
F5 Threat Report - November 19th, 2025

CISA Flags Imminent Threat As Akira Ransomware Starts Hitting Nutanix AHV

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and European law enforcement, has issued an updated advisory on the Akira ransomware operation, noting its expansion to target Nutanix AHV virtual machines. This development follows observations of attacks against Nutanix hypervisors since June, adding to Akira's previous targeting of VMware ESXi and Hyper-V environments. The group, which has extorted an estimated $244.17 million, primarily gains initial access by exploiting vulnerabilities in VPN products, specifically citing CVE-2024-40766 in misconfigured SonicWall SSL-VPNs, as well as through compromised VPN credentials, brute-forcing VPN endpoints, password spraying, and exploiting SSH protocol vulnerabilities. After initial access, Akira actors move laterally, exploiting publicly known vulnerabilities in Veeam Backup and Replication servers, such as CVE-2023-27532 and CVE-2024-40711, before deploying encryption payloads on Nutanix AHV platforms. Akira, which emerged in 2023 as a Conti offshoot, has targeted critical sectors including manufacturing, education, healthcare, and finance, with notable victims including Lush, Stanford University, and the Toronto Zoo. Recommended mitigations include patching known exploited vulnerabilities, deploying multi-factor authentication, enforcing strong password policies, maintaining offline backups, and implementing network segmentation.

Severity: Critical

Sources

Threat Details and IOCs

Malware:Akira, Akira_v2, Akirav2, BadCandy, BurntCigar, Conti, Coroxy, DroxiDat, Fog, Interlock, LaZagne, Lost in the Fog, Megazord, Mimikatz, OVERSTEP, POORTRY, Rhadamanthys, Ryuk, STONETOP, SystemBC, VenomRAT, Venom Software
CVEs:CVE-2019-6693, CVE-2020-3259, CVE-2020-3580, CVE-2021-21972, CVE-2022-40684, CVE-2023-20269, CVE-2023-27532, CVE-2023-28252, CVE-2024-37085, CVE-2024-40711, CVE-2024-40766
Technologies:Amazon Web Services, AnyDesk, Cisco Adaptive Security Appliance, Cisco Firepower Threat Defense (FTD), Cisco Firepower Threat Defense Software, Cisco VPN, Gladinet Triofox, Linux, LogMeIn, Microsoft 365, Microsoft Active Directory, Microsoft Hyper-V, Microsoft Windows, Microsoft Windows Server, Nutanix AHV, Python, SonicWall, SonicWall Firewall, SonicWall Secure Mobile Access (SMA), SonicWall SonicOS, SonicWall SSL-VPN, SonicWall VPN, Veeam Backup & Replication, VMware ESXi, Watchdog Anti-Malware, WatchGuard Firebox, Zemana AntiMalware
Threat Actors:Akira, Conti, GoldSahara, HowlingScorpius, Megazord, Storm-1567, Storm1567, UNC6148, WIZARDSPIDER
Attacker Countries:Myanmar, Russia, United States
Attacker Domains:akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion, level.io
Attacker URLs:https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/#apacheopenoffice
Attacker Hashes:03aa12ac2884251aa24bf0ccd854047de403591a8537e6aba19e822807e06a45, 08cf869a19c76ca718ba80ef73636e7bc38218b8, 0b5b31af5956158bfbd14f6cbf4f1bca23c5d16a40dbf3758f3289146c565f43, 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d, 0d700ca5f6cc093de4abba9410480ee7a8870d5e8fe86c9ce103eec3872f225f, 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c, 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07, 17c624693f5dd575485ec4286b0ba786, 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88, 24e19d29a47b6b5e1a39bf5e4c313194, 2e88e55cc8ee364bf90e7a51671366efb3dac3e9468005b044164ba0f1624422, 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83, 2fed7579556f01161bb1fdfd1c3e9e6c, 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75, 3a25d3f82651567e5760e48ad06c9f6caab4f9fdc071e98919163b3a71e67168, 3d2b58ef6df743ce58669d7387ff94740ceb0122c4fc1c4ffd81af00e72e60a4, 40221e1c2e0c09bc6104548ee847b6ec790413d6ece06ad675fff87e5b8dc1d5, 4dc9f9684f715f50946e85557b82af80fcb45576efad47eee1bf054c15e570f0, 57d1aeb41d9cfea4d6899724bc4b09a5, 58359209e215a9fc0dafd14039121398559790dba9aa2398c457348ee1cb8a4d, 58afef43cec0ee7a2fbfd9cdd5b71f55f971672d5e523a400b82b98c752ca5b7, 5961a99181df157b81d35a50eeb27f96577a2fa2, 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32, 5ea65e2bb9d245913ad69ce90e3bd9647eb16d992301145372565486c77568a2, 643061ac0b51f8c77f2ed202dc91afb9879f796ddd974489209d45f84f644562, 6f9d50bab16b2532f4683eeb76bd25449d83bdd6c85bf0b05f716a4b49584f84, 7266e2afb5c70788c018d684698b0940eded4cb863f2b33f4edd31b59d1eab1d, 74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1, 77d48e8c13ce066b197905cc8fc69969af69b74d25f5e95dcd1302ada2e7ccec, 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be, 814310fb7a59f23e3e137ee6fee04fa1, 8e12c8eb39cec9a414b56a36acbcc1a5b31dc96a38bc668138a00f94f7c26ea5, 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a, 
9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065, 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c, a2df5477cf924bd41241a3326060cc2f913aff2379858b148ddec455e4da67bc, aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d, bfd5fc6cd3dea74738ac7025fa14ea844f400708df2293572796568f65bd6b61, c0f706ff43936c1bb19db4f39b11129c3fc8ddafbd159852475ef99a246b2f79, c56b31c9080b993d57c100b91d096c33, c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0, cf3465d7e49b609defa1e2b6cfcc86ffa30c72246cb2744dbf50736c5f3d74d5, cfa209d56e296c40b32815270060e539963d68cda3285c5f393c97eb3c960d37, d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca, d5efaa22a74aab87d17f8666686b554e41fb389a, dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e, dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198, e1321a4b2b104f31aceaf4b19c5559e40ba35b73a754d3ae13d8e90c53146c0f, e57340a208ac9d95a1f015a5d6d98b94, ef328f68c6d865ba4ef4223b5d8ee9efb5667420, fef09b0aa37cbdb6a8f60a6bd8b473a7e5bffdc7fd2e952444f781574abccf64, ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc
Victim Industries:Agriculture, Automotive, Business Services, Construction, Consulting Services, Critical Manufacturing, Education, Energy, Financials, Financial Services, Government, Healthcare, Health Care Technology, Hospitality, Industrials, Information Technology, Insurance, Legal Services, Manufacturing, Media and Entertainment, Oil & Gas, Public Administration, Public Health, Public Sector, Real Estate, Retail, Software, Technology Hardware, Telecommunications, Transportation, Transportation & Logistics
Victim Countries:Afghanistan, Australia, Bangladesh, Bhutan, Brunei, Cambodia, Canada, China, Czech Republic, Denmark, Fiji, Finland, France, Germany, India, Indonesia, Italy, Japan, Kiribati, Laos, Malaysia, Maldives, Marshall Islands, Micronesia, Mongolia, Myanmar, Nauru, Nepal, Netherlands, New Zealand, Nigeria, North Korea, Pakistan, Palau, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Africa, South Korea, Spain, Sri Lanka, Sweden, Taiwan, Thailand, Timor-Leste, Tonga, Turkey, Tuvalu, United Kingdom, United States, Uruguay, Vanuatu, Vietnam

Mitigation Advice

  • Immediately patch all SonicWall SSL-VPN devices to remediate vulnerability CVE-2024-40766.
  • Apply patches to all Veeam Backup and Replication servers to remediate CVE-2023-27532.
  • Apply patches to all Veeam Backup and Replication servers to remediate the critical remote code execution vulnerability CVE-2024-40711.
  • Audit Nutanix AHV hypervisor logs for any unauthorized access, unexpected VM modifications, or other anomalous activity.
  • Review VPN access logs for signs of brute-force attacks, password spraying, or logins from unusual geographic locations or at unusual times.
  • Scan the network perimeter for any exposed SSH services on routers or other network devices and disable them or restrict access to trusted IP addresses immediately.
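
The VPN log review above becomes actionable once it is written down as thresholds. The following script is an added example, not code from CISA, the FBI or F5: it runs over a few constructed VPN authentication records in an assumed `timestamp user source-ip result` format and flags password spraying (one source failing against many accounts), brute force (many failures against one account), a success from a source that had been spraying, and successful logins from outside an assumed country allow-list or outside assumed business hours. The log format, the thresholds, the `GEOIP` table and the allow-list are all assumptions to be replaced with the VPN concentrator's real export and a real GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log lines in an assumed format:
# "<ISO-8601 timestamp> <username> <source IP> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2025-11-18T02:01:10Z alice 203.0.113.7 FAILURE
2025-11-18T02:01:12Z bob 203.0.113.7 FAILURE
2025-11-18T02:01:14Z carol 203.0.113.7 FAILURE
2025-11-18T02:01:16Z dave 203.0.113.7 FAILURE
2025-11-18T02:01:18Z erin 203.0.113.7 FAILURE
2025-11-18T02:01:20Z frank 203.0.113.7 SUCCESS
2025-11-18T03:10:00Z admin 198.51.100.9 FAILURE
2025-11-18T03:10:01Z admin 198.51.100.9 FAILURE
2025-11-18T03:10:02Z admin 198.51.100.9 FAILURE
2025-11-18T03:10:03Z admin 198.51.100.9 FAILURE
2025-11-18T03:10:04Z admin 198.51.100.9 FAILURE
2025-11-18T03:10:05Z admin 198.51.100.9 FAILURE
2025-11-18T09:00:00Z alice 192.0.2.44 SUCCESS
2025-11-18T23:30:00Z bob 192.0.2.44 SUCCESS
"""

# Assumed stand-ins for a GeoIP lookup and for the organisation's expected countries.
GEOIP = {"203.0.113.7": "XX", "198.51.100.9": "YY", "192.0.2.44": "US"}
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC; assumed for the sample


def parse(lines):
    """Parse the assumed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def analyze(lines, spray_users=5, brute_failures=5):
    """Return a list of findings; each finding is a tuple whose first item is its kind."""
    findings = []
    failed_users_by_ip = defaultdict(set)   # password spraying: one source, many accounts
    failures_by_user = defaultdict(int)     # brute force: many failures, one account
    success_by_ip = defaultdict(list)       # needed to spot a spray that eventually worked

    for ts, user, ip, result in parse(lines):
        if result == "FAILURE":
            failed_users_by_ip[ip].add(user)
            failures_by_user[user] += 1
            continue
        success_by_ip[ip].append(user)
        country = GEOIP.get(ip, "??")
        if country not in ALLOWED_COUNTRIES:
            findings.append(("unusual_geo", ip, user, country))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", ip, user, ts.isoformat()))

    for ip, users in failed_users_by_ip.items():
        if len(users) >= spray_users:
            findings.append(("password_spray", ip, sorted(users)))
            # A success from a spraying source is the highest-value signal here.
            for user in success_by_ip.get(ip, []):
                findings.append(("spray_then_success", ip, user))
    for user, n in failures_by_user.items():
        if n >= brute_failures:
            findings.append(("brute_force", user, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Counting distinct usernames per source rather than raw failures is what separates spraying from ordinary mistyped passwords; the `spray_then_success` finding is the one to page on, since a spraying source that then authenticates matches the credential-based initial access described in the item.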

Compliance Best Practices

  • Develop a plan to deploy phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2/WebAuthn, for all remote access services, including VPNs, SSH, and cloud services.
  • Implement a network segmentation architecture to isolate critical infrastructure, such as hypervisor management networks (Nutanix, VMware, Hyper-V) and backup servers, from the general user and server networks.
  • Enforce a strict password policy that requires long, unique passphrases for all accounts and deploy a credential monitoring service to detect when employee credentials appear in public data breaches.
  • Review and redesign the backup and recovery strategy to ensure that critical data backups are stored offline or in an immutable cloud storage tier, and regularly test the restoration process.
  • Establish a continuous attack surface management program to regularly identify, assess, and remediate all internet-facing services and systems.

RONINGLOADER Uses Signed Drivers to Disable Microsoft Defender and Bypass EDR

Elastic Security Labs has uncovered RONINGLOADER, a sophisticated multi-stage loader attributed to the Dragon Breath APT group (APT-Q-27), primarily targeting Chinese-speaking users through trojanized installers masquerading as legitimate software like Google Chrome and Microsoft Teams. This campaign weaponizes legitimately signed kernel drivers, specifically `ollama.sys` issued by Kunming Wuqi E-commerce Co., Ltd., to terminate security processes including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, Qihoo 360 Total Security, and Huorong Security from kernel mode. RONINGLOADER further employs Protected Process Light (PPL) abuse, leveraging `ClipUp.exe` to overwrite `MsMpEng.exe` and disable Microsoft Defender, alongside deploying custom unsigned Windows Defender Application Control (WDAC) policies to block other security solutions. The attack chain also utilizes phantom DLL side-loading, thread pool injection, and firewall manipulation, ultimately injecting a modified gh0st RAT as its final payload. This RAT maintains C2 communication over encrypted TCP channels and performs keystroke logging, clipboard hijacking, and cryptocurrency wallet monitoring, particularly for MetaMask and Telegram interactions, signifying a notable advancement in APT capabilities through sophisticated abuse of legitimate Windows features and signed drivers to neutralize endpoint security.

Severity: Critical

Sources

Threat Details and IOCs

Malware:C.Rufus, Farfli, gh0st RAT, Gh0st RAT, Ghost RAT, Moudoor, RoningLoader, RONINGLOADER, SugarGh0st RAT, Zegost
Technologies:Microsoft Defender Antivirus, Microsoft Windows
Threat Actors:APT27, APT-Q-27
Attacker Countries:China
Attacker Domains:qaqkongtiao.com, www.baidu.com
Attacker URLs:http://www.baidu.com/
Attacker Hashes:1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7, 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2, 2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5, 33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c, 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d, 3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33, 4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6, 507e41a0831a8f3a81f2cd6be76ea4d757f463524f6c93bba15d47984f9e29c1, 82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724, 96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0, c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5, da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b, fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc, fd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107
Victim Industries:E-commerce, Financial Services, Gambling & Gaming, Gaming, Information Security, Software
Victim Countries:China

Mitigation Advice

  • Create a block rule in your endpoint security software to deny the execution of any files signed by the certificate issued to "Kunming Wuqi E-commerce Co., Ltd.".
  • Use endpoint detection and response (EDR) or system management tools to scan all endpoints for the presence of the file `ollama.sys`.
  • Create a detection rule in your EDR or SIEM to alert on the `ClipUp.exe` process attempting to write to or modify the `MsMpEng.exe` file located in the Microsoft Defender program directory.
  • Configure file integrity monitoring (FIM) to alert on the creation or modification of files, particularly `.p7b` files, within the `C:\Windows\System32\CodeIntegrity\` directory.
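
The four steps above are all expressible as detection rules. The following is an added example, not Elastic's or F5's detection content: it runs three such rules over constructed endpoint telemetry in an assumed schema (`event_type`, `process`, `image`, `signer`, `target_path`), flagging loads of `ollama.sys` or of any driver signed by the named certificate, `ClipUp.exe` writing to `MsMpEng.exe`, and `.p7b` files created under `C:\Windows\System32\CodeIntegrity\`. The field names and the sample records are assumptions; map them onto the fields your EDR actually exports.

```python
import ntpath

# Constructed endpoint telemetry records in an assumed schema (not any real EDR's export format).
SAMPLE_EVENTS = [
    {"event_type": "driver_load", "process": r"C:\Windows\System32\services.exe",
     "image": r"C:\Users\Public\chrome_setup\ollama.sys",
     "signer": "Kunming Wuqi E-commerce Co., Ltd."},
    {"event_type": "file_write", "process": r"C:\Windows\System32\ClipUp.exe",
     "target_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_type": "file_create", "process": r"C:\Users\Public\chrome_setup\setup.exe",
     "target_path": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"},
    {"event_type": "driver_load", "process": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\drivers\ndis.sys", "signer": "Microsoft Windows"},
    {"event_type": "file_write", "process": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_path": r"C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"},
]

BLOCKED_SIGNER = "kunming wuqi e-commerce co., ltd."      # certificate subject named in the item
CODE_INTEGRITY_DIR = r"c:\windows\system32\codeintegrity"  # where WDAC policies are staged


def _norm(path):
    """Lower-case and use backslashes so comparisons are not fooled by case or slash style."""
    return path.replace("/", "\\").lower()


def _base(path):
    return ntpath.basename(_norm(path))


def rule_signed_driver(ev):
    """Driver load of ollama.sys, or of anything signed with the abused certificate."""
    return ev["event_type"] == "driver_load" and (
        _base(ev["image"]) == "ollama.sys"
        or ev.get("signer", "").strip().lower() == BLOCKED_SIGNER
    )


def rule_clipup_msmpeng(ev):
    """ClipUp.exe writing over the Defender service binary (the PPL abuse described above)."""
    return (ev["event_type"] in ("file_write", "file_create")
            and _base(ev["process"]) == "clipup.exe"
            and _base(ev["target_path"]) == "msmpeng.exe")


def rule_codeintegrity_p7b(ev):
    """A .p7b policy file written anywhere under the CodeIntegrity directory."""
    if ev["event_type"] not in ("file_write", "file_create"):
        return False
    target = _norm(ev["target_path"])
    return target.endswith(".p7b") and target.startswith(CODE_INTEGRITY_DIR + "\\")


RULES = {
    "roningloader_abused_signed_driver": rule_signed_driver,
    "roningloader_clipup_overwrites_msmpeng": rule_clipup_msmpeng,
    "roningloader_wdac_policy_dropped": rule_codeintegrity_p7b,
}


def evaluate(events, rules=RULES):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in rules.items():
            if rule(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[i]}")
```

Paths are lower-cased and slash-normalised before comparison because Windows file systems are case-insensitive and telemetry from different sensors mixes slash styles; a rule that compares `ClipUp.exe` case-sensitively misses `clipup.exe`. The last two sample records show that a legitimate driver load and Defender's own writes do not fire any of the rules.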

Compliance Best Practices

  • Implement Windows Defender Application Control (WDAC) in enforcement mode to create an application allowlist, ensuring only approved applications, scripts, and installers can execute.
  • Use Windows Defender Application Control (WDAC) to establish a strict policy that blocks all kernel-mode drivers by default and only allows the execution of explicitly approved drivers required for operations.
  • Establish a recurring security awareness training program focused on identifying and avoiding phishing attempts and the risks of downloading and installing software from unofficial websites.
  • Enable and enforce tamper protection features for all endpoint security solutions, including Microsoft Defender and third-party EDR agents, to prevent their services and configurations from being disabled.
  • Develop and tune correlation rules in your SIEM to detect attack sequences, such as an NSIS installer execution followed by the creation of a new system service and the loading of a new kernel driver.

Fortinet FortiWeb Flaw Actively Exploited in the Wild before Company's Silent Patch

An authentication bypass vulnerability in Fortinet FortiWeb Web Application Firewall (WAF) is being actively exploited in the wild, allowing attackers to create new administrator accounts and fully compromise devices. This flaw, silently patched in FortiWeb version 8.0.2, enables privileged actions through an HTTP POST request to the `/api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi` endpoint. Observed exploitation includes the creation of admin accounts with usernames and passwords such as "Testpoint / AFodIUU3Sszp5" and "trader1 / 3eMIXX43." Cybersecurity researchers have reproduced the vulnerability, developed a proof-of-concept, and released an artifact generator tool to identify susceptible devices. Organizations running FortiWeb versions prior to 8.0.2 are urged to apply patches immediately, as unpatched systems are likely already compromised, though Fortinet has not yet assigned a CVE identifier or issued an official advisory.

Severity: Critical

Sources

Threat Details and IOCs

Malware:LANDFALL, Lumma, LummaC2, Lumma Stealer, NetSupport Manager RAT, NetSupport RAT, PROMPTFLUX, SesameOp
Technologies:Fortinet
Attacker Countries:United States
Attacker IPs:107.152.41.19, 144.31.1.63, 185.192.70.0/24, 185.192.70.25, 185.192.70.31, 185.192.70.33, 185.192.70.36, 185.192.70.39, 185.192.70.43, 185.192.70.46, 185.192.70.49, 185.192.70.50, 185.192.70.53, 185.192.70.57, 64.95.13.8, 89.169.55.168
Attacker URLs:/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Victim Industries:Data Centers, Education, Financial Services, Government, Healthcare, Hospitality, Information Technology, Managed Service Providers, Manufacturing, Oil & Gas, Retail, Telecommunications
Victim Countries:United States

Mitigation Advice

  • Immediately upgrade all Fortinet FortiWeb appliances to version 8.0.2 or a later version.
  • Audit all Fortinet FortiWeb devices for any unauthorized administrator accounts, specifically searching for the usernames 'Testpoint', 'trader1', 'trader', 'test1234point', or any other recently created, unknown admin users.
  • Create a detection rule in your SIEM to generate a high-priority alert for any inbound HTTP POST requests to URI paths containing '/cgi-bin/fwbcgi' targeting FortiWeb devices.
  • Implement a blocking rule on your network IPS or edge firewall to deny inbound HTTP POST requests to the URI path '/api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi'.
  • Use a vulnerability scanner or the publicly available proof-of-concept tools to scan your network and identify all Fortinet FortiWeb appliances that have not been patched to version 8.0.2.
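
The SIEM and IPS rules above match on the literal request path, but the item's own indicator list shows the request with `?` percent-encoded as `%3f`, and a raw substring match on the logged URI misses that variant. The following is an added example, not Fortinet's or F5's detection logic: it parses constructed access-log lines in an assumed combined-log-like format, percent-decodes each request target (twice, to catch double encoding), resolves `..` segments the way RFC 3986 section 5.2.4 does, and flags requests that contain or resolve to `/cgi-bin/fwbcgi`. The two flagged source addresses are taken from the item's indicator list; the log format and the other addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in an assumed combined-log-like format. The first two source
# addresses are taken from the item's indicator list; the others are documentation addresses.
SAMPLE_LOG = """\
185.192.70.25 - - [18/Nov/2025:10:00:01 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
64.95.13.8 - - [18/Nov/2025:10:00:02 +0000] "POST /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
192.0.2.10 - - [18/Nov/2025:10:00:03 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
192.0.2.11 - - [18/Nov/2025:10:00:04 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def remove_dot_segments(path):
    """Resolve '.' and '..' segments the way RFC 3986 section 5.2.4 does for a path."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def normalize_target(target, rounds=2):
    """Percent-decode (repeatedly, to catch double encoding) and collapse traversal.

    Returns (decoded, resolved): the decoded request target and the path it resolves to.
    """
    decoded = target
    for _ in range(rounds):
        decoded = unquote(decoded)
    return decoded, remove_dot_segments(decoded)


def detect(lines, sink="/cgi-bin/fwbcgi"):
    """Flag requests whose decoded target contains, or resolves to, the fwbcgi endpoint."""
    findings = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, resolved = normalize_target(m["target"])
        if sink in decoded or resolved.startswith(sink):
            findings.append({
                "src": m["ip"],
                "method": m["method"],
                "raw": m["target"],
                "resolved": resolved,
                "traversal": "/../" in decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Normalising before matching is the general point: the resolved path shows where the traversal actually lands, and the same reasoning applies to any IPS signature written as a literal string, which should cover the percent-encoded form as well as the one quoted in the blocking rule above.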

Compliance Best Practices

  • Implement a network security policy to ensure administrative interfaces for all critical appliances, including FortiWeb, are not exposed to the public internet and are only accessible from a secure, segregated management network or via a VPN with multi-factor authentication.
  • Establish a formal threat intelligence process that incorporates monitoring of security researcher publications, technical forums, and third-party reports in addition to official vendor security advisories.
  • Configure all critical network devices, including FortiWeb, to send system and audit logs to a centralized SIEM, and create an automated alerting rule to trigger an investigation whenever a new user account with administrative privileges is created.

Palo Alto PAN-OS Flaw Lets Attackers Force Firewall Reboots via Malicious Packets

Palo Alto Networks has disclosed a denial-of-service vulnerability, CVE-2025-4619, in its PAN-OS software, impacting PA-Series and VM-Series firewalls, as well as Prisma Access deployments. This flaw allows unauthenticated attackers to force firewalls into unexpected reboots and potentially maintenance mode by sending specially crafted network packets through the data plane, thereby disrupting network security operations. Exploitation requires the firewall to be configured with URL proxy functionality or a decrypt policy. The vulnerability carries a CVSS 4.0 score of 6.6 (base 8.7), indicating a high product availability impact and low attack complexity, requiring no user interaction or privileges. Affected versions include specific builds of PAN-OS 10.2, 11.1, and 11.2, while PAN-OS 10.1, 11.2.5 or later, 12.1, and Cloud NGFW deployments are not vulnerable. Organizations should prioritize patching to fixed versions, such as 11.2.2-h2, 11.2.3-h6, 11.2.4-h4, or 11.2.5+ for PAN-OS 11.2; 11.1.2-h18 or later for PAN-OS 11.1; and 10.2.14 or later for PAN-OS 10.2, although no active exploitation has been reported as of November 12, 2025.

Severity: Critical

Sources

Threat Details and IOCs

Malware:Gokcpdoor, Lumma, LummaC2, Lumma Stealer, NetSupport Manager, NetSupport RAT
CVEs:CVE-2025-4619
Technologies:Palo Alto Networks
Victim Industries:Financial Services, Healthcare, Industrial Control Systems, Manufacturing, Oil & Gas, Public Sector, Retail, Telecommunications, Utilities

Mitigation Advice

  • Identify all Palo Alto Networks PA-Series and VM-Series firewalls currently deployed in the environment.
  • For all identified Palo Alto firewalls, verify if they are configured with either 'URL proxy functionality' or a 'decrypt policy'.
  • Upgrade all vulnerable firewalls running affected PAN-OS 11.2 versions to 11.2.5 or a later patched release.
  • Upgrade all vulnerable firewalls running affected PAN-OS 11.1 versions to 11.1.2-h18 or a later patched release.
  • Upgrade all vulnerable firewalls running affected PAN-OS 10.2 versions to 10.2.14 or a later patched release.
  • Implement monitoring and alerting for unexpected reboots or maintenance mode transitions on all Palo Alto firewalls.
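
The three upgrade steps above hinge on comparing PAN-OS version strings that carry hotfix suffixes: `11.2.3` sorts below `11.2.3-h6`, while `11.2.5` needs no hotfix at all. The following is an added example, not a Palo Alto Networks tool: it encodes the fixed releases exactly as listed in the item, classifies each version, and triages a constructed inventory by whether the firewall also meets the item's exploitation precondition (URL proxy functionality or a decrypt policy). The inventory records and their feature flags are assumptions; trains the item does not mention (such as 11.0) are reported as `unknown` rather than guessed.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s):
    """'11.2.4-h4' -> (11, 2, 4, 4); a release with no hotfix suffix sorts as hotfix 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Fixed releases exactly as listed in the item, keyed by train, then maintenance release ->
# minimum hotfix number. Any maintenance release newer than the last listed one is "or later".
FIXED = {
    (11, 2): {2: 2, 3: 6, 4: 4, 5: 0},  # 11.2.2-h2, 11.2.3-h6, 11.2.4-h4, 11.2.5+
    (11, 1): {2: 18},                    # 11.1.2-h18 or later
    (10, 2): {14: 0},                    # 10.2.14 or later
}
NOT_AFFECTED_TRAINS = {(10, 1), (12, 1)}


def classify(version):
    """'fixed' | 'update' | 'not_affected' | 'unknown' for one PAN-OS version string.

    'update' means no fixed build at or below this one is listed for its train; it is not a
    claim that every such build is vulnerable, which only the vendor advisory can settle.
    """
    major, minor, maint, hotfix = parse_version(version)
    train = (major, minor)
    if train in NOT_AFFECTED_TRAINS:
        return "not_affected"
    if train not in FIXED:
        return "unknown"
    table = FIXED[train]
    if maint > max(table) or (maint in table and hotfix >= table[maint]):
        return "fixed"
    return "update"


# Constructed inventory; the feature flags stand in for the firewall's actual configuration.
SAMPLE_INVENTORY = [
    {"name": "edge-fw-1", "product": "PA-Series", "version": "11.2.3", "url_proxy": False, "decrypt_policy": True},
    {"name": "edge-fw-2", "product": "PA-Series", "version": "11.2.4-h4", "url_proxy": True, "decrypt_policy": True},
    {"name": "dc-fw-1", "product": "PA-Series", "version": "11.1.2-h10", "url_proxy": False, "decrypt_policy": False},
    {"name": "branch-1", "product": "VM-Series", "version": "10.2.13", "url_proxy": True, "decrypt_policy": False},
    {"name": "legacy-1", "product": "PA-Series", "version": "10.1.9", "url_proxy": True, "decrypt_policy": True},
    {"name": "lab-1", "product": "VM-Series", "version": "11.0.3", "url_proxy": False, "decrypt_policy": True},
    {"name": "cloud-1", "product": "Cloud NGFW", "version": "n/a", "url_proxy": False, "decrypt_policy": True},
]


def triage(inventory):
    """Return (name, status, exposed, priority) per firewall.

    Exposure follows the item's precondition: URL proxy functionality or a decrypt policy.
    """
    results = []
    for fw in inventory:
        status = "not_affected" if fw["product"] == "Cloud NGFW" else classify(fw["version"])
        exposed = bool(fw.get("url_proxy") or fw.get("decrypt_policy"))
        if status == "update":
            priority = "high" if exposed else "medium"
        elif status == "unknown":
            priority = "review"
        else:
            priority = "none"
        results.append((fw["name"], status, exposed, priority))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

`update` only means that no fixed build at or below the running version appears in the item; whether a given earlier build is actually affected is for the vendor advisory to settle, which is why the precondition flags drive the priority rather than the status alone.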

Compliance Best Practices

  • Develop and implement a comprehensive patch management policy for all network infrastructure devices, defining timelines and procedures for testing and deploying security updates.
  • Review the architecture of critical network segments and implement high-availability (HA) configurations for firewalls to ensure redundancy and failover capabilities.
  • Enhance network segmentation and implement strict access control lists (ACLs) to limit access to firewall data plane interfaces from untrusted or unnecessary network zones.
  • Establish a quarterly review process to audit firewall configurations and disable any non-essential features or policies to adhere to the principle of least functionality.

Clop Ransomware Steals HR Data From Washington Post's Oracle E-Business Suite

The Washington Post confirmed that human resources data for 9,720 current and former employees and contractors was stolen from its Oracle E-Business Suite environment. This incident is linked to a data theft and extortion campaign by the Clop ransomware group, which exploited a zero-day vulnerability, CVE-2025-61882, affecting Oracle E-Business Suite. A "bad actor" first contacted the company on September 29, leading to an investigation that determined unauthorized access to its Oracle environment occurred between July 10 and August 22. The compromised data includes names, bank account numbers, routing numbers, and Social Security numbers. Oracle disclosed and patched the vulnerability on October 4, and other organizations, such as Envoy Air and GlobalLogic, have also been impacted by this campaign. Clop, known for exploiting vulnerabilities in file-transfer services and demanding ransom, typically threatens to leak stolen data if payment is not received.

Severity: Critical

Sources

Threat Details and IOCs

Malware:Akira, AMOS, Atomic macOS Stealer, Atomic Stealer, BARBWIRE, C10p, CIop, Cl0p, CL0P, CL0P^_- LEAKS, Cl0p Ransomware, Clop, Clop Ransomware, CryptFile2, CryptoMix, Cryptomix Clop, CryptoMix Clop, CryptoShield, DEWMODE, FIN11, FlawedAmmyy, FlawedGrace, Get2, GetandGo, GOLDVEIN, GOLDVEIN.JAVA, GraceWire, HelloKitty, Kraken, LEMURLOOT, LOSTKEYS, Odyssey Stealer, OSX.AtomStealer, OSX.Odyssey, Poseidon Stealer, Ransom.Clop, SAGEGIFT, SAGELEAF, SAGEWAVE, SDBot, Silence.Downloader, TA505, TrueBot, ValleyRAT, Winos 4.0, Zeta
CVEs:CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211, CVE-2022-48503, CVE-2023-0669, CVE-2023-34362, CVE-2023-35036, CVE-2024-40766, CVE-2024-50623, CVE-2024-55956, CVE-2025-2746, CVE-2025-2747, CVE-2025-33073, CVE-2025-59367, CVE-2025-61882, CVE-2025-61884
Technologies:Accellion File Transfer Appliance, Apple iOS, Apple macOS, Apple Safari, Apple tvOS, Apple watchOS, ASUS Routers, Cleo Harmony, Fortra GoAnywhere MFT, Google Android, Kentico Xperience, Linux, Microsoft Active Directory, Microsoft Excel, Microsoft Hyper-V, Microsoft SQL Server, Microsoft Windows, Nutanix AHV, Oracle E-Business Suite, Oracle Java, Progress MOVEit Transfer, SolarWinds Serv-U, SonicWall SonicOS, Uhale Platform, VMware ESXi
Threat Actors:0ktapus, Akira, ATK103, Chimborazo, Cl0p, Clop, DEV0950, EvilCorp, FIN11, GoldEvergreen, GoldTahoe, GracefulSpider, HELLCAT, Hive0065, Kraken, LaceTempest, Lapsus, MuddledLibra, OctoTempest, ScatteredLAPSUSHunters, ScatteredSpider, ScatterSwine, SectorJ04, ShadowSyndicate, ShinyHunters, Silence, SpandexTempest, Storm-0875, Storm1567, TA505, UNC2546, UNC3944, VanillaTempest
Attacker Countries:Azerbaijan, Brazil, China, Iran, Lebanon, North Korea, Russia, United Kingdom, United States
Attacker IPs:100.21.161.34, 103.214.147.176, 103.214.147.177, 103.214.147.178, 103.214.147.181, 103.214.147.182, 103.214.147.187, 103.224.182.249, 103.244.54.149, 104.194.11.200, 104.194.222.107, 104.200.72.149, 104.21.7.153, 104.253.170.58, 106.75.139.199, 107.181.161.207, 13.248.213.45, 13.248.216.40, 138.197.152.201, 139.60.160.166, 141.101.68.154, 141.101.68.166, 141.98.82.198, 141.98.82.242, 142.44.212.178, 143.31.133.99, 146.0.77.141, 146.0.77.155, 146.0.77.183, 147.45.112.203, 147.45.112.205, 147.45.112.219, 147.45.112.220, 147.45.112.231, 147.45.112.253, 147.78.46.112, 147.78.46.115, 147.78.46.117, 147.78.46.134, 147.78.46.163, 147.78.46.164, 147.78.46.26, 147.78.46.69, 147.78.46.81, 147.78.46.97, 147.78.47.178, 147.78.47.236, 147.78.47.243, 148.113.152.144, 148.113.159.146, 148.113.159.213, 15.235.13.184, 15.235.83.73, 152.57.231.216, 161.97.99.49, 162.158.129.79, 162.244.34.26, 162.244.35.6, 162.255.119.122, 162.55.17.215, 166.70.47.90, 172.67.130.82, 172.71.134.76, 173.254.236.131, 179.60.145.216, 179.60.149.223, 179.60.149.244, 179.60.149.249, 179.60.150.121, 179.60.150.132, 179.60.150.143, 179.60.150.151, 185.104.194.134, 185.104.194.156, 185.104.194.24, 185.104.194.40, 185.117.88.17, 185.117.88.2, 185.162.128.75, 185.174.100.17, 185.174.100.215, 185.174.100.250, 185.181.229.240, 185.181.229.73, 185.181.60.11, 185.183.32.122, 185.185.50.172, 185.232.67.101, 185.232.67.15, 185.33.86.225, 185.33.87.126, 185.55.242.97, 185.80.52.230, 185.81.113.156, 185.99.3.99, 188.241.58.244, 192.187.111.219, 192.187.111.220, 192.187.111.221, 192.187.111.222, 192.42.116.191, 193.142.30.100, 193.142.30.134, 193.142.30.137, 193.142.30.144, 193.142.30.165, 193.142.30.194, 193.142.30.205, 193.142.30.242, 193.142.30.37, 193.142.30.39, 193.142.30.66, 193.142.30.99, 193.169.245.79, 193.24.211.240, 193.24.211.242, 193.24.211.244, 193.24.211.249, 193.29.13.150, 193.29.13.153, 193.29.13.240, 193.42.38.196, 194.165.16.113, 194.165.16.54, 194.165.16.92, 194.165.16.93, 
194.33.40.103, 194.33.40.104, 194.33.40.164, 194.34.239.33, 194.34.239.36, 194.34.239.44, 194.67.71.34, 195.38.8.241, 198.12.76.214, 198.137.247.10, 198.199.74.207, 198.245.13.4, 198.27.75.110, 198.54.117.200, 199.115.115.102, 199.115.115.116, 199.115.115.118, 199.115.115.119, 199.59.240.200, 199.59.242.153, 199.59.243.200, 199.59.243.201, 199.59.243.220, 199.59.243.221, 199.59.243.222, 199.59.243.224, 200.107.207.102, 200.107.207.15, 200.107.207.26, 200.107.207.31, 20.47.120.195, 206.221.182.106, 208.115.199.25, 208.91.197.87, 209.127.116.122, 209.127.4.22, 209.222.103.170, 209.222.98.25, 209.97.137.33, 212.32.237.101, 213.121.182.84, 216.120.146.200, 216.120.146.201, 216.144.248.20, 23.237.114.154, 23.237.56.234, 23.82.12.29, 23.82.12.30, 23.82.12.31, 23.82.12.32, 24.3.132.168, 3.101.53.11, 31.41.33.240, 31.41.33.241, 31.41.33.242, 34.196.13.28, 35.160.246.24, 37.156.246.165, 37.156.246.166, 37.156.246.168, 44.206.3.111, 45.145.20.212, 45.156.248.206, 45.182.189.107, 45.182.189.109, 45.182.189.181, 45.182.189.183, 45.182.189.194, 45.182.189.200, 45.182.189.224, 45.182.189.228, 45.182.189.229, 45.182.189.71, 45.182.189.72, 45.227.252.199, 45.227.252.226, 45.227.253.133, 45.227.253.147, 45.227.253.29, 45.227.253.50, 45.227.253.6, 45.227.253.82, 45.227.255.195, 45.227.255.214, 45.227.255.28, 45.227.255.29, 45.227.255.31, 45.227.255.74, 45.56.165.248, 46.161.27.113, 46.161.27.155, 46.161.27.158, 50.118.217.154, 50.7.118.90, 51.254.175.185, 5.149.248.68, 5.149.250.74, 5.149.250.90, 5.149.250.92, 5.149.252.51, 5.178.1.12, 5.178.1.13, 5.178.1.16, 5.178.1.17, 5.178.1.19, 5.178.1.7, 5.178.1.9, 5.188.206.214, 5.188.206.76, 5.188.206.78, 5.188.86.114, 5.188.86.162, 5.188.86.163, 5.188.86.18, 5.188.86.184, 5.188.86.185, 5.188.86.189, 5.188.86.205, 5.188.86.206, 5.188.86.213, 5.188.86.217, 5.188.86.231, 5.188.86/24, 5.188.86.250, 5.188.86.66, 5.188.86.70, 5.188.86.71, 5.188.86.72, 5.188.87.194, 5.188.87.226, 5.188.87.27, 5.188.87.35, 5.188.87.37, 5.188.87.38, 5.188.87.39, 
5.188.87.40, 5.188.87.46, 5.188.87.49, 52.38.113.95, 5.252.23.116, 5.252.25.88, 5.34.178.27, 5.34.178.28, 5.34.178.30, 5.34.178.31, 5.34.180.205, 5.34.180.48, 54.184.187.134, 5.42.246.34, 54.39.133.41, 62.112.11.57, 62.182.82.19, 62.182.85.234, 63.141.242.43, 63.141.242.44, 63.141.242.45, 63.141.242.46, 63.143.42.242, 66.85.26.215, 66.85.26.234, 66.85.26.248, 68.156.159.10, 68.183.120.53, 74.218.67.242, 75.101.131.237, 75.2.26.18, 76.117.196.3, 76.223.65.111, 76.223.67.189, 77.83.197.66, 78.128.112.137, 78.128.112.138, 78.128.112.222, 79.141.160.78, 79.141.160.83, 79.141.161.82, 79.141.166.119, 79.141.173.94, 81.17.18.198, 81.17.29.149, 81.19.135.30, 81.19.136.231, 81.19.138.52, 81.56.49.148, 82.117.252.141, 82.117.252.142, 82.117.252.97, 84.234.96.104, 84.234.96.31, 88.214.25.211, 88.214.25.213, 88.214.25.214, 88.214.25.221, 88.214.25.228, 88.214.25.242, 88.214.25.243, 88.214.26.25, 88.214.26.37, 88.214.26.38, 88.214.27.100, 88.214.27.101, 88.214.27.172, 88.214.27.175, 88.214.27.177, 88.214.27.179, 88.214.27.43, 88.214.27.72, 89.39.104.118, 89.39.105.108, 91.195.240.94, 91.199.163.59, 91.199.163.65, 91.202.4.76, 91.222.174.68, 91.222.174.95, 91.223.227.140, 91.229.76.187, 91.238.181.229, 91.238.181.236, 91.38.135.67, 92.118.36.199, 92.118.36.204, 92.118.36.210, 92.118.36.213, 92.118.36.249, 93.190.142.131, 96.10.22.178, 96.44.181.131, 99.83.153.108
Attacker Emails:support@pubstorm.com, support@pubstorm.net
Attacker Domains:bak0-store.com, cl-leaks.com, conversepharmagroup.com, goto-pay.com, he1p-center.com, he1p-me.com, in2pay.com, ms-pipes-service.com, pubstorm.com, pubstorm.net, santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion, teams-download.buzz, teams-download.top, teams-install.run, xbox-ms-store-debug.com
Attacker URLs:198.199.74.207:1234/update.jsp, 5.188.206.76:8000/se1.dll, /configurator/UiServlet, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion//ansell-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion//davidyurman-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/entrust-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/fluke-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/forbesmarshall-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/helixesg-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/integralife-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/kirbycorp-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/maritz-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion//mastec-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/pens-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/sato-global-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/tpicomposites-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/washingtonpost-com, http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/zanaco-co-zm, /OA_HTML/configurator/UiServlet, /OA_HTML/SyncServlet
Attacker Hashes:1234387dc20796ac8142d46b173bc635339c5041e2b108ca07274a90cc512268, 2c0c80c66246d13871f05b663d42767b0e7511df9ab18c26d3504b0ae80b2045, 43c8923f1ed3fcac411db874e2facc611254be1def53d72638321ed57663588a, 5cce1b8f04cb3766b2d70738ad35c5d8b0ef1e802f193baccc5058478e9859a3, 678266acbbb36795e41a210f15e25af212a2e65f34c282cb52c023ba55e164d5, 6877d8531901040aedfc7dc3d9af121bf1800c66c8960a60cc3fd4c361135869, 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b, 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d, 7b04ac63dc41d61d409b936d2fdce47c255461f0d1d5ae86a9ddecd39e964548, 8c614d8111aca771e32ed304b9253992c5c7c8faa5b62c9141aaca595f061df3, aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121, aa6d071d787ea8e8d054f7a699301f732cf73552d1df09a0155a5307b43df293, b1eff60fe6c57a5a4d1136b7d2c711d058aae6d0242ba4aa1a00c3027cbdca09, bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5, f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51
Victim Industries:Advertising Services, Aerospace, Airlines, Automotive, Chemical, Communication Services, Construction, Consumer Electronics, Critical Manufacturing, Defense, Digital Media, Distribution, Education, Energy, Financial, Financial Services, Financial Technology, Food & Beverage, Government, Healthcare, Hospitality, Industrials, Information Technology, Insurance, Logistics, Luxury Goods, Manufacturing, Media and Entertainment, Metals & Mining, Mining, Oil & Gas, Pharmaceuticals, Professional, Scientific, and Technical Services, Professional Services, Public Administration, Public Sector, Restaurants, Retail, Technology Hardware, Telecommunications, Textiles, Transportation, Transportation & Logistics, Travel, Utilities
Victim Countries:Afghanistan, Australia, Belgium, Canada, China, Denmark, France, Germany, India, Ireland, Japan, Kuwait, Malawi, Netherlands, New Zealand, Panama, Singapore, South Africa, South Korea, Switzerland, United Kingdom, United States, Vietnam

Mitigation Advice

  • Immediately apply the Oracle security patch for CVE-2025-61882 to all Oracle E-Business Suite instances in the environment.
  • Conduct a threat hunt within the Oracle E-Business Suite environment, searching logs and system files for indicators of compromise associated with the Clop ransomware group and CVE-2025-61882 exploitation.
  • Review and restrict all external network access to the Oracle E-Business Suite environment, ensuring only essential and authorized connections are permitted.
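
The threat-hunt step above needs the item's indicators in a form a script can match. The following is an added example, not Oracle's or F5's hunting content: it loads a few of the IP indicators listed above (including `5.188.86/24`, copied as printed, which is not a well-formed CIDR until its missing octet is padded), matches constructed EBS web-tier access records against those networks and against the `/configurator/UiServlet` and `/OA_HTML/SyncServlet` paths, and marks whether each hit falls in the July 10 to August 22 access window the item gives. The record schema and the addresses in the `10.0.0.0/8` range are constructed.

```python
import ipaddress
from datetime import datetime

# A handful of the indicators listed in the item above; '5.188.86/24' is copied exactly as it
# appears there, which is not a well-formed CIDR and would make ipaddress raise unpadded.
IOC_IPS = ["5.188.86/24", "5.188.206.76", "198.199.74.207", "147.45.112.203"]
IOC_PATH_SUFFIXES = ["/configurator/UiServlet", "/OA_HTML/SyncServlet"]
# Unauthorised access window given in the item (July 10 to August 22, inclusive).
WINDOW = (datetime(2025, 7, 10), datetime(2025, 8, 23))

# Constructed web-tier access records for the EBS front end (assumed schema).
SAMPLE_RECORDS = [
    {"ts": "2025-07-12T04:15:22", "src": "5.188.86.250", "path": "/OA_HTML/SyncServlet", "status": 200},
    {"ts": "2025-08-01T11:02:09", "src": "198.199.74.207", "path": "/OA_HTML/configurator/UiServlet", "status": 200},
    {"ts": "2025-08-30T09:00:00", "src": "5.188.206.76", "path": "/OA_HTML/RF.jsp", "status": 200},
    {"ts": "2025-07-20T08:30:00", "src": "10.0.0.5", "path": "/OA_HTML/configurator/UiServlet", "status": 200},
    {"ts": "2025-07-21T08:30:00", "src": "10.0.0.6", "path": "/OA_HTML/OA.jsp", "status": 200},
]


def to_network(entry):
    """Turn one IoC entry into an ip_network, padding short prefixes such as '5.188.86/24'."""
    addr, _, prefix = entry.strip().partition("/")
    octets = addr.split(".")
    if 0 < len(octets) < 4 and all(o.isdigit() for o in octets):
        octets += ["0"] * (4 - len(octets))
    addr = ".".join(octets)
    return ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)


def build_matcher(ioc_ips):
    """Return a predicate telling whether an address falls inside any indicator."""
    networks = [to_network(e) for e in ioc_ips]

    def is_ioc(ip):
        address = ipaddress.ip_address(ip)
        return any(address in net for net in networks)

    return is_ioc


def hunt(records, ioc_ips=IOC_IPS, path_suffixes=IOC_PATH_SUFFIXES, window=WINDOW):
    """Return (src, path, reasons, in_window) for every record touching an indicator.

    Records outside the window are still reported: the window scopes the known intrusion,
    not the attacker's infrastructure.
    """
    is_ioc = build_matcher(ioc_ips)
    hits = []
    for rec in records:
        reasons = []
        if is_ioc(rec["src"]):
            reasons.append("ioc_ip")
        if any(rec["path"].endswith(s) for s in path_suffixes):
            reasons.append("ioc_path")
        if reasons:
            ts = datetime.fromisoformat(rec["ts"])
            hits.append((rec["src"], rec["path"], tuple(reasons), window[0] <= ts < window[1]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

A hit with only `ioc_path` from an internal address, like the fourth record, is a weaker signal than an indicator address reaching the same path, so the reasons are returned separately rather than collapsed into one score; hits outside the window are kept because the window bounds the confirmed intrusion, not the attacker's infrastructure.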

Compliance Best Practices

  • Establish a formal vulnerability management program that includes automated asset discovery, regular vulnerability scanning, risk-based prioritization, and defined service-level agreements (SLAs) for patching.
  • Implement data-at-rest encryption for databases containing sensitive employee and customer information, such as the data stored in HR and financial applications.
  • Develop and implement a network segmentation strategy to isolate critical enterprise applications, such as ERP systems, from general corporate and user networks.
  • Develop and regularly test a formal incident response plan that includes specific playbooks for data breach scenarios involving critical business applications.
  • Establish a third-party risk management program to evaluate the security practices of critical software vendors and service providers.

Published Nov 18, 2025
Version 1.0