VPN

Blogs

Identity Based Attacks, the Growing Risk; How do Orgs’ Navigate

In 2025 identity based attacks have surged up and research reveals how identity based attacks  have affected  identities, endpoints and cloud assets over 4 million past year as reported by threat detection report 2025 by  Red Canary.

As organizations grow and continue to harness technology, identity based attacks grow to and risk associated with them. And this brings us to understand he urgent need for strong identity protection as adversaries explore new techniques.

The Threat landscape is vast and have variety to support the attack includes evolving ransomware tactics, supply chain weaponization and attacks on non-human identities.

In this blog we take a look at what rate identity based attacks are growing and what is required to strengthen organizational strategies for resilience.

Of late the type of attacks that are taking center stage are Social engineering based attacks that has gained popularity as per CrowdStrike report.

Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details.

Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access.

Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.

The weakest link in Identity threats

With the usage of cloud most of the enterprises are shifting workload to cloud or hybrid cloud environment and now cloud infrastructure remains one of the points where frequency of attack has increased to achieve initial access.

This also includes increases in  macOS threats, info stealers and business email compromise. VPN based abuse is hard to detect so a easy gateway for criminals to launch ransomware based attacks and these products are actually leveraging identity based attacks including insider threats.

Threat researchers from Sygnia have noticed misconfigured Identity and Access Management (IAM) policies are one of the biggest culprits in creating openings for lateral movement and privilege escalation by attackers.

Popular social media websites and apps are breeding grounds for identity based attack that started from social engineering tactics being deployed by state sponsored threat groups to deliver their harmful intentions.

Example: Hackers gained access to Microsoft 365 tenant and authenticated against Entra ID using captured session tokens. This technique not only bypassed multi-factor authentication (MFA), but also circumvented other security controls that were in place.

AWS access keys were discovered on the compromised devices as well, giving the attackers two ways into the AWS environment—through direct API access and the web console via compromised Entra ID users.

Now business are looking to move beyond passwords and weak MFA. Passkeys, Biometric authentication, Risk-based access, and Continuous identity verification will become non-negotiable.

Bolstering organizations identity governance, adopting zero trust principles and participating in identity-focused red team assessments will be the need of the hour.

What can security leaders do to Stay Ahead of Identity-Based Attacks in 2025?

Passwords aren’t enough these day nor are MFA as attackers are advanced in techniques and wont wait to break authentication when they can bypass, manipulate, or socially engineer their way in.

  • Go passwordless: FIDO2, Passkeys, Biometrics are not required or eliminate them
  • Enforce phishing-resistant authentication: No SMS, no email-based resets, no security questions.
  • Implement real-time identity monitoring: Spot privilege escalations before attackers use them.
  • Require device trust: If a device isn’t secure you are not secured.

Organizations can stay ahead of this growing threat by leveraging GaarudNode which seamlessly integrate to detect and mitigate exposed credentials in real time. 

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
GaarudNode Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.


Do connect or DM for queries

Source: https://www.crowdstrike.com/en-us/blog/how-to-navigate-2025-identity-threat-landscape/

Security Advisory

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities 

SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

Key Details:

  • The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
  • It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
  • Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.

Summary 

OEM SonicWall 
Severity High 
CVSS 8.2 
CVEs CVE-2024-53704 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Authentication CVE-2024-53704 SonicWall  High 7.1.x (7.1.1-7058 and older), 7.1.2-7019 
8.0.0-8035 
A privilege escalation vulnerability CVE-2024-53706 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A weakness in the SSLVPN authentication token generator CVE-2024-40762 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A server-side request forgery (SSRF) vulnerability CVE-2024-53705 SonicWall Medium 6.5.4.15-117n and older 
7.0.x (7.0.1-5161 and older) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2024-53704  Gen7 Firewalls, Gen7 NSv, TZ80 An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.  Bypass authentication 
 CVE-2024-53706  Gen7 Cloud Platform NSv A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.  Allow attackers to gain root privileges and potentially execute code. 
  CVE-2024-40762  Gen7 Firewalls, Gen7 NSv, TZ80 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN. 
 CVE-2024-53705  Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. Allow attackers to establish TCP connections to arbitrary IP addresses and ports 

Remediation

  • Update: Impacted users are recommended to upgrade to the following versions to address the security risk: 
 Firewalls Versions Fixes and Releases 
Gen 6 / 6.5 hardware firewalls SonicOS 6.5.5.1-6n or newer 
Gen 6 / 6.5 NSv firewalls SonicOS 6.5.4.v-21s-RC2457 or newer 
Gen 7 firewalls SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher 
TZ80: SonicOS SonicOS 8.0.0-8037 or newer 

Recommendations: 

  • Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory. 
  • Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access. 
  • Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts. 
  • Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities. 

References: 

Security Advisory

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM Ivanti  
Severity Critical 
CVSS 9.0 
CVEs CVE-2025-0282, CVE-2025-0283  
Exploited in Wild  Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another  Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Stack-Based Buffer Overflow Vulnerability  CVE-2025-0282 Ivanti Critical 22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3  
Stack-Based Buffer Overflow Vulnerability CVE-2025-0283  Ivanti High 22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior  

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-0282  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.  RCE, System compromise, Data theft, Network breaches, and Service disruptions.  
CVE-2025-0283  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges Allow Local Authenticated Attackers to Escalate Privileges. 

Remediation

  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti 
  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below: 

Affected Version(s) Fixes and Releases 
22.7R2 through 22.7R2.4  22.7R2.5  
22.7R2.4 and prior,  9.1R18.9 and prior  22.7R2.5  
22.7R2 through 22.7R2.3  22.7R2.5, Patch planned availability Jan. 21  
22.7R2.3 and prior  22.7R2.5, Patch planned availability Jan. 21  
22.7R1 through 22.7R1.2  Patch planned availability Jan. 21  
22.7R1.2 and prior  Patch planned availability Jan. 21  
  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and Maintain an incident response plan to quickly mitigate the impact of any security breach. 

References: 

Scroll to top