216.73.217.22

Mass Scanning and Exploit Campaigns

· Published 16/05/2025 08:51 · Modified 21/05/2025 21:05

Export JSON

Essential information

Published
16/05/2025 08:51
Modified
21/05/2025 21:05
Tags
2025-05-16 CVE-2024-10914 CVE-2024-41713 CVE-2024-55591 CVE-2025-0108 CVE-2025-24472 bulletproof hosting critical vulnerabilities exploit campaigns mass scanning ransomware superblack underground forums vulnerability exploitation
Related entities
5 vulnerabilities (cve), 22 observables, 1 intrusion sets (apt), 11 techniques (mitre), 1 malware, 6 others

Description

Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and services advertised on . and targeting multiple sectors were observed, with technology and financial organizations being the most common targets. A specific IP address linked to operators was found distributing critical exploits. The analysis also uncovered a potential rebranding of underground hosting services and shifts in IP addresses between different ASNs, suggesting relationships between providers.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (5)

CVE-2025-0108 KEV
9.1 Critical

An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface …

Attack vector
Network
Published
18/02/2025
Modified
21/12/2025
Modified
CVE-2025-24472 KEV
8.1 High

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 …

Attack vector
Network
Published
18/03/2025
Modified
21/12/2025
Awaiting Analysis
CVE-2024-55591 KEV
9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector
Network
Published
14/01/2025
Modified
27/05/2026
Analyzed
CVE-2024-10914
8.1 High

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …

Attack vector
NETWORK
Published
06/11/2024
Modified
21/12/2025
Modified
CVE-2024-41713 KEV
9.1 Critical

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker …

Attack vector
Network
Published
07/01/2025
Modified
21/12/2025
Awaiting Analysis

Observables (22)

  • 91.212.166.62
  • 91.212.166.60
  • 91.212.166.27
  • 45.135.232.24
  • 45.135.232.171
  • 45.135.232.174
  • 45.135.232.103
  • 45.135.232.108
  • 45.134.26.8
  • 45.134.26.199
  • 45.134.26.104
  • 193.143.1.78
  • 193.143.1.64
  • 45.140.17.98
  • 45.134.26.81
  • 45.134.26.80
  • 45.134.26.38
  • 45.134.26.124
  • 45.140.17.21
  • 193.143.1.65
  • 91.212.166.65
  • 193.143.1.33

Intrusion sets (APT) (1)

  • Proton66
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:38 · Modified 21/12/2025 13:38

Techniques (MITRE) (11)

  • T1490
    Inhibit System Recovery
  • T1567
    Exfiltration Over Web Service
  • T1005
    Data from Local System
  • T1486
    Data Encrypted for Impact
  • T1082
    System Information Discovery
  • T1083
    File and Directory Discovery
  • T1595
    Active Scanning
  • T1566
    Phishing
  • T1190
    Exploit Public-Facing Application
  • T1133
    External Remote Services
  • T1078
    Valid Accounts

Malware (1)

  • SuperBlack
    Family
    Published 16/05/2025 08:51 · Modified 16/05/2025 08:51

Others (6)

  • Retail
  • Technology
  • Healthcare
  • Finance
  • Government
  • Manufacturing

External references