Critical Infrastructure and Identity Systems Under Active Attack
- SISA Weekly Threat Watch -

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.
1. Critical Vulnerabilities in Widely Deployed Infrastructure
This trend encompasses the active exploitation of severe flaws in essential software and hardware platforms that form the core of enterprise IT, cloud, and communication networks.
- Citrix NetScaler ADC/Gateway RCE (CVE-2025-7775): A critical, actively exploited zero-day vulnerability (CVSS 9.8) affecting over 28,000 internet-facing instances globally. This flaw allows unauthenticated remote code execution on these vital network appliances, which are often used for VPN and load-balancing services, providing a direct gateway into corporate networks.
- Docker Desktop Privilege Escalation (CVE-2025-9074): A critical flaw (CVSS 9.3) in Docker Desktop for Windows and macOS that allows a malicious container to break isolation by accessing the unauthenticated Docker Engine API. This enables attackers to escalate privileges and achieve full control of the host operating system.
- FreePBX Zero-Day Exploitation: Active in-the-wild attacks targeting a zero-day vulnerability in the FreePBX Administrator Control Panel (ACP). When exposed to the internet, this flaw allows attackers to execute arbitrary commands, compromising entire VoIP systems, SIP trunks, and call centers.
2. Sophisticated Identity and Cloud Trust Abuse
Financially motivated threat actors are shifting from traditional ransomware deployment to more efficient “cloud-first” extortion, systematically exploiting weaknesses in hybrid identity management to seize control.
- Storm-0501’s Entra Connect Attack: This ransomware-as-a-service affiliate group is refining a playbook that abuses hybrid trust. After gaining initial access, they escalate to Domain Admin, perform DCSync to steal credentials, and pivot to compromise Microsoft Entra Connect servers. They then identify and take over a non-human synced identity with Global Admin privileges (often lacking MFA) to gain control of the Entra ID tenant, register a malicious federated domain for persistence, and proceed with mass data exfiltration, resource deletion, and extortion.
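The persistence and privilege steps in this chain leave entries in the Entra ID audit log. As an added illustration (not SISA's code), the following triage flags privileged role assignments and federation-settings changes in a few constructed audit records; the operation display names and property layout are assumptions modelled on the Entra audit-log export and should be verified against your own tenant's data.

```python
import json

# Watch list of audit operations (display names are assumptions; confirm against your tenant)
HIGH_RISK_OPERATIONS = {
    "Set federation settings on domain": "federated domain added or changed (persistence)",
    "Add member to role": "privileged role assignment",
    "Add application": "new application registration",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

def assigned_roles(record):
    """Collect role names from a role-assignment record's modifiedProperties."""
    roles = set()
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                roles.add(str(prop.get("newValue", "")).strip('"'))
    return roles

def triage(records):
    """Return (timestamp, actor, reason) for each record that deserves an alert."""
    alerts = []
    for r in records:
        op = r.get("activityDisplayName", "")
        reason = HIGH_RISK_OPERATIONS.get(op)
        if reason is None:
            continue
        if op == "Add member to role":
            hit = assigned_roles(r) & PRIVILEGED_ROLES
            if not hit:
                continue  # routine, non-privileged role change
            reason += ": " + ", ".join(sorted(hit))
        actor = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        alerts.append((r["activityDateTime"], actor, reason))
    return alerts

# Constructed sample records (not real telemetry), one JSON object per line
SAMPLE_LOG = """
{"activityDateTime":"2025-08-26T02:11:09Z","activityDisplayName":"Add member to role","initiatedBy":{"user":{"userPrincipalName":"sync_svc@corp.example"}},"targetResources":[{"modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\\"Global Administrator\\""}]}]}
{"activityDateTime":"2025-08-26T02:13:41Z","activityDisplayName":"Set federation settings on domain","initiatedBy":{"user":{"userPrincipalName":"sync_svc@corp.example"}},"targetResources":[{"displayName":"sso-backup.example"}]}
{"activityDateTime":"2025-08-26T09:00:00Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"helpdesk@corp.example"}},"targetResources":[]}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for ts, actor, reason in triage(SAMPLE_RECORDS):
        print(f"{ts} {actor}: {reason}")
```

A synced service identity both receiving Global Administrator and then changing federation settings within minutes is exactly the sequence worth paging on.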
3. Novel Financial Fraud Techniques
Attackers are leveraging legitimate tools and complex socio-technical operations to orchestrate large-scale financial fraud that bypasses traditional security controls.
- Ghost Tap NFC Relay Attacks: This scheme exploits the NFCGate research application to create a real-time relay between a stolen credit card in one location and a “money mule” making a contactless payment in another. The attack bypasses fraud detection by using legitimate, cryptographically verified payment tokens through Apple Pay or Google Pay, making transactions appear genuine despite the geographic impossibility.
Proactive Steps for the Week
Patch and Isolate Critical Systems Immediately:
- Citrix NetScaler: Immediately apply the official patches for CVE-2025-7775. If using end-of-life versions, prioritize migration to a supported release. Assume internet-facing instances are already targeted.
- Docker Desktop: Upgrade all Windows and macOS installations to version 4.44.3 without delay. Audit containers for suspicious activity and restrict network access to the Docker API.
- FreePBX: Apply the provided EDGE module fix immediately. If unable to patch, instantly block all internet access to the Administrator Control Panel (ACP) via firewall rules until a full security update is applied.
Harden Identity and Access Management:
- Enforce MFA Universally: Mandate phishing-resistant MFA for all user and non-human identities, especially those with high privileges like Global Administrator. Eliminate SMS OTP as a sole factor for critical access.
- Secure Entra Connect: Upgrade Entra Connect servers to v2.5.3.0 and enable Modern Authentication. Enable TPM on these servers to protect stored credentials and strictly monitor them for anomalous activity.
- Implement Least Privilege: Conduct an urgent audit of synced identities and Global Administrator roles. Use Privileged Identity Management (PIM) for just-in-time access and drastically reduce standing privileges.
Enhance Monitoring and Fraud Detection:
- Monitor for Impossible Travel: Financial institutions must implement and tune systems that detect geographically impossible transactions, a key indicator of NFC relay attacks like Ghost Tap.
- Audit Cloud Tenants: Continuously monitor Entra ID/Azure AD for suspicious changes, including new federated domains, application registrations, and sudden privilege escalations.
- Segment and Restrict: Network segmentation is critical. Ensure critical management interfaces (Citrix, FreePBX ACP, Docker APIs) are not exposed directly to the internet and are only accessible from trusted, segmented networks.
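The impossible-travel check recommended above for Ghost Tap style NFC relays can be reduced to a speed test between consecutive card-present transactions on the same payment token. The block below is an added example, not SISA's or any issuer's code; the 900 km/h threshold, the 1 km jitter floor and the transaction records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Fastest plausible movement between two card-present transactions
# (assumption: roughly commercial air speed; tune to your fraud model)
MAX_PLAUSIBLE_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, implied_kmh) for consecutive transactions on one token
    whose separation in space and time implies a speed above max_kmh."""
    by_token = {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_token.setdefault(t["token"], []).append(t)
    flagged = []
    for seq in by_token.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1.0:
                continue  # same venue or GPS jitter, not a relay signal
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same second, different city
            if speed > max_kmh:
                flagged.append((prev, cur, speed))
    return flagged

# Constructed sample transactions (not real data): token A taps in Berlin, then
# minutes later in Sao Paulo; token B moves Berlin -> Potsdam at a plausible pace.
SAMPLE_TXNS = [
    {"token": "tok_A", "ts": "2025-08-26T14:02:10Z", "lat": 52.52, "lon": 13.405, "merchant": "Berlin kiosk"},
    {"token": "tok_A", "ts": "2025-08-26T14:09:45Z", "lat": -23.55, "lon": -46.63, "merchant": "Sao Paulo electronics"},
    {"token": "tok_B", "ts": "2025-08-26T14:02:10Z", "lat": 52.52, "lon": 13.405, "merchant": "Berlin kiosk"},
    {"token": "tok_B", "ts": "2025-08-26T15:10:00Z", "lat": 52.39, "lon": 13.06, "merchant": "Potsdam cafe"},
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_TXNS):
        print(f"{prev['token']}: {prev['merchant']} -> {cur['merchant']} implies {kmh:,.0f} km/h")
```

Terminal geolocation is the weak input here: the check only works when acquirer data carries a trustworthy merchant location for both the victim's card and the mule's tap.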
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.