Date: 05/30/2025
Severity: Medium
Summary
A China-nexus threat actor is actively exploiting a critical vulnerability (CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. The flaw, when chained with CVE-2025-4427, enables unauthenticated remote code execution on vulnerable systems. Exploitation has been observed since May 15, 2025, targeting internet-facing Ivanti EPMM instances. Affected sectors include healthcare, finance, defense, telecommunications, aviation, and municipal governments across Europe, North America, and the Asia-Pacific region.
Indicators of Compromise (IOC) List

URL/Domain:
openrbf.s3.amazonaws.com
tnegadge.s3.amazonaws.com
fconnect.s3.amazonaws.com
trkbucket.s3.amazonaws.com
the-mentor.s3.amazonaws.com
tkshopqd.s3.amazonaws.com
http://abbeglasses.s3.amazonaws.com/dSn9tM
https://dpaste.com/9MQEJ6VYR.txt
ns1.cybertunnel.run

IP Address:
103.244.88.125
27.25.148.183
146.70.87.67
124.223.202.90

Hash (SHA-256):
44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a
7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5
f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c
150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21
29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768
64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30
b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/domain indicators):
domainname like "tkshopqd.s3.amazonaws.com" or siteurl like "tkshopqd.s3.amazonaws.com" or url like "tkshopqd.s3.amazonaws.com"
or domainname like "http://abbeglasses.s3.amazonaws.com/dSn9tM" or siteurl like "http://abbeglasses.s3.amazonaws.com/dSn9tM" or url like "http://abbeglasses.s3.amazonaws.com/dSn9tM"
or domainname like "the-mentor.s3.amazonaws.com" or siteurl like "the-mentor.s3.amazonaws.com" or url like "the-mentor.s3.amazonaws.com"
or domainname like "trkbucket.s3.amazonaws.com" or siteurl like "trkbucket.s3.amazonaws.com" or url like "trkbucket.s3.amazonaws.com"
or domainname like "openrbf.s3.amazonaws.com" or siteurl like "openrbf.s3.amazonaws.com" or url like "openrbf.s3.amazonaws.com"
or domainname like "tnegadge.s3.amazonaws.com" or siteurl like "tnegadge.s3.amazonaws.com" or url like "tnegadge.s3.amazonaws.com"
or domainname like "fconnect.s3.amazonaws.com" or siteurl like "fconnect.s3.amazonaws.com" or url like "fconnect.s3.amazonaws.com"
or domainname like "https://dpaste.com/9MQEJ6VYR.txt" or siteurl like "https://dpaste.com/9MQEJ6VYR.txt" or url like "https://dpaste.com/9MQEJ6VYR.txt"
or domainname like "ns1.cybertunnel.run" or siteurl like "ns1.cybertunnel.run" or url like "ns1.cybertunnel.run"
Detection Query 2 (IP address indicators):
dstipaddress IN ("103.244.88.125","27.25.148.183","146.70.87.67","124.223.202.90") or srcipaddress IN ("103.244.88.125","27.25.148.183","146.70.87.67","124.223.202.90")
Detection Query 3 (SHA-256 file hash indicators):
sha256hash IN ("b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab","f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c","64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30","44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a","7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5","29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768","150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21")
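The following Python script is an added illustration (not Gurucul's or EclecticIQ's code) of the same three checks the queries above express, run over log lines. The field names mirror the queries (domainname, siteurl, url, srcipaddress, dstipaddress, sha256hash); the JSON-per-line log records are constructed for this example, and the IOC values are the ones listed in the advisory. Unlike a plain "like" match, it matches the two full-URL indicators on scheme, host and path, so ordinary traffic to dpaste.com or to the shared S3 host is not flagged, and it lowercases hostnames and hashes before comparison so mixed-case telemetry is still caught.

```python
"""Match the advisory's IOCs against constructed JSON log lines (added example)."""
import json
from urllib.parse import urlsplit

# IOC values copied from the advisory. Bare hostnames are matched on the host;
# the two full URLs are matched on scheme+host+path so that unrelated traffic
# to the shared hosts (dpaste.com, abbeglasses.s3.amazonaws.com) is not flagged.
IOC_HOSTS = {
    "openrbf.s3.amazonaws.com", "tnegadge.s3.amazonaws.com",
    "fconnect.s3.amazonaws.com", "trkbucket.s3.amazonaws.com",
    "the-mentor.s3.amazonaws.com", "tkshopqd.s3.amazonaws.com",
    "ns1.cybertunnel.run",
}
IOC_URLS = {
    "http://abbeglasses.s3.amazonaws.com/dSn9tM",
    "https://dpaste.com/9MQEJ6VYR.txt",
}
IOC_IPS = {"103.244.88.125", "27.25.148.183", "146.70.87.67", "124.223.202.90"}
IOC_SHA256 = {
    "44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a",
    "7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5",
    "f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c",
    "150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21",
    "29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768",
    "64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30",
    "b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab",
}


def _normalize_url(value):
    """Return (host, canonical_url) for a URL or a bare hostname field value."""
    if "://" not in value:
        # Bare hostname: lowercase and drop a trailing dot from DNS-style logs.
        return value.lower().rstrip("."), None
    parts = urlsplit(value)
    host = (parts.hostname or "").lower()
    canonical = f"{parts.scheme.lower()}://{host}{parts.path}"
    return host, canonical


def match_event(event):
    """Return the list of (kind, indicator) hits for one parsed log event.

    Mirrors the three queries above: URL/domain fields, src/dst IP fields and
    the SHA-256 field. Returns an empty list when nothing matches.
    """
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if not value:
            continue
        host, canonical = _normalize_url(value)
        if host in IOC_HOSTS:
            hits.append(("domain", host))
        if canonical in IOC_URLS:
            hits.append(("url", canonical))
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(("ip", value))
    digest = (event.get("sha256hash") or "").lower()
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def scan_log(lines):
    """Parse JSON-per-line records; return [(line_no, hits)] for lines with a hit."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        hits = match_event(event)
        if hits:
            findings.append((line_no, hits))
    return findings


# Constructed sample log lines (not real telemetry); 192.0.2.x is a documentation range.
SAMPLE_LOG = [
    '{"dstipaddress": "192.0.2.10", "url": "https://example.com/"}',
    '{"dstipaddress": "103.244.88.125", "url": "https://example.com/"}',
    '{"url": "https://dpaste.com/other-paste.txt"}',
    '{"url": "https://dpaste.com/9MQEJ6VYR.txt"}',
    '{"domainname": "TKSHOPQD.s3.amazonaws.com."}',
    '{"sha256hash": "B422645DB18E95AA0B4DAAF5277417B73322BED306F42385ECFD6D49BE26BFAB"}',
    'this line is not json',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

Running the script reports hits on lines 2, 4, 5 and 6 only: the unrelated dpaste.com paste on line 3 is not flagged, while the mixed-case hostname and hash are. To run it over real exports, replace SAMPLE_LOG with the lines of a JSON-per-line log file and map your SIEM's field names onto the ones used here.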
Reference:
https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability