Full Report
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC.
Analysis Summary
# Tool/Technique: CVE-2024-40766 Exploitation
## Overview
Exploitation of **CVE-2024-40766** in **SonicWall SonicOS** was observed as an initial access vector used by the **Akira** ransomware group to gain unauthorized access to organizational networks. This vulnerability impacts SSL VPN functionality.
## Technical Details
- Type: Vulnerability Exploitation (CVE)
- Platform: SonicWall SonicOS (Firewalls/SSL-VPN)
- Capabilities: Granting unauthorized access, often leveraged for pre-positioning or credential harvesting leading toward ransomware deployment.
- First Seen: Q3 2025 (based on the observations made within this reporting period).
## MITRE ATT&CK Mapping
- T1190 - *Initial Access*
  - T1190.002 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Allows threat actors to bypass authentication or gain unauthorized sessions on SonicWall SSL-VPN gateways.
- Facilitated the initial compromise pathway for the Akira threat actor.
### Advanced Features
* Attacks observed are often successful even after patching if administrators fail to reset previously compromised SSL VPN credentials that were harvested during the exploitation window.
* Evidence suggests credentials migrated from older SonicWall devices, left unreset, were also utilized.
## Indicators of Compromise
- File Hashes: N/A (Focus is on vulnerability exploitation)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Specific C2/payload technical details were not provided in the summary, focus is on the initial access method)
- Behavioral Indicators: Non-standard login attempts or session activity related to SSL-VPN endpoints prior to a known compromise event.
## Associated Threat Actors
- Akira
## Detection Methods
- Signature-based detection: Signature updates targeting exploitation attempts against the CVE.
- Behavioral detection: Monitoring for successful VPN logins using credentials that appear stale or were harvested immediately following a known exploitation window for this CVE.
- YARA rules if available: N/A
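The behavioral detection above hinges on one question: is an SSL-VPN account still authenticating with a credential that predates the patch? The following script is an added example (not code from the report or from SonicWall) that answers it offline. It assumes a constructed patch date, a constructed table of last-reset timestamps per account, and constructed VPN login records; in practice these would come from the appliance's authentication log and the identity system's password-change history.

```python
from datetime import datetime, timezone

# Placeholder patch date for the exposed appliance (constructed, not from the report).
PATCHED_AT = datetime(2025, 8, 1, tzinfo=timezone.utc)

# Constructed credential metadata: when each SSL-VPN account's password was last reset.
LAST_RESET = {
    "alice": datetime(2025, 8, 3, tzinfo=timezone.utc),        # reset after patching
    "bob": datetime(2025, 2, 10, tzinfo=timezone.utc),         # exposed, never reset
    "svc-backup": datetime(2024, 11, 5, tzinfo=timezone.utc),  # migrated from an older device
}

# Constructed SSL-VPN authentication records: (timestamp, user, source_ip, result).
VPN_LOGINS = [
    ("2025-08-04T09:12:00Z", "alice", "203.0.113.10", "success"),
    ("2025-08-04T21:47:00Z", "bob", "198.51.100.77", "success"),
    ("2025-08-05T03:02:00Z", "svc-backup", "198.51.100.77", "success"),
    ("2025-08-05T08:30:00Z", "bob", "198.51.100.77", "failure"),
    ("2025-08-05T10:00:00Z", "ghost", "192.0.2.9", "success"),   # no reset record at all
    ("2025-07-20T10:00:00Z", "bob", "203.0.113.10", "success"),  # before the patch: out of scope
]


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_credential_logins(logins, last_reset, patched_at):
    """Successful post-patch logins whose credential was not reset after patching.

    An account with no reset record at all is treated as stale, since nothing
    proves the credential was rotated after the exploitation window closed.
    """
    findings = []
    for ts, user, ip, result in logins:
        when = parse_ts(ts)
        if result != "success" or when < patched_at:
            continue
        reset = last_reset.get(user)
        if reset is None or reset < patched_at:
            findings.append({
                "user": user,
                "source_ip": ip,
                "login_at": ts,
                "last_reset": reset.isoformat() if reset else None,
            })
    return findings


def accounts_needing_reset(last_reset, patched_at):
    """Accounts to force-reset: anything whose last reset predates the patch."""
    return sorted(user for user, reset in last_reset.items() if reset < patched_at)


if __name__ == "__main__":
    for finding in stale_credential_logins(VPN_LOGINS, LAST_RESET, PATCHED_AT):
        print("stale-credential login:", finding)
    print("force reset:", accounts_needing_reset(LAST_RESET, PATCHED_AT))
```

The second function produces the reset list the mitigation section calls for; running it before the detection logic shrinks the alert volume to accounts that should already have been rotated.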
## Mitigation Strategies
- Immediately patch all vulnerable SonicWall devices running affected SonicOS versions.
- **Crucially, force a reset of ALL SSL VPN credentials** on affected or potentially affected devices, including those migrated from older hardware, even if the device has been patched.
- Strengthen vulnerability patching and management programs, especially for high CVSS score CVEs (>9.5).
## Related Tools/Techniques
- Exploitation of other related SonicWall CVEs (e.g., CVE-2023-5970, CVE-2023-44221, CVE-2022-1703, CVE-2022-2915, CVE-2024-53704) listed in the report suggests a continuing focus on SonicWall platforms.
---
# Tool/Technique: LOLBINs (Living Off The Land Binaries)
## Overview
Threat actors are increasingly using pre-installed, trusted system utilities (LOLBINs) to execute malicious operations, evade detection, and maintain persistence. This trend was observed in 17% of investigations in Q3 2025, up from 13% in H1 2025.
## Technical Details
- Type: Technique (Usage of legitimate binaries)
- Platform: Windows (Implied, as LOLBIN usage is predominantly discussed in the context of Windows forensics, though it can apply to other OSs)
- Capabilities: Execution of adversary actions without dropping native malware, blending in with legitimate system operations.
- First Seen: Ongoing (Usage increased in Q3 2025)
## MITRE ATT&CK Mapping
- T1218 - *System Binary Proxy Execution*
  - T1218.001 - PsExec
  - *Note: Numerous other techniques apply depending on the specific LOLBIN used. The report implies broader usage beyond specific examples.*
## Functionality
### Core Capabilities
- Execution of arbitrary commands under the guise of a trusted process.
- Evading signature-based security controls.
### Advanced Features
- Enhances stealth by reusing existing system tools for tasks like data staging, lateral movement, or privilege escalation.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the process execution, not specific malicious files)
- File Names: System binaries being executed with anomalous command-line arguments or parent processes (e.g., `cmd.exe`, `powershell.exe`, `msbuild.exe` executing unexpected code).
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Unusual process lineage trees or execution patterns for common system utilities.
## Associated Threat Actors
- General threat landscape; observed in 17% of Q3 2025 investigations.
## Detection Methods
- Signature-based detection: Ineffective against the binary itself, must focus on command-line behavior.
- Behavioral detection: Crucial; monitoring process execution context, parent/child relationships, and command-line arguments for suspicious sequences.
- YARA rules if available: N/A
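Because the binary itself is trusted, the detection signal lives in the execution context: who launched it, with what arguments, from where. The script below is an added example (not code from the report) of three such context rules run over constructed Sysmon-style process-creation events; the rule names, the Office/shell lists and the user-writable-path pattern are my own choices, not a standard rule set.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"WINWORD.EXE" /n invoice.docx'},
    {"pid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell.exe -w hidden -enc QUJD"},
    {"pid": 400, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msbuild.exe C:\Users\bob\AppData\Local\Temp\build.xml"},
    {"pid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
]

# Rule vocabulary (assumed, not from the report): document handlers that should
# never spawn an interpreter, the interpreters themselves, and paths a normal
# user can write to.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"(?i)powershell.*\s-(e|en|enc|encodedcommand)\b")


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare names not paths."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the behavioral rules this process-creation event matches."""
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Rule 1: process lineage - an Office application launching a shell/interpreter.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawned_shell")
    # Rule 2: command line - PowerShell invoked with an encoded command anywhere in the line.
    if ENCODED_PS.search(cmd):
        hits.append("powershell_encoded_command")
    # Rule 3: argument context - a build tool compiling a project from a user-writable path.
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
        hits.append("msbuild_project_in_user_writable_path")
    return hits


def scan(events):
    """Map pid -> matched rule names for every event that trips at least one rule."""
    results = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            results[ev["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

Note that `powershell.exe Get-Process` (pid 500) and Word opening a document (pid 200) produce no hits: the rules key on lineage and arguments, which is exactly where a signature on the binary's hash has nothing to say.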
## Mitigation Strategies
- Strengthen behavioral monitoring and contextual analysis capabilities (e.g., modern EDR).
- Implement strict application control policies where possible.
- Focus on visibility into command-line arguments passed to system binaries.
## Related Tools/Techniques
- **Anydesk** (Remote Access Tool)
- **Netscan** (Likely a typo or internal reference, potentially overlapping with network scanning tools)
- **impacket** (Framework often used for credential manipulation and lateral movement)
- **pinggy** (Newer tool observed being adopted)
- **Mimikatz** (Credential stealing)
- **DCSync** (Credential/NTDS access technique)
- **WinRar** (Exfiltration tool)
- **WinSCP** (Exfiltration tool)
---
# Tool/Technique: New Persistence and Exfiltration Tools
## Overview
Threat actors are observed adopting newer tools for maintaining persistence and staging data exfiltration, alongside continued heavy use of established utilities. **Anydesk**, **Netscan**, **impacket**, and **pinggy** are noted for persistence, while **WinRar** and **WinSCP** continue to dominate exfiltration.
## Technical Details
- Type: Attack Tools (Persistence & Exfiltration)
- Platform: Windows (Implied by Mimikatz/DCSync associations)
- Capabilities: Establishing unauthorized remote access, performing post-exploitation activities, and securely moving data off the network.
- First Seen: Ongoing adoption in Q3 2025
## MITRE ATT&CK Mapping
- Persistence Mappings (Anydesk, Netscan, pinggy):
  - T1547 - Boot or Logon Autostart Execution
  - T1133 - External Control Service Session
- Exfiltration Mappings (WinRar, WinSCP):
  - T1041 - Exfiltration Over C2 Channel
  - T1567 - Exfiltration Over Web Service
## Functionality
### Core Capabilities (Persistence/Discovery/Lateral Movement)
- **Anydesk/Netscan/pinggy**: Establishing command and control (C2) channels or configuration for remote access/persistence.
- **impacket**: Used for advanced operations, often credential relay or manipulation using protocols like SMB/RPC.
### Advanced Features (Privilege Escalation & Exfiltration)
- **Mimikatz/DCSync**: Privilege escalation focused on extracting credentials or domain secrets (e.g., hashes, cleartext passwords).
- **WinRar/WinSCP**: Compressing/packaging sensitive data and transferring it off the victim network.
## Indicators of Compromise
- File Hashes: N/A (Tool-specific hashes not provided)
- File Names: Presence of installers/executables related to Anydesk, WinSCP, or configuration files left by pinggy/impacket post-operation.
- Registry Keys: Keys related to persistent service installation for remote access tools.
- Network Indicators: Outbound connections to commonly associated C2 infrastructure for these specific tools (e.g., Anydesk C2 domains, if known).
- Behavioral Indicators: Execution chains involving credential harvesting leading into network transfers using archival tools.
## Associated Threat Actors
- Not explicitly named for these specific tool usages, but these techniques are common across ransomware and espionage groups.
## Detection Methods
- Signature-based detection: Signatures for known binaries of newer tools (e.g., pinggy).
- Behavioral detection: Alerting on the use of credential dumping tools (Mimikatz artifacts/behavior) followed immediately by archive creation (WinRar) and outbound file transfer (WinSCP).
- YARA rules if available: N/A
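The behavioral detection above is a sequence, not a single event: credential access, then archive creation, then an outbound transfer, on the same host within a short time. The correlator below is an added example (not code from the report) that finds that ordered chain in constructed endpoint events. The stage names, the two-hour window and the event categories are assumptions standing in for whatever the EDR emits.

```python
from datetime import datetime, timedelta

# Ordered stages of the chain and the assumed window from the first stage to the last.
STAGES = ("credential_access", "archive_created", "outbound_transfer")
WINDOW = timedelta(hours=2)

# Constructed endpoint events: (host, timestamp, category, detail). Not real telemetry.
EVENTS = [
    ("HOST-A", "2025-09-10T02:00:00", "credential_access", "lsass.exe memory read by unsigned tool"),
    ("HOST-A", "2025-09-10T02:14:00", "archive_created", "WinRAR.exe wrote C:\\Users\\Public\\staging.rar"),
    ("HOST-A", "2025-09-10T02:31:00", "outbound_transfer", "WinSCP.exe connected to 203.0.113.50:22"),
    ("HOST-B", "2025-09-10T09:00:00", "archive_created", "WinRAR.exe wrote D:\\backup\\weekly.rar"),
    ("HOST-B", "2025-09-10T09:30:00", "outbound_transfer", "WinSCP.exe connected to 198.51.100.20:22"),
    ("HOST-C", "2025-09-10T03:00:00", "credential_access", "lsass.exe memory read by unsigned tool"),
    ("HOST-C", "2025-09-11T06:00:00", "archive_created", "WinRAR.exe wrote C:\\Temp\\x.rar"),
    ("HOST-C", "2025-09-11T06:05:00", "outbound_transfer", "WinSCP.exe connected to 198.51.100.20:22"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_exfil_chains(events, stages=STAGES, window=WINDOW):
    """Return {host: [stage timestamps]} for hosts where every stage occurred in order within `window`.

    HOST-B has an archive and a transfer but no credential access (a backup job),
    and HOST-C's archive comes a day after the credential access, so neither is reported.
    """
    per_host = {}
    for host, ts, category, _detail in sorted(events, key=lambda e: e[1]):
        per_host.setdefault(host, []).append((parse_ts(ts), category))

    chains = {}
    for host, evs in per_host.items():
        for i, (start, category) in enumerate(evs):
            if category != stages[0]:
                continue
            matched, want = [start], 1
            for later, later_cat in evs[i + 1:]:
                if later - start > window:
                    break                      # window closed without completing the chain
                if later_cat == stages[want]:
                    matched.append(later)
                    want += 1
                    if want == len(stages):
                        chains[host] = matched  # all stages seen, in order
                        break
            if host in chains:
                break
    return chains


if __name__ == "__main__":
    for host, times in find_exfil_chains(EVENTS).items():
        print(host, [t.isoformat() for t in times])
```

Anchoring the window on the credential-access event rather than on the archive is deliberate: archive-then-upload alone is what backup software does all day, and it is the preceding credential access that turns it into the pattern described above.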
## Mitigation Strategies
- Strict network egress filtering to block unauthorized file transfer protocols or known C2 destinations.
- Harden systems against credential theft by implementing LSA protection and discontinuing legacy credential access methods (limiting DCSync abuse).
- Monitor for deployment and unusual execution patterns of legitimate remote access tools like Anydesk.
## Related Tools/Techniques
- LOLBIN usage (as the use of these tools often complements LOLBIN execution).
---
# Trend/Technique: MFA Bypass
## Overview
Despite a significant rise in Multi-Factor Authentication (MFA) implementation (up to 75% of observed organizations), the rate of successful MFA bypass also increased, indicating rising sophistication in TTPs aimed at circumventing this control.
## Technical Details
- Type: Technique
- Platform: All platforms utilizing MFA protocols (Web SSO, VPNs, Cloud Services).
- Capabilities: Bypassing the second factor of authentication to gain unauthorized access.
- First Seen: Ongoing (Significantly prevalent in Q3 2025)
## MITRE ATT&CK Mapping
- T1556 - *Authentication Bypass*
  - T1556.003 - Multi-Factor Authentication (MFA) Tokens
  - T1556.005 - Phishing for Privileges (Often linked to phishing kits)
## Functionality
### Core Capabilities
- **Phishing Kits**: Used to capture credentials and session tokens simultaneously.
- **Adversary-in-the-Middle (AiTM)**: Intercepting real-time authentication exchanges.
- **Session Token Interception**: Stealing valid session cookies after a successful MFA challenge.
### Advanced Features
- Attackers are successfully leveraging these techniques despite organizations increasing MFA deployment, suggesting they are targeting user interaction points rather than just brute-forcing the factor itself.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connections originating from unexpected geographic locations or user agent strings immediately following a legitimate-looking MFA success event.
- Behavioral Indicators: User login successful on MFA prompt, followed immediately by unusual post-authentication activity from a different geographical location or endpoint.
## Associated Threat Actors
- General threat actors targeting initial access, including those conducting BEC.
## Detection Methods
- Signature-based detection: N/A
- Behavioral detection: Alerting on geographical anomalies or extremely rapid successive logins across different locations for the same account.
- YARA rules if available: N/A
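The geographical-anomaly detection above is usually implemented as an "impossible travel" check: compare each event for an account with the previous one and flag any pair that implies movement faster than an aircraft. The script below is an added example (not code from the report) that does this over constructed identity-provider events, and also flags a user-agent change shortly after an MFA success, which is the session-replay pattern the indicators section describes. Geolocations stand in for an IP-to-geo lookup, and the speed and time thresholds are assumptions.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed (lat, lon) pairs standing in for an IP-to-geolocation lookup.
BERLIN, PARIS, SINGAPORE = (52.52, 13.405), (48.8566, 2.3522), (1.3521, 103.8198)


def at(hour, minute):
    return datetime(2025, 9, 15, hour, minute)


# Constructed identity-provider sign-in and post-authentication activity events.
SIGNIN_EVENTS = [
    {"ts": at(9, 0),  "user": "alice", "geo": BERLIN,    "ua": "Chrome/Win", "event": "mfa_success"},
    {"ts": at(9, 5),  "user": "alice", "geo": SINGAPORE, "ua": "python-requests", "event": "mailbox_rule_created"},
    {"ts": at(9, 0),  "user": "bob",   "geo": BERLIN,    "ua": "Chrome/Win", "event": "mfa_success"},
    {"ts": at(9, 10), "user": "bob",   "geo": BERLIN,    "ua": "Chrome/Win", "event": "file_download"},
    {"ts": at(9, 0),  "user": "carol", "geo": BERLIN,    "ua": "Edge/Win",   "event": "mfa_success"},
    {"ts": at(12, 0), "user": "carol", "geo": PARIS,     "ua": "Edge/Win",   "event": "file_download"},
]

MAX_SPEED_KMH = 900.0              # assumed: faster than this between events is impossible travel
UA_WINDOW = timedelta(minutes=10)  # assumed: a user-agent change this soon after MFA is suspicious


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_anomalies(events):
    """Return (user, event, reasons) for activity inconsistent with the account's previous event."""
    last_by_user, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            elapsed = ev["ts"] - prev["ts"]
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(prev["geo"], ev["geo"])
            # Same timestamp but different place is also impossible; same place is always fine.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            reasons = []
            if speed > MAX_SPEED_KMH:
                reasons.append(f"impossible_travel:{km:.0f}km_in_{hours:.2f}h")
            if prev["event"] == "mfa_success" and ev["ua"] != prev["ua"] and elapsed <= UA_WINDOW:
                reasons.append("user_agent_changed_after_mfa")
            if reasons:
                findings.append((ev["user"], ev["event"], reasons))
        last_by_user[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for user, event, reasons in find_anomalies(SIGNIN_EVENTS):
        print(user, event, reasons)
```

Carol's Berlin-to-Paris move in three hours stays under the speed threshold and keeps her user agent, so she is not reported; Alice's Singapore activity from a scripting client five minutes after a browser MFA prompt trips both rules. The second rule is the one a phishing-resistant factor such as FIDO2 removes the need for, since the session it protects cannot be relayed in the first place.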
## Mitigation Strategies
- Transition to **phishing-resistant MFA** forms (e.g., FIDO2/Passkeys) which are inherently resistant to AiTM and session interception.
- Implement Conditional Access Policies based on location, device trust, and risk scoring.
## Related Tools/Techniques
- Phishing techniques.