. According to the threat actor post, the group was able to gain root access to company servers, take control of domains, and exfiltrate data from Amazon S3 storage buckets.
The threat actors claim to have stolen 17TB of data including customer lists, internal intelligence, GPS coordinates/timestamps, movement classifications, and information on government contractors. Samples of stolen data have been released in an attempt to prove the validity of breach claims.
The threat actors had given Gravy Analytics one day to respond to an extortion demand before the data would either be leaked publicly or sold online. While this deadline has now passed, it remains unclear whether Gravy Analytics has engaged with the threat actors, or whether the stolen data is for sale.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.