
Ankura CTIX FLASH Update - July 11, 2025

Malware Activity


How Sophisticated Attacks Undermine Modern Security Measures

Recent security research reveals that even robust Multi-Factor Authentication (MFA) systems can be compromised through tactics like MFA fatigue, session hijacking, and man-in-the-middle attacks, which exploit protocol vulnerabilities and user behavior to bypass protections. Cybercriminals increasingly manipulate users into revealing authentication codes or intercept session tokens outright. This renders MFA less effective and highlights the need for more advanced, context-aware authentication methods. Additionally, a new Android attack called TapTrap utilizes deceptive UI overlays to trick users into granting permissions or clicking malicious links without awareness. It leverages Android's UI layering to mask malicious prompts. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


Gold Melody IAB Gaining Unauthorized Access via Exposed ASP.NET Machine Keys

The Initial Access Broker (IAB) known as Gold Melody has been linked to a campaign exploiting leaked ASP.NET machine keys to gain unauthorized access to organizations. This activity is tracked by Palo Alto Networks Unit 42 as TGR-CRI-0045; the group is also known as Prophet Spider and UNC961. Gold Melody has targeted sectors in Europe and the U.S., including financial services, manufacturing, and logistics, using opportunistic approaches. Microsoft first documented the abuse of ASP.NET machine keys in February 2025, identifying over 3,000 keys that can be weaponized for ViewState code injection attacks leading to arbitrary code execution. The attacks were initially detected in December 2024, when a static ASP.NET machine key was used to inject malicious code and deliver the Godzilla post-exploitation framework. Unit 42's analysis indicates that TGR-CRI-0045 uses these leaked keys for ASP.NET ViewState deserialization, allowing malicious payloads to execute directly in server memory. This technique minimizes on-disk presence and forensic artifacts, bypassing many legacy EDR solutions. Organizations relying on file integrity monitoring or antivirus signatures may miss such intrusions, underscoring the need for behavioral detections based on anomalous IIS request patterns. A spike in activity was noted between late January and March 2025, with post-exploitation tools such as port scanners and bespoke C# programs deployed for local privilege escalation. The attacks typically involve command shell execution from IIS web servers, using tools like ysoserial.net for payload generation. These payloads bypass ViewState protections, executing .NET assemblies in memory. Gold Melody's approach to ViewState exploitation involves loading a single, stateless assembly, requiring repeated exploitation for each command execution. This campaign highlights the threat posed by cryptographic key exposure.
CTIX analysts recommend identifying and remediating compromised Machine Keys to strengthen application security and identity protection strategies.
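The recommendation above starts with finding static or known-leaked machine keys before they can be used for ViewState deserialization. The following is an added example, not code from the bulletin or from Unit 42, that audits an ASP.NET `web.config` for a static `<machineKey>`, compares each key's SHA-256 fingerprint against a leaked-key list (the set here holds only a placeholder; populate it from a vetted source), and flags weak `validation` algorithms and a disabled ViewState MAC. The sample configurations are constructed for the demonstration and do not come from any real deployment.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a static machineKey with SHA1 validation, the kind of
# configuration that is at risk if the key value has ever been published.
STATIC_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: keys generated per application at runtime, modern MAC algorithm.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Hypothetical fingerprint list: SHA-256 of known-leaked key strings, maintained by
# the defender. The single entry is a placeholder, not a real leaked key.
KNOWN_LEAKED_FINGERPRINTS = {"<placeholder-sha256-of-a-leaked-key>"}

# Validation algorithms that should no longer be used for the ViewState MAC.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def fingerprint(key_value: str) -> str:
    """Normalise a hex key and return its SHA-256 fingerprint for list lookups."""
    return hashlib.sha256(key_value.strip().lower().encode()).hexdigest()


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings for the machineKey / ViewState settings in web.config."""
    findings = []
    root = ET.fromstring(config_xml.strip())
    system_web = root.find("./system.web")
    if system_web is None:
        return findings

    # A disabled ViewState MAC lets any client submit arbitrary ViewState.
    pages = system_web.find("./pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is false; ViewState integrity is not checked")

    mk = system_web.find("./machineKey")
    if mk is None:
        return findings  # no static element: keys are auto-generated per app pool

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"{attr} is static; rotate it and keep the value out of source control")
        if fingerprint(value) in KNOWN_LEAKED_FINGERPRINTS:
            findings.append(f"{attr} matches a known leaked key; treat the host as compromised")

    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is weak; use HMACSHA256 or stronger")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{name}: {audit_machine_key(cfg) or ['no findings']}")
```

Run the audit across every `web.config` (and `machine.config`) an IIS host serves; a static key that also appears in a public repository or vendor sample is the case the campaign abuses, so rotation alone is not enough if the key has already been used, and the host should be examined for in-memory execution from the IIS worker process.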


Vulnerabilities


Unpatched Ruckus vSZ and RND Vulnerabilities Expose Enterprise Wireless Networks to Full Compromise

Multiple critical vulnerabilities affecting Ruckus Wireless' Virtual SmartZone (vSZ) and Network Director (RND) remain unpatched, putting large-scale wireless infrastructures at severe risk of compromise. Discovered by Claroty's Team82 and disclosed by Carnegie Mellon's CERT/CC, the flaws include authentication bypass, remote code execution (RCE), hardcoded SSH keys and JWT secrets, and weak password encryption, many of which can be chained for more devastating attacks. vSZ, capable of managing up to 10,000 access points, and RND, used for cluster management, are widely deployed in high-value environments like hospitals, schools, and smart cities. Notable CVEs include CVE-2025-44957, which enables administrator access via maliciously crafted HTTP headers and API keys; CVE-2025-44954, which allows root access using hardcoded SSH keys; and CVE-2025-44955, which provides a root-level jailbreak through a weak password. CERT/CC warns that attackers with network access could achieve a complete compromise, yet attempts to engage Ruckus or parent company CommScope have gone unanswered. With no patches available, CTIX analysts urge administrators to isolate these systems and enforce secure, limited access until fixes are released.


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
