Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government, healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure to address security priorities and the highest-volume threats, while keeping your finger on the pulse. Let’s dig into how you can balance your priorities Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans often look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend ZacharyAbrams, our Senior Cyber Resilience Advisor are: Network Threat Detection Introduction to Digital Forensics Incident Response and Digital Forensics You can also create your own Career Paths! Buzz your team’s interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats. Latest CVEs and threats This collection should be a holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, ensuring you can keep yourself and your organisation safe. Incorporate trending and priority threats like #StopRansomware with the below collections: Ransomware In this collection, you’ll learn about the different strains of ransomware and how they operate. Malicious Document Analysis Phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware. Balance out the flurry of CVEs and news trends with timely and relevant industry content: Financial services customers often prioritise Risk, Compliance, and Data Privacy Collections, or our entire Management, Risk, and Compliance path. We also have a great “Immersive Bank” Mini-Series for a simulated red team engagement against a fictitious financial enterprise. The series walks through the various stages of a simulated targeted attack, starting with information gathering and gaining access, before moving to pivoting and account abuse. Automotive customers might be interested in our CANBus collection to learn more about the CANBus technology in modern cars, and the security threats it faces. We’ve also seen interest in our IoT and Embedded Devices collection and OT/ICS For Incident Responders path! Telecommunications customers may be particularly interested in a more timely lab, such as threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Due to the group's focus on ISPs, telecom, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard. Other threats may be of higher priority for your sector – reach out to your CSM or Ask a Question in the community to learn suggestions from your peers! Buzz about the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-Backed Cyber Activity. The following content on common attack vectors from these groups is valuable to organisations today: IRGC and relevant malware labs: APT35 Peach Sandstorm Tickler Malware Citrix Netscaler CVEs: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive F5 BIG-IP CVEs: CVE-2022-1388 (F5 BIG-IP) – Defensive CVE-2022-1388 (F5 BIG-IP) – Offensive What would this all look like as part of my program? I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team’s workloads. Annual: Role-based career paths with a longer duration (doesn’t have to be annual – you can set more frequent targets if that’s better for your team) for completion to meet individual growth and organisation training goals. Quarterly to bi-monthly: ‘Timely training’ with IL Collections or Custom Collections. This might include a mix of “Balance” around industry-relevant content, upskilling to bridge skills gaps, or “Buzzy” content addressing incident retrospective findings that require skills triage, or an industry trend like the rise in Ransomware or Threat Actor risks for your sector, as you reprioritize your internal threat landscape through the year. AdHoc: ‘Threat Sprint’ assignments with new CVE and threat actor labs as a small custom collection with 7-10 day turnarounds per 2-3 hours of content to address quick priority topics. Make sure to get feedback from your teams on capacity. But, don’t bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for. Share your thoughts Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!New CTI Labs: Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis & Threat Actors: Salt Typhoon
Salt Typhoon has been a threat actor that has caused a lot of worry for defensive teams all over the world. They are a threat actor group which has been predominately targeting Telecommunication companies. They have been in the media a lot over the past few months for their hacks on telecommunication companies in the US.Immersive were finally able to get access to some of the malware samples, as more get released we shall cover more of the campaigns. Threat Actors: Salt Typhoon This lab takes the user through who Salt Typhoon are, what their techniques, tactics, and procedures are, and who they target. Discussing their previous campaigns in depth and why they are so feared as a group. Salt Typhoon: SNAPPYBEE Campaign Analysis Many of our customers want to learn how salt typhoons operate. This lab shows people how to start hunting for them inside a network, taking our users through the different stages, techniques, and tactics they use and how to identify them for detection. Why should our customers care? Salt Typhoon are a big threat to telecommunication companies around the world. Their main focus is to be in a network and perform cyber espionage without being detected. They largely operate inside networks without being detected for a long time, sometimes even months to a year. Our customers need to proactively understand what this threat is and how to start monitoring for them in their network. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the threat actor lab: https://immersivelabs.online/labs/threat-actors-salt-typhoon Here is the link to the campaign analysis lab: https://immersivelabs.online/v2/labs/salt-typhoon-campaign-analysisNew CTI Labs: Palo Alto Expedition Critical Vulnerabilities
CVE-2024-5910 (Palo Alto Expedition) - Defensive Identify signs of exploitation in event logs and extract indicators of compromise CVE-2024-5910 (Palo Alto Expedition) - Offensive Use publicly available Proof of Concept code to exploit the vulnerabilities gaining access to sensitive data What is Expedition and Why should you care? The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from other Checkpoint, Cisco, or supported vendors. This application can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts significantly impacting the security of an organisations network. These labs provide steps to identify any potential signs of exploitation and detail how the exploit functions. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Red Teams Pen testers Offensive Security professionals Complete CVE-2024-5910 (Palo Alto Expedition) - Defensive here Complete CVE-2024-5910 (Palo Alto Expedition) - Offensive herePatch Tuesday October 2024
CVE-2024-43572 - 7.8 - Microsoft Management Console Remote Code Execution Vulnerability Top of the list for patching should be a vulnerability in the Microsoft Management Console. While the CVSS score is not the highest in the patch notes, it is being actively exploited in the wild by threat actors and warrants immediate attention. While the notes say “Remote code execution” this vulnerability requires user interaction and some degree of social engineering. To exploit this vulnerability an attacker must craft a malicious .msc file that, if opened, will run arbitrary code or commands that allow a threat actor to compromise the host. This file would typically be sent via email as an attachment or as a link to a download. After patching, security teams and threat hunters should proactively check historical logs for indicators of these files being sent and received. Organizations not able to deploy patches quickly across their organization should add additional monitoring and blocking rules targeting these file extensions. The fix deployed by Microsoft prevents untrusted msc files from being executed. CVE-2024-43609 - 6.5 - Microsoft Office Spoofing Vulnerability While not actively exploited in the wild, CVE-2024-43609 should be one to pay closer attention to as Micorosft has listed this one as “Exploitation More Likely”. This vulnerability affects Microsoft office and allows an attacker to gain access to the NTLM credentials of any user interacting with the documents. If an attacker is able to read the NTLM hash, they can use this in a common attack known as “Pass the Hash,” where the attacker could authenticate as the user without knowing their password, which is where the “spoofing” part of the vulnerability description comes from. This type of attack is frequently exploited by threat actors in the wild, leading to remote exploitation. Organizations should follow Microsoft Guidance on blocking outbound SMB ports and configuring Network security policies related to NTLM traffic. CVE-2024-43573 - 6.5 - Windows MSHTML Platform Spoofing Vulnerability This vulnerability has been discovered within the MSHTML platform used by certain Microsoft applications, including Internet Explorer mode in Microsoft Edge. The vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate due to the way the platform handles certain web elements. Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services. Importantly, this attack requires no special permissions or knowledge of the user’s system, making it relatively easy for cybercriminals to execute. Rated at 6.5 out of 10 in severity, the vulnerability has already been exploited by attackers, making it a serious concern for large organisations that still rely on legacy web applications within their environment. For example, many larger and more mature organizations may still use Internet Explorer due to the need for compatibility with certain internal applications. Despite Internet Explorer being retired on many platforms, its underlying MSHTML technology remains active and vulnerable. This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online. To address this issue, Microsoft includes fixes for the MSHTML platform in its Internet Explorer Cumulative Updates. It’s crucial for businesses, especially those with legacy systems, to ensure they apply these updates regularly to remain protected from potential attacks. CVE-2024-43582 - 8.1 - Remote Desktop Protocol Server Remote Code Execution Vulnerability This use-after-free vulnerability in the Remote Desktop Protocol (RDP) service affecting Windows Server and Client from versions 2019 and 10 (1809) onwards which can lead to Remote Code execution, has been patched by Microsoft. Little information is known about the vulnerability, except that it can be exploited by an unauthenticated attacker sending a malformed packet to a RPC host. This could lead to execution with the same permissions as the RPC service. It is assessed that if this description refers to the RPCSS service that whilst the service runs with the permissions of NETWORK SERVICE, privilege to SYSTEM after the fact would be trivial due to permissions afforded to that account and the use of ‘potato’ exploits. It should be assumed that any successful exploitation of this vulnerability will lead to complete compromise of the targeted system and in environments where RDP is heavily used to system management, or where Remote Desktop Gateway (RDG) is used (RDG does allow RPC interaction via HTTP/S) to give users access to secure environments, patching should be considered a priority. Vulnerabilities in RDP are quite rare in nature and Microsoft believes that exploitation is difficult and less likely, but now that details of an issue have been released and experts begin the process of reversing the newly released patches, however it may only be a matter of time before in the wild exploitation is seen. An exploit of this nature will be highly prized by Ransomware Groups, because it allows an attacker total compromise of a system without knowledge of any credentials and, could help them reach high value targets, such as Domain Controllers. It can be used to launch the destructive phase of an attack across the entire domain. CVE-2024-43583 - 6.8 - Winlogon Elevation of Privilege Vulnerability This vulnerability has been identified in the Winlogon process. Winlogon is responsible for handling secure user logins in Windows. This vulnerability, rated 6.8 out of 10 in severity, allows an attacker with local access to a machine to elevate their privileges to SYSTEM level, which is the highest level of access in Windows. This could enable the attacker to take full control of the affected system, manipulate settings, access sensitive data, or install malicious software. Although it is quite uncertain due to the lack of information provided by Microsoft, the local nature of this vulnerability means that the attacker needs physical access to the machine or to be already logged in, making it similar to kiosk breakout scenarios where restricted environments can be bypassed. This makes it a concern for public kiosks, shared computers, or any device that restricts user access but could still be exploited by someone with local access. To protect against this vulnerability, it’s important to ensure that a Microsoft first-party Input Method Editor (IME) is enabled on your device. IMEs are used to input complex characters during the sign-in process, and third-party IMEs could be vulnerable to attack. This is particularly relevant when installing language packs for your keyboard, as some third-party IMEs can be exploited during login. By using a Microsoft IME, one can minimize the risk of this vulnerability being exploited during the sign-in process.Understanding CTI and What it Means at Immersive Labs
The essence of cyber threat intelligence CTI involves understanding the who, what, why, and how of cyber threats. It's about transforming data into actionable intelligence, helping organizations anticipate threats, prepare defenses, and respond effectively. Imagine knowing not just that there’s a storm coming but precisely where it’ll hit, how strong it’ll be, and what precautions you need to take – that’s the power of CTI in cybersecurity. How cyber threat intelligence works Generating CTI is a complex process that begins with gathering data from various sources. These include network logs, threat feeds, social media, dark web forums, and cybersecurity agency reports. This raw data is then processed and analyzed for patterns, trends, and indicators of compromise (IoCs) like malicious IP addresses or hash files. Advanced techniques, including machine learning and behavioral analysis, help sift through the noise, turning raw data into meaningful insights. Turning intelligence into action CTI excels by providing context to security alerts, allowing teams to prioritize their responses based on a comprehensive understanding of the threat landscape. For instance, if CTI identifies a malware strain targeting financial institutions, a bank can proactively strengthen its defenses. This enhances protection and improves incident response efficiency, making containment and remediation faster and more effective. So, what is CTI at Immersive Labs? The Immersive Labs CTI team constantly monitors threats that target our customers’ industries. This includes common vulnerabilities and exposures (CVEs), malware campaigns, and new techniques that are likely to affect our customers’ cybersecurity landscape. Once we’ve identified a threat that our customers should protect themselves against, we respond rapidly to create a lab so our customers can stay ahead of the cyber threat landscape. Our labs provide all the information needed to understand and defend against threats, along with practical knowledge for using or analyzing them. It’s a very exciting part of the platform. Up to the release of this blog post, the team has released over 50 CTI labs on threats this year! What more can you expect from us? We know our customers love our CTI labs. Within this community, you can expect: Microsoft Patch Tuesday briefings: Patch News Day – We’ll release a brief about the Microsoft Patch Tuesday vulnerabilities each month. These briefings will help you to understand what new vulnerabilities mean and how they could impact you. New CTI lab releases – We release CTI labs at cyber speed, and you won’t miss a thing. We’ll announce new CTI labs within this community and give quick links to our platform so you can stay as up-to-date as possible! Cyber threat research and intelligence – We complete our own research and often find vulnerabilities in products. We reverse-engineer new malware and analyze new threats seldom discussed elsewhere in the industry. When we do this, we’ll release research articles here so you can go through the journey too. CTI discussions – While we’ll never give answers to labs or guidance on how to complete labs, we welcome vibrant and collaborative discussions about threats in our community forums. We’d love to hear your thoughts and interact with you! Don’t miss a beat Be sure to “follow” The Human Connection blog to receive notifications about new announcements and articles. Share your thoughts Comment below an introduction of yourself and a bit about a threat that you’ve recently analyzed or read about! As more of you introduce yourselves, it’ll be great to see how quickly threats are forgotten and as an industry we move on to the next! We spend a lot of time disseminating threat data to create threat labs for our customers. That means looking across threat actors and the industries they attack. What places have you found are best to collect threat data? Also, have you completed any of our recent threat labs? If so, which one? Was it a malware or CVE lab?CVE-2025-53770 - Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server
Understanding the RCE On July 22, 2025, Immersive’s threat research team was trying to understand how the SharePoint zero-day vulnerability was uncovered, based on Eye Security’s initial article. There were many proofs of concept (PoCs) and initial articles on indicators of attack (IoAs) and their severity. But none covered the exploit itself or could help us understand how the exploit was weaponized in depth. In this blog, I’ll share our research process and how we (eventually!) got to the bottom of this exploit. The challenges of building a CTI lab Our initial thought process for building this Cyber Threat Intelligence (CTI) lab was fairly straightforward. We’d understand the indicators of compromise (IoCs) and the PoCs that were shared in the article, try replicating it with the PoC, and obtain some logs. However, it was easier said than done. What went wrong? The PoCs just didn't work, and there was no way for us to understand why. This makes sense retrospectively – initial articles only provided surface-level information, rather than details on how the exploit was made. We ended up deploying different variants of SharePoint to see which were vulnerable. Alas, nothing worked (I’ll explain why this happened in more depth later on). Looking at the logs to identify the problem didn’t work either, because who looks at logs, right? Some of the initial PoCs were taken down, and the ones remaining were missing a piece of the puzzle. It was also fairly noticeable that many of the PoCs added to GitHub weren’t true either, and some were ransomware binaries! Dissecting the payload – mistakes and a learning curve Based on the initial brief from the Eye Security article, we figured out that it was a deserialization problem. After many days of unravelling and building multiple SharePoint servers with different versions, the “Hallelujah” moment finally arrived. A new remote code execution (RCE) module for this exploit was committed to Metasploit's GitHub repo. It wasn't the code that mattered much to us, but the comments in it that got us interested: The highlighted comments helped us map out which deserialization gadget chain works against specific SharePoint Server versions. This was important, as the exploit itself abuses insecure deserialization in the ViewState on SharePoint pages like ToolPane.aspx. This is when it hit us: our initial exploit of the RCE using the TypeConfuseDelegate gadget with BinaryFormatter wasn't working because we weren’t targeting the versions that were vulnerable to that gadget chain. To put this to the test, we had the right version built (v16.0.10337.12109) and also decided to further analyze the payload itself from the Metasploit module – I know it's cutting corners, but I was very keen on how it all works together! To achieve this, we downloaded the earliest exploit module commit on its GitHub, added it to our existing Metasploit framework, and intercepted the request using BurpSuite. This gave us the PoC, which we could analyze: Obviously, there was no need to reinvent the wheel since Metasploit already had a functional module, but where’s the fun in that? Dissecting the payload – decoding It’s already noticeable that the payload is URL-encoded. By decoding it, you’ll be able to see the body of the request. It has references to controltemplates/ACLEditor and an Excel DataSet, which is commonly used in .NET deserialization exploits, along with a Base64 encoded and compressed data table: The next step was to extract and Base64 decode the compressed data table: The decoded and decompressed information is the raw XML schema and DiffGram that the DataSetWrapper spits out. The part highlighted in the red box is the embedded first-stage gadget, Base64 encoded as an XSD string. Remember when I mentioned that our PoCs weren't working earlier? It’s because we didn't embed our Base64 encoded payload onto a raw XML schema and DiffGram. If you take the Base64 encoded XSD string and decode it, you’d get the payload. The payload I had on Metasploit was: And by decoding the string obtained from above, we can see it too: Weaponizing our PoC to emulate the IoCs With all the juicy information to hand, it was time to recreate this and see how threat actors in the wild did it. Bear in mind that the IoCs from the research article mentioned they weren’t obtaining any shells from the RCE, but stealthily leaking cryptographic secrets from SharePoint servers, which were chained to craft a fully valid and signed payload using ysoserial. The PoC implemented based on the work from the Metasploit module wraps our initial “inner” ysoserial payload inside an XML and DataSet gadget that SharePoint expects, then serializes, compresses, and Base64 encodes it. The payload that was built closely resembles what’s seen in the wild, which was dropping malicious content to a file named spinstall0.aspx that leaks cryptographic secrets. This Base64 payload was then embedded into an XML and DataSet gadget, using our PoC: All that remained was to send the payload. Here’s what we noticed upon sending the request via Burp: And while looking at the Process Explorer running on our SharePoint test environment: Similar to the IoCs, you’ll note that w3wp.exe spawns cmd.exe, and a PowerShell process is then spawned from the cmd.exe child process. If it’s succeeded, you should be able to navigate to https://X.X.X.X/_layouts/15/spinstall0.aspx to view and read the SharePoint’s MachineKey config file, including the ValidationKey: Finally, from our ELK logs: As you’ll notice, the log shows that the exploit’s PowerShell payload used set-content to write an ASPX backdoor into SharePoint’s _layouts directory (spinstall0.aspx). In summary Looking back at this exploit, it’s interesting from an offensive perspective to see how advanced persistent threat actors are finding creative ways to compromise organization infrastructures. In the meantime, I can only send prayers to the SOC analysts and Sysadmins fixing SharePoint, because let’s be honest – SharePoint is a cave nobody comes out alive from! For more information and finer details on how the exploit works, I'll leave this fantastic article here: Viettel Cyber Security: SharePoint ToolShell – One Request PreAuth RCE ChainNew CTI Labs: CVE-2025-53770 (ToolShell SharePoint RCE): Offensive and Defensive
Recently, a critical zero-day vulnerability affecting on-premise SharePoint servers, identified as CVE-2025-53770, was uncovered. This vulnerability allows for authentication bypass, leading to remote code execution, and has been actively exploited in the wild. Eye Security researchers detected an in-the-wild exploit chain on July 18, 2025, during an incident response engagement. This discovery led to Microsoft assigning two CVEs: CVE-2025-53770 and CVE-2025-53771. The attack notably leveraged a combination of vulnerabilities to achieve its objectives, impacting numerous SharePoint servers globally. There is now a public exploit available for anyone wanting to achieve remote code execution. Why should our customers care? This critical vulnerability has been added to the CISA Kev Catalog. and with no authentication or user interaction, a vulnerable SharePoint server can be fully taken over remotely, letting attackers run arbitrary code as if they were privileged admins. SharePoint is a complex and large system that often holds a lot of sensitive data for organizations and is often a targeted system for attackers. Who is the defensive lab for? System Administrators SOC Analysts Incident Responders Threat Hunters Who is the offensive lab for? Red teamers Penetration Testers Threat Hunters Here are the links to the labs: Offensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-offensive Defensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-defensive
Labs Live
This event has now ended. You can watch the recording here. Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience.Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!
