cyber threat intelligence
66 Topics

Operational CTI: Creating a Proof of Concept
Creating proof of concepts (PoCs) isn’t always straightforward — it requires a deep understanding of both the target system and the underlying vulnerability. In this session, we’ll walk through how Immersive's Cyber Threat Intelligence (CTI) team moves from identifying a vulnerability to developing a working PoC used in offensive lab environments. Join us to explore the tools, thought process, and technical steps that turn raw intelligence into actionable outcomes for detection, validation, and defence. This is a live session and there will be opportunities to ask questions of Immersive CTI experts.

Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here.

---

📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here are a few tips to help you get the most from your experience:

🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience.
🔗 To join today's session, visit the event page or simply use the Zoom link.
❓ You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here.

Event Description

Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team, will reveal what it takes to make a lab, some of their favourites from 2024, and what is to come from the CTI team.

Agenda

What are CTI labs and how do we select labs to build?
Build Stage 1 - Research
Build Stage 2 - "Labified"
Build Stage 3 - Content
Build Stage 4 - QA
Some of our favourite labs
Examples of speedy launches of labs
C2 research
What next for our Threat Research and CTI Labs

You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.

Operational CTI: Lessons from the Attacks That Didn’t Target You
Watch the recording from this event here ⬇️

Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats.

Key Takeaways

Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes.
Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they are exploited.
Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats.
Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets.
Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.

Labs Live
This event has now ended. You can watch the recording here.

Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience. Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen, Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!

New CTI Lab: CVE-2025-32463 (Sudo Chroot Elevation of Privilege): Offensive
On June 30, 2025, the Stratascale Cyber Research Unit (CRU) team identified a critical local privilege escalation vulnerability in sudo, tracked as CVE-2025-32463. This vulnerability, related to sudo's chroot option, can allow an attacker to escalate privileges to root on an affected system.

Why should our customers care?

This critical vulnerability is reasonably trivial to exploit, and should an attacker gain user-level access to a vulnerable machine, they'll be able to elevate their privileges and have full control over the machine. It has come to our attention that not many people are aware that sudo has versioning. It is a binary that is constantly iterated upon, which naturally may introduce new vulnerabilities. If administrators and security analysts are not aware of how these vulnerabilities work, this can lead to significant risks and impacts.

Who is it for?

Red Teamers
Penetration Testers
System Administrators

Here is a link to the lab: https://iml.immersivelabs.online/labs/cve-2025-32463-sudo-chroot-elevation-of-privilege-offensive

Decoding the May Retail Cyber Onslaught
Join us for a pre-recorded fireside chat between Immersive's VP Cyber, MaxVetter, and Director of Cyber Threat Research, KevBreen, as we delve into the recent sophisticated cyberattacks that shook major UK brands like Marks & Spencer, Co-Op, and Harrods, while events are still unfolding. This session will expose the inner workings of ransomware cartels like DragonForce, which operates a "Ransomware-as-a-Service" model, and their affiliates, such as the English-speaking Scattered Spider group, notorious for their highly effective social engineering tactics. We explore how these criminals exploit human vulnerabilities to bypass robust security, gain network access, exfiltrate data, and deploy ransomware, leading to significant financial losses and reputational damage. Discover the evolving threat landscape, the impact on businesses, and crucial lessons for building robust technical defenses coupled with continuous employee training and incident response plans.

While this is a pre-recorded event from our Bristol community meetup, events and impacts are still unfolding, so post your question for MaxVetter and KevBreen to answer in the comments of this event! ⬇️

New CTI/OT Lab: Norwegian Dam Compromise: Campaign Analysis
We have received reports of a cyber incident that occurred at the Lake Risevatnet Dam, near Svelgen, Norway, in April 2025. A threat actor gained unauthorized access to a web-accessible Human-Machine Interface (HMI) and fully opened a water valve at the facility. This resulted in an excess discharge of 497 liters per second above the mandated minimum water flow, which persisted for four hours before detection.

This attack highlights a dangerous reality: critical OT systems are increasingly exposed to the internet, making them accessible to threat actors. In this case, control over a dam’s valve system was obtained via an insecure web interface, a scenario that could have had even more severe consequences. A recent report by Censys identified over 400 exposed web-based interfaces across U.S. water utilities alone. This dam incident in Norway exemplifies the tangible risks posed by such exposures.

In this lab, you will be taken through the attack from an offensive viewpoint, including cracking an HMI and fully opening two valves.

Why should our customers care?

OT environments, including dams, energy grids, and oil pipelines, are foundational to national security and daily life. These systems cannot be secured using traditional IT playbooks. As OT becomes more connected, tailored security strategies are critical to prevent unauthorized access and catastrophic failures.

Who is it for?

Incident Responders
SOC Analysts
Threat Hunters
Red Teamers
Penetration Testers
OT Engineers

Here is the link to the lab: https://immersivelabs.online/v2/labs/norwegian-dam-compromise-campaign-analysis

New CTI Lab: CVE-2025-33073 (SMB Elevation of Privilege): Defensive
Another vulnerability was patched in Microsoft's June 2025 Patch Tuesday release! An important elevation of privilege vulnerability was listed, and if exploited successfully, attackers can achieve elevation of privilege on the compromised machine. Even though it's not recorded to have been exploited in the wild as yet, the fact that research exists with details on how the vulnerability was found improves the chances an attacker will attempt to exploit this flaw against a victim. In these labs, you will be taken through the vulnerability from both an offensive and defensive perspective.

Why should our customers care?

This is a new vulnerability that has just been patched, and in-depth research about it has been released. Successful exploitation of this vulnerability allows attackers to elevate their privileges and achieve command execution on a victim machine. Learn what sort of indicators this exploit leaves, but also learn how to execute and take advantage of this vulnerability!

Who is it for?

Incident Responders
SOC Analysts
Threat Hunters
Red Teamers
Penetration Testers

Here is the link to the labs:
Defensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-defensive
Offensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-offensive

Container 7 Release

We have released a threat detection for this particular vulnerability, helping the community to protect against any potential use of this vulnerability. https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33073-smb-exploit.yml

New CTI Lab: Stealth Falcon (CVE-2025-33053) – WebDAV Server Remote Code Execution
Yesterday, in Microsoft's Patch Tuesday, a zero-day vulnerability was patched that has been exploited in the wild! This zero-day was used by the cyber-espionage group Stealth Falcon and was reported on by Check Point. After a successful phishing attempt, the user executes a .url file that exploits the vulnerability to communicate with an attacker-owned WebDAV server, which holds a particular binary. The vulnerability is present because Windows looks for the binary via the WebDAV link before searching for the legitimate one on the local machine. Therefore, the attackers can achieve remote code execution. We are releasing a lab on hunting for the execution of this vulnerability to help teams create effective threat detections.

Why should our customers care?

This is a new vulnerability that has just been patched and has already been successfully used as part of threat groups' attack chains. Therefore, it is recommended to see what sort of indicators of compromise this type of vulnerability leaves once exploited.

Who is it for?

Incident Responders
SOC Analysts
CTI Analysts
Threat Hunters

Here is the link to the lab: https://immersivelabs.online/labs/stealth-falcon-cve-2025-33053-webdav-server-exploitation

As part of the Container 7 team, we have also released threat detections that cover both binaries that were used in the campaigns that exploited CVE-2025-33053. You can find these here:
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-iediagcmd-exploit.yml
https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-CustomShellHost-exploit.yml

Urgent Security Alert: Critical Flaw in CrushFTP Puts Your Data at Risk (CVE-2025-31161)
What is CVE-2025-31161?

CrushFTP is widely used by businesses to transfer files securely. CVE-2025-31161 is a critical flaw that impacts CrushFTP versions 10 (up to 10.8.3) and 11 (up to 11.3.0). The flaw is a type of authentication bypass, meaning attackers can skip the login process altogether. It’s easy for attackers to exploit remotely, requires no special access or user interaction, and can lead to the complete loss of data privacy, integrity, and system availability. It has a severity rating of 9.8 (“Critical”) in the Common Vulnerability Scoring System (CVSS). Initial confusion caused this vulnerability to be briefly identified as CVE-2025-2825, but the official and correct designation is CVE-2025-31161.

How does this attack work?

The problem lies in how CrushFTP handles certain security checks for incoming web requests. Essentially, there’s a small window during the login process where an attacker can trick the system. Here’s a quick explanation of how it works.

A flaw in the security check
CrushFTP has a specific part of its code that checks for secure login information. However, there’s a subtle error where an internal setting is accidentally set to “true” by default.

Bypassing the password
If the username in the attacker’s fake login information doesn’t contain a specific character (the tilde ‘~’), this “true” setting tells the system to skip the password check entirely. This means an attacker can log in as a legitimate user without knowing their password.

Crafting a malicious request
Attackers send a custom web request to the CrushFTP server, which includes fake security information and a specific cookie. By combining these elements, the attacker can trigger the vulnerability and gain unauthorized administrative access.

Is your software vulnerable?

Your CrushFTP version    Is it vulnerable?      Action required
10.0.0 through 10.8.3    YES                    Update immediately
11.0.0 through 11.3.0    YES                    Update immediately
10.8.4 or higher         NO (it’s patched!)     Verify your version
11.3.1 or higher         NO (it’s patched!)     Verify your version

Evidence of active exploitation

Active exploitation was reported shortly after the patches were released, with security firms observing widespread attacks as early as March 30-31, 2025. Initially, over 1,500 vulnerable CrushFTP instances were exposed online, with significant numbers in the United States. In the following weeks, hundreds of organizations remained unpatched.

Upon successful entry, attackers often establish persistent access. This is done by creating new administrator accounts or deploying Remote Monitoring and Management (RMM) tools, such as MeshAgent or MeshCentral, and AnyDesk. Attackers also deploy Telegram bot binaries to steal system information and sensitive data.

The “Kill Security” (or “Kill”) ransomware group has publicly claimed responsibility for some early exploitation efforts, announcing that they’ve obtained “significant volumes of sensitive data” and intend to extort victims. It highlights a trend where Managed File Transfer (MFT) solutions are increasingly targeted by ransomware and data extortion groups for their high-value data.

The impact of a successful attack

A successful exploit grants attackers unauthenticated administrative access, which has severe consequences:

Full system compromise: Attackers can gain complete control over the CrushFTP application and the server it runs on.
Data exfiltration: They can access and steal any sensitive data stored on the platform or accessible through it.
Data integrity and ransomware: Attackers can modify, delete, or encrypt files, potentially deploying ransomware to disrupt operations and demand payments.
Legal and regulatory implications: Organizations may face significant fines, reputational damage, and legal liabilities if personal data is compromised, with strict notification deadlines (e.g. 72 hours under GDPR).
How to protect your organization

The attack’s multi-layered approach combines technical exploitation with advanced social engineering to bypass security controls and user vigilance. It’s essential to take the following steps to protect your organization.

Apply updates immediately

UPDATE NOW: Immediately update all CrushFTP installations to version 10.8.4 or later, or 11.3.1 or later. Only obtain updates from the official CrushFTP website.
Deploy patches: CrushFTP doesn’t have automatic updates, so enterprises need to apply proactive, centralized patching.
Verify updates: Ensure updates are successfully applied across your environment.

Be proactive with security measures and hardening

Enforce strong passwords: Mandate strong, unique passwords for all CrushFTP accounts, especially administrators.
Monitor logs comprehensively: Actively monitor CrushFTP server logs (especially \logs\session_logs) for suspicious activity, like new accounts, unusual access, or RMM tool deployments.
Layer your security: Employ strong email and web filtering, advanced endpoint detection and response (EDR), and network segmentation.
Restrict network access: Limit CrushFTP access to only trusted clients and IP ranges.

Assess and remediate compromise

Applying the patch alone will not remove any existing access gained by attackers who exploited the vulnerability before the software update. Given active exploitation has been confirmed, you should assume potential prior compromise and take the following steps:

Assess for unauthorized access: If you were running a vulnerable version, conduct a thorough assessment immediately for signs of compromise going back to at least March 30, 2025.
Conduct forensic analysis: Examine server logs for new user accounts, modified user properties, or deployed RMM tools and malware.
Remediate existing compromises: Remove unauthorized accounts, change all legitimate CrushFTP passwords, and remove any deployed malware.
If necessary, restore systems from clean, verified backups.
Address legal obligations: If a data breach is confirmed, promptly fulfill data protection (e.g. GDPR) and industry-specific regulatory obligations, including potential notifications.

This vulnerability highlights the need to continuously monitor systems, stay informed about threats, and adopt a layered security approach to protect critical infrastructure.

Conclusion

The critical CrushFTP vulnerability puts a spotlight on the fast-paced world of cyber threats. In addition to patching and implementing security processes, it’s vital to run organizational exercises. Regularly practicing incident response through drills and simulations helps your team reinforce existing policies and processes. This preparation allows them to respond effectively when similar vulnerabilities emerge, reducing potential harm and protecting sensitive data.

Share your thoughts

Has your business been affected by the CVE-2025-31161 flaw or something similar? How do you stay up to date with the latest cyber threats and keep your team alert to risks? Let us know in the comments below.