New CTI/OT Lab: Norwegian Dam Compromise: Campaign Analysis
We have received reports of a cyber incident that occurred at the Lake Risevatnet Dam, near Svelgen, Norway, in April 2025. A threat actor gained unauthorized access to a web-accessible Human-Machine Interface (HMI) and fully opened a water valve at the facility. This resulted in an excess discharge of 497 liters per second above the mandated minimum water flow. Which persisted for four hours before detection. This attack highlights a dangerous reality: critical OT systems are increasingly exposed to the internet, making them accessible to threat actors. In this case, control over a dam’s valve system was obtained via an insecure web interface, a scenario that could have had even more severe consequences. A recent report by Censys identified over 400 exposed web-based interfaces across U.S. water utilities alone. This dam incident in Norway exemplifies the tangible risks posed by such exposures. In this lab, you will be taken through the attack from an offensive viewpoint, including cracking an HMI and fully opening two valves. Why should our customers care? OT environments, including dams, energy grids, and oil pipelines, are foundational to national security and daily life. These systems cannot be secured using traditional IT playbooks. As OT becomes more connected, tailored security strategies are critical to prevent unauthorized access and catastrophic failures. Who is it for? Incident responders SOC analyst Threat Hunters Red Teamer Penetration Testers OT Engineers Here is the link to the lab: https://immersivelabs.online/v2/labs/norwegian-dam-compromise-campaign-analysisNew CTI Lab: CVE-2025-33073 (SMB Elevation of Privilege): Defensive
Another vulnerability patched was released during Microsoft's June 2025 patch Tuesday review! An important elevation of privilege vulnerability was listed, and if exploited successfully, attackers can achieve elevation of privilege on the compromised machine. Even though it's not recorded to have been exploited in the wild as yet, the fact that research exists with details on how the vulnerability was found improves the chances an attacker will attempt to exploit this flaw against a victim.In these labs, you will be taken through the vulnerability from both an offensive and defensive perspective. Why should our customers care? This is a new vulnerability that has just been patched, and is has in depth research released about it. Successful exploitation of this vulnerability allows attackers to elevate their privileges and achieve command execution on a victim machine. Learn what sort of indicators this exploit leaves, but also learn how to execute and take advantage of this vulnerability! Who is it for? Incident responders SOC analyst Threat Hunters Red Teamer Penetration Testers Here is the link to the labs: Defensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-defensive Offensive: https://immersivelabs.com/v2/labs/cve-2025-33073-smb-elevation-of-privilege-offensive Container 7 Release We have released a threat detection for this particular vulnerability, helping the community to protect against any potential use of this vulnerability. https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33073-smb-exploit.ymlNew CTI Lab: Stealth Falcon (CVE-2025-33053) – WebDAV Server Remote Code Execution
Yesterday, in Microsoft's Patch Tuesday, there was a zero-day vulnerability that was patched and has been exploited in the wild! This zero-day was used by the cyber-espionage group Stealth Falcon and was reported on by Checkpoint. After successful phishing attempts, the user will execute a .url file that exploits a vulnerability to communicate with a WebDAV server owned by attackers, which holds a particular binary. The vulnerability is present because Windows will look for binaries through the WebDAV link before searching for the legitimate one on its own PC. Therefore, the attackers can achieve remote code execution. We are releasing a lab on hunting for the execution of this vulnerability to help teams create effective threat detections. Why should our customers care? This is a new vulnerability that has just been patched and has already been successfully used as part of threat groups' attack chains. Therefore, it is recommended to see what sort of indicators of compromise this type of vulnerability leaves once exploited. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the lab: https://immersivelabs.online/labs/stealth-falcon-cve-2025-33053-webdav-server-exploitation As part of the Container 7 team, we have also released threat detections that cover both binaries that were used in the campaigns that exploited CVE-2025-33053. You can find these here: https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-iediagcmd-exploit.yml https://github.com/Immersive-Labs-Sec/SigmaRules/blob/main/cve-2025-33053-CustomShellHost-exploit.ymlUrgent Security Alert: Critical Flaw in CrushFTP Puts Your Data at Risk (CVE-2025-31161)
What is CVE-2025-31161? CrushFTP is widely used by businesses to transfer files securely. CVE-2025-31161 is a critical flaw that impacts CrushFTP versions 10 (up to 10.8.3) and 11 (up to 11.3.0). The flaw is a type of authentication bypass, meaning attackers can skip the login process altogether. It’s easy for attackers to exploit remotely, requires no special access or user interaction, and can lead to the complete loss of data privacy, integrity, and system availability. It has a severity rating of 9.8 (“Critical”) in the Common Vulnerability Scoring System (CVSS). Initial confusion caused this vulnerability to be briefly identified as CVE-2025-2825, but the official and correct designation is CVE-2025-31161. How does this attack work? The problem lies in how CrushFTP handles certain security checks for incoming web requests. Essentially, there’s a small window during the login process where an attacker can trick the system. Here’s a quick explanation of how it works. A flaw in the security check CrushFTP has a specific part of its code that checks for secure login information. However, there’s a subtle error where an internal setting is accidentally set to “true” by default. Bypassing the password If the username in the attacker’s fake login information doesn’t contain a specific character (the tilde ‘~’), this “true” setting tells the system to skip the password check entirely. This means an attacker can log in as a legitimate user without knowing their password. Crafting a malicious request Attackers send a custom web request to the CrushFTP server, which includes fake security information and a specific cookie. By combining these elements, the attacker can trigger the vulnerability and gain unauthorized administrative access. Is your software vulnerable? Your CrushFTP version Is it vulnerable? Action required 10.0.0 through 10.8.3 YES Update immediately 11.0.0 through 11.3.0 YES Update immediately 10.8.4 or higher NO (it’s patched!) Verify your version 11.3.1 or higher NO (it’s patched!) Verify your version Evidence of active exploitation Active exploitation was reported shortly after the patches were released, with security firms observing widespread attacks as early as March 30-31, 2025. Initially, over 1,500 vulnerable CrushFTP instances were exposed online, with significant numbers in the United States. In the following weeks, hundreds of organizations remained unpatched. Upon successful entry, attackers often establish persistent access. This is done by creating new administrator accounts or deploying Remote Monitoring and Management (RMM) tools, such as MeshAgent or MeshCentral, and AnyDesk. Attackers also deploy Telegram bot binaries to steal system information and sensitive data. The “Kill Security” (or “Kill”) ransomware group has publicly claimed responsibility for some early exploitation efforts, announcing that they’ve obtained “significant volumes of sensitive data” and intend to extort victims. It highlights a trend where Managed File Transfer (MFT) solutions are increasingly targeted by ransomware and data extortion groups for their high-value data. The impact of a successful attack A successful exploit grants attackers unauthenticated administrative access, which has severe consequences: Full system compromise: Attackers can gain complete control over the CrushFTP application and the server it runs on. Data exfiltration: They can access and steal any sensitive data stored on the platform or accessible through it. Data integrity and ransomware: Attackers can modify, delete, or encrypt files, potentially deploying ransomware to disrupt operations and demand payments. Legal and regulatory implications: Organizations may face significant fines, reputational damage, and legal liabilities if personal data is compromised, with strict notification deadlines (e.g. 72 hours under GDPR). How to protect your organization The attack’s multi-layered approach combines technical exploitation with advanced social engineering to bypass security controls and user vigilance. It’s essential to take the following steps to protect your organization. Apply updates immediately UPDATE NOW: Immediately update all CrushFTP installations to version 10.8.4 or later or 11.3.1 or later. Only obtain updates from the official CrushFTP website. Deploy patches: CrushFTP doesn’t have automatic updates, so enterprises need to apply proactive, centralized patching. Verify updates: Ensure updates are successfully applied across your environment. Be proactive with security measures and hardening Enforce strong passwords: Mandate strong, unique passwords for all CrushFTP accounts, especially administrators. Monitor logs comprehensively: Actively monitor CrushFTP server logs (especially \logs\session_logs) for suspicious activity, like new accounts, unusual access, or RMM tool deployments. Layer your security: Employ strong email and web filtering, advanced endpoint detection and response (EDR), and network segmentation. Restrict network access: Limit CrushFTP access to only trusted clients and IP ranges. Assess and remediate compromise Applying the patch alone will not remove any existing access gained by attackers who exploited the vulnerability before the software update. Given active exploitation has been confirmed, you should assume potential prior compromise and take the following steps: Assess for unauthorized access: If you were running a vulnerable version, conduct a thorough assessment immediately for signs of compromise going back to at least March 30, 2025. Conduct forensic analysis: Examine server logs for new user accounts, modified user properties, or deployed RMM tools and malware. Remediate existing compromises: Remove unauthorized accounts, change all legitimate CrushFTP passwords, and remove any deployed malware. If necessary, restore systems from clean, verified backups. Address legal obligations: If a data breach is confirmed, promptly fulfill data protection (e.g. GDPR) and industry-specific regulatory obligations, including potential notifications. This vulnerability highlights the need to continuously monitor systems, stay informed about threats, and adopt a layered security approach to protect critical infrastructure. Conclusion The critical CrushFTP vulnerability puts a spotlight on the fast-paced world of cyber threats. In addition to patching and implementing security processes, it’s vital to run organizational exercises. Regularly practicing incident response through drills and simulations helps your team reinforce existing policies and processes. This preparation allows them to respond effectively when similar vulnerabilities emerge, reducing potential harm and protecting sensitive data. Share your thoughts Has your business been affected by the CVE-2025-31161 flaw or something similar? How do you stay up to date with the latest cyber threats and keep your team alert to risks? Let us know in the comments below.New CTI Labs: BadSuccessor: Offensive and Defensive
Two days ago, Akamai released a technical research blog post detailing a privilege escalation vulnerability in Windows Server 2025. This vulnerability abuses delegated Managed Service Accounts (dMSAs), and with the right base permissions, it could allow a user to gain domain admin permissions or even dump the NTLM hashes for all users in the domain. There is no patch available, and this would be considered a public zero-day. Why are these labs important? Many organisations use a Windows Domain to manage their users and accounts. This newly announced zero-day has no patch and no known detections in SIEMs. A combination of these labs will allow organisations to identify any potentially weak configurations vulnerable to exploitation and how to threat hunt in a SIEM to identify signs of exploitation. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Pentesters / Red Teams Here is the link to the analysis lab: BadSuccessor – Offensive BadSuccessor – DefensiveNew CTI Lab: Sandworm Campaign: ZEROLOT Wiper
ESET released a new APT threat report today, and amongst the information was a new malware wiper used to attack critical national infrastructure. However, this malware has not been reported on at all. It has been successfully deployed amongst many organizations, but no analysis has been released. Therefore, we are releasing a SIEM analysis to help our customers create threat detections for this destructive malware. The threat actor in question is Sandworm Team, a state-sponsored APT group that has been active since at least 2009. Known for highly destructive cyber campaigns, the group has targeted critical infrastructure. In this lab, you'll be exposed to one of Sandworm's latest campaigns, where they use remote management tools to facilitate the deployment of a new wiper, Zerolot. Why is this lab important? Many of our customers have asked for an analysis of wiper malware, and the destructive nature of this malware worries organizations around the world. This new strain, which has been deployed numerous times successfully since December 2024, needs effective threat detection to ensure security teams are prepared for this threat. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the analysis lab: Sandworm Campaign: ZEROLOT WiperNew CTI Labs: Threat Actors Akira and DragonForce
These labs will highlight the background and TTPs of Akira, a highly prolific threat actor with indiscriminate targeting, and DragonForce, a ransomware actor recently in the news, connected to the attacks on M&S, Co-op, and Harrods. Why are these labs important? Akira is one of the most prolific threat actors that does not discriminate in its targeting. It often targets medium to large enterprises worldwide, with a strong focus on North America and Europe, including the UK. This means that no one is exempt from Akira's targeting in the future, so knowing your TTPs and how to prepare for attacks from threat actors is paramount to keeping your organization safe. Throughout late April 2025, DragonForce has been all over the news since they claimed responsibility for being involved in the attacks against Marks and Spencer, Co-Op, and Harrods in the UK. The information in the labs reflects DragonForce's latest known TTPs and helps customers to stay one step ahead of actors like DragonForce. Who are these labs for? These labs deliver the latest information relating to threat actors and their TTPs. The personas who would benefit the most from these labs are: Cyber Threat Intelligence Analysts SOC Analysts Incident Responders Threat Hunters Here are the links to the labs: Threat Actors: Akira Ransomware Groups: DragonForceNew CTI Lab: CVE-2025-35433 (Erlang SSH): Offensive
On April 16, 2025, a critical vulnerability, identified as CVE-2025-32433, was disclosed in the Erlang/OTP SSH server. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted SSH messages before authentication. After these messages have been sent, attackers have code execution on the victim machine. This lab will walk you through the mechanics of this vulnerability, helping you understand its implications and learn how an attacker could exploit it. Why is this lab important? Given Erlang's widespread use in telecommunications, IoT, and distributed systems, this vulnerability poses a significant risk to victims in multiple sectors and industries. Customers using Erlang should assess its vulnerability status and patch as soon as practicable. Who is this lab for? This lab is an offensive CTI lab, so it primarily benefits penetration testers and red teamers. That said, it's still incredibly valuable for defensive personas as well, so they can see how the attack could work. These personas include: SOC Analysts Incident Responders Threat Hunters Here is the link to the lab: https://iml.immersivelabs.online/v2/labs/cve-2025-35433-erlang-ssh-offensiveNew CTI Labs: CVE-2025-31161 (CrushFTP): Defensive and CVE-2025-31161 (CrushFTP): Offensive
On the 7th April 2025, a vulnerability in the CrushFTP was added to the CISA Kev Catalogue, CrushFTP is an enterprise FTP solution with tens of thousands of instances publicly accessible online. Recent reporting has confirmed that since a proof-of-concept dropped, there has been an uptick in this vulnerability being exploited in the wild. Successful exploitation of this critical vulnerability allows attackers to achieve code execution, file upload, and download, as well as create backdoor accounts. Why should our customers care? As a critical vulnerability with a CVSS base score of 9.8, with no user interaction required, this vulnerability represents a significant impact to customers using CrushFTP or other, similar file transfer solutions. The addition of vulnerabilities to the CISA KEV catalog shows how serious it is and how important it is to patch against the vulnerability, given that the attacker could upload files, achieve persistently, and backdoors onto the server. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Penetration Testers System Administrators Here are the links to the labs: CVE-2025-31161 (CrushFTP): Offensive CVE-2025-31161 (CrushFTP): Defensive In addition, we've released a proof-of-concept script to demonstrate how an attacker could exploit this vulnerability: https://github.com/Immersive-Labs-Sec/CVE-2025-31161New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability has been dubbed MSC EvilTwin and assigned CVE-2025-26633. This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs. Why should our customers care? EncryptHub has been reported to have breached over 618 organizations to deploy StealC, SilentPrism, and ransomware for the purposes of maintaining persistence, stealing data, and causing severe operational disruption; therefore, our customers should be mindful of this threat actor and their tactics. Their use of a zero day vulnerability shows how standard Windows configurations can be abused by threat actors to silently transport this malware into a victims environment to allow attackers to fulfil their operational objectives. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysis
