Daily Briefing for 04.03.25

At a glance.

• Attackers exploit critical CrushFTP vulnerability following disclosure mix-up.
• CISA says fast flux technique poses threat to national security.
• Hunters International group plans to rebrand as extortion-only operation.

Attackers exploit critical CrushFTP vulnerability following disclosure mix-up.

Outpost24 has published a blog post on the "disclosure mess" surrounding a critical vulnerability (CVE-2025-31161) affecting the CrushFTP file transfer service, which is now being exploited in attacks. CrushFTP issued a patch for the flaw on March 21st, while a CVE identifier was still pending with MITRE. Several days later, vulnerability intelligence firm VulnCheck, which is a CVE Numbering Authority, gave the flaw the identifier CVE-2025-2825. Outpost24, which discovered and responsibly disclosed the flaw, had agreed to wait 90 days before disclosing details, but other security firms began analyzing the issue following VulnCheck's classification. A proof-of-concept exploit is now available. MITRE assigned the vulnerability the identifier CVE-2025-31161 on March 27th.

Outpost24 states, "The vulnerability is now being exploited by remote attackers, who are using it to gain unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11. There have been over 1,500 vulnerable instances exposed online. The threat is particularly concerning as file transfer products like CrushFTP are often targeted by ransomware gangs. CrushFTP has released patches to address the issue, and the recommended action is to immediately update to version 10.8.4 or 11.3.1 and later."

CISA says fast flux technique poses threat to national security.

The US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and other Five Eyes partners have issued a joint advisory on "fast flux," a technique used by threat actors "to obfuscate the locations of malicious servers by rapidly changing DNS records." The agencies say this technique "poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection."

The advisory states, "The authoring agencies encourage organizations to use cybersecurity and [Protective DNS] services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat."

Hunters International group plans to rebrand as extortion-only operation.

The Hunters International ransomware-as-a-service (RaaS) group plans to shut down and rebrand as "World Leaks," an extortion-only operation, according to researchers at Group-IB. Group-IB states, "From the administrator’s perspective, ransomware is no longer profitable and risky. As a result, the operators released a new project on 1 January 2025 called World Leaks. Instead of conducting double extortion, the operation will shift to extortion-only attacks. The criminals collaborating with the group will be provided with a purportedly self-developed exfiltration tool designed to automate the process of data exfiltration in the victims networks."