M-Trends 2025 Reveals Advanced Threat Actor Tactics and Expanding Attack Surfaces
Google’s Mandiant unit has released its M-Trends 2025 report, revealing that threat actors, particularly those tied to China, are increasingly deploying tailored malware ecosystems and leveraging zero-day vulnerabilities to maintain long-term access to compromised environments. These threat actors focus on edge devices that often lack visibility from endpoint security tools, using proxy-based infrastructures to avoid detection and extend dwell time. Many tools and payloads uncovered use custom obfuscation to bypass traditional defenses, signaling a shift toward stealth and persistence over speed. Despite the rise in high-complexity intrusions, many breaches still begin with basic errors—stolen credentials, unsecured cloud resources, and misconfigurations during migrations remain major contributors to enterprise compromise. The broad scope of affected industries—from financial services to high tech—underscores how attackers blend sophisticated and opportunistic methods to compromise a wide range of targets. The report also highlights key shifts in attacker behavior and operational timelines. Financially motivated groups now dominate the threat landscape, accounting for over half of active actors. At the same time, espionage-driven activity continues in parallel with ongoing operations from Iranian and North Korean-linked groups. The average global dwell time for attackers has climbed to 11 days, with significantly longer persistence when detection relies on external reporting. Web3 technologies and cloud single sign-on portals are emerging as attractive targets, allowing attackers to scale access once inside. Mandiant recommends reinforcing core security practices—prioritizing strong authentication, proactive threat hunting, and hardened system configurations—as foundational measures against these evolving threats. The report clarifies that organizations must stay agile and threat-informed to keep pace with the growing complexity and volume of attacks.
Update: Surge in Scanning Activity Targets Ivanti VPN Systems, Raising Alarm Over Potential Exploitation
A sharp increase in reconnaissance targeting Ivanti Connect Secure (ICS) and Pulse Secure (IPS) VPN systems has put defenders on high alert following a ninefold spike in suspicious scanning activity detected by threat intelligence firm GreyNoise. On April 18 alone, over 230 unique IP addresses probed ICS and IPS endpoints—an extreme deviation from the usual 30-per-day baseline—signaling potential early-stage planning for exploitation. The number of unique IPs engaged in this scanning activity over the past 90 days has reached 1,004, further indicating sustained and deliberate targeting of these remote access solutions. These systems, which are widely used in enterprise environments to support secure remote connectivity, continue to draw attention from threat actors due to their critical network positioning and access privileges. GreyNoise's analysis reveals that many probing IPs originate from Tor exit nodes and public cloud infrastructure, complicating attribution and blocking efforts. Notably, the scanners appear confident, using non-spoofed IP addresses, possibly indicating automated reconnaissance or an effort to avoid detection by blending into normal traffic. The geographic spread of source and destination IPs—the U.S., Germany, the U.K., and the Netherlands—demonstrates the global interest in exploiting Ivanti platforms. While no specific CVEs have yet been tied to the current spike, history shows that this activity often precedes the discovery and exploitation of zero-day vulnerabilities. With Ivanti systems previously implicated in major breaches, this sustained probing campaign raises concerns about impending threats to enterprises that rely on these platforms for remote access. While this type of scanning is often a precursor to more targeted activity, there is currently no evidence of an active threat or exploitation campaign impacting our client’s environment. 
This is not cause for immediate concern; it remains a relevant risk trend to monitor, given Ivanti’s history with zero-day exploits.
Update: Microsoft Resolves False Error Code in April 2025 WinRE Updates
Microsoft has resolved a known issue affecting the April 2025 Windows Recovery Environment (WinRE) updates that caused false installation failure messages labeled as error code 0x80070643. The error appeared during the installation of updates KB5057588 for Windows Server 2022 and KB5057589 for Windows 10 (versions 21H2 and 22H2), but it did not indicate an actual failure or impact on system functionality. Microsoft clarified that the issue was triggered when WinRE updates attempted to install while another update was awaiting a reboot, which led to the misleading message. Although the update was generally completed successfully after a system restart, the presence of the error confused administrators and users. The fix has now been rolled out, and future installations of these updates will no longer display the incorrect error notification. This isn’t the first time error code 0x80070643 has been linked to WinRE updates. A similar issue emerged in early 2024 when Microsoft asked users to manually resize WinRE partitions as a workaround, later retiring the faulty security updates entirely. The delay in resolving those earlier cases led to malicious actors exploiting the situation by distributing fake fixes embedded with information-stealing malware through fraudulent IT support websites. This history underscores the importance of clear communication and timely remediation when system errors are widely misinterpreted. Microsoft has since advised users to verify the update status using the DISM command line tool, ensuring peace of mind for those who applied the patch. The resolution of this issue helps reinforce the need for accurate update feedback mechanisms, especially in enterprise environments where deployment consistency is critical.
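The bulletin notes that Microsoft points administrators at DISM to confirm what really happened. The PowerShell below is an added example (not from the bulletin, Microsoft, or any vendor) that locates the active WinRE image via reagentc, reads its version and ServicePack build with DISM, and optionally mounts it read-only to look for the KB packages named above; the scratch mount directory, the parsing of DISM's output, and the assumption that the package identity contains the KB number are my own.

```powershell
# Added example: report the state of the WinRE image reagentc points at, so a
# 0x80070643 message can be reconciled with what is actually installed.
# Run from an elevated PowerShell session. Assumptions: DISM can read winre.wim
# at the path reagentc reports, and the update package identity contains the KB
# number (KB5057588 / KB5057589 are the ones named in the bulletin).
function Get-WinReImageState {
    [CmdletBinding()]
    param(
        [string[]]$KbNumbers = @('KB5057588', 'KB5057589'),
        [switch]$ListPackages   # mounts the image read-only to list packages
    )

    # reagentc /info prints a line such as
    #   Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $winreDir = $null
    foreach ($line in (reagentc /info)) {
        if ($line -match 'Windows RE location:\s*(\S.*)$') { $winreDir = $Matches[1].Trim() }
    }
    if (-not $winreDir) { throw 'reagentc did not report a WinRE location; WinRE may be disabled.' }
    $wim = "$winreDir\winre.wim"

    # With /Index, Dism /Get-ImageInfo prints "Version : 10.0.xxxxx" and
    # "ServicePack Build : nnnn" under a "Details for image" header; ignore the
    # tool banner above that header, which also carries a Version line.
    $state = [ordered]@{ ImagePath = $wim; Version = $null; ServicePackBuild = $null; MatchingPackages = @() }
    $inDetails = $false
    foreach ($line in (Dism /Get-ImageInfo "/ImageFile:$wim" /Index:1)) {
        if ($line -match '^Details for image') { $inDetails = $true; continue }
        if (-not $inDetails) { continue }
        if ($line -match '^\s*Version\s*:\s*(.+)$')           { $state.Version = $Matches[1].Trim() }
        if ($line -match '^\s*ServicePack Build\s*:\s*(.+)$') { $state.ServicePackBuild = $Matches[1].Trim() }
    }

    if ($ListPackages) {
        $mount = Join-Path $env:TEMP 'winre_mount'   # assumed scratch directory
        New-Item -ItemType Directory -Path $mount -Force | Out-Null
        Dism /Mount-Image "/ImageFile:$wim" /Index:1 "/MountDir:$mount" /ReadOnly | Out-Null
        try {
            $pattern = ($KbNumbers -join '|')
            $state.MatchingPackages = @(Dism "/Image:$mount" /Get-Packages |
                Where-Object { $_ -match '^\s*Package Identity' -and $_ -match $pattern })
        } finally {
            Dism /Unmount-Image "/MountDir:$mount" /Discard | Out-Null
        }
    }
    [pscustomobject]$state
}

Get-WinReImageState -ListPackages | Format-List
```

Compare the reported Version and ServicePack Build against the values Microsoft publishes for the April 2025 WinRE update; a version that already matches after the reboot confirms the 0x80070643 message was spurious.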
GitLab Issues Emergency Security Patch to Address Critical XSS and Account Takeover Risks
GitLab has issued an urgent security update affecting its Community (CE) and Enterprise (EE) editions, with new releases—17.11.1, 17.10.5, and 17.9.7—resolving five serious vulnerabilities. Three flaws are rated high severity, including two cross-site scripting (XSS) issues and a Network Error Logging (NEL) header injection vulnerability, all impacting the Maven dependency proxy. These issues could allow attackers to inject malicious scripts into users' browsers, track activity, and potentially hijack accounts. Medium-severity issues addressed include a denial-of-service vulnerability through issue preview abuse and an access control flaw exposing restricted branch names when repository assets are disabled. GitLab urges all self-managed users to update immediately, warning that delaying the upgrade leaves systems open to active exploitation vectors that could compromise project data or disrupt operations. GitLab[.]com and Dedicated customers are already secured against these vulnerabilities, but organizations running on-premise or unmanaged versions remain at risk. The XSS flaws (CVE-2025-1763 and CVE-2025-2443) allow remote attackers to bypass content security policies and inject scripts using crafted headers, while CVE-2025-1908 permits stealth browser tracking via NEL header manipulation. These issues underscore the growing complexity of supply chain risks within DevOps platforms. GitLab’s rapid response follows coordinated disclosures via its HackerOne program, with full technical details set to be published after a 30-day embargo. In the meantime, organizations must follow GitLab’s best practices and ensure their CI/CD environments are adequately secured to prevent future exploitation.