Quest Security and Service Advisories

Security Advisory: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware (5/23):

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

Release Date: May 21, 2025

Alert Code: AA25-141B

Advisory details

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

Security Advisory: Malicious KeePass Campaign Identified (5/20):

Quest is issuing a critical security advisory regarding a malicious campaign involving trojanized versions of the KeePass password manager.

Summary of Threat:

Threat actors have been distributing compromised versions of KeePass for at least eight months. These versions, dubbed KeeLoader, are built from altered open-source KeePass code and retain full password management functionality. The compromised versions of KeePass are embedded with malicious components that install Cobalt Strike beacons for remote access, export KeePass password databases in cleartext, and enable credential theft and ransomware deployment.

For more details, you can read the full report here.

Recommended Actions:

• Only download KeePass and other sensitive software from official sources.
• Avoid clicking on advertisements, even if they appear to link to legitimate URLs. Threat actors have demonstrated the ability to spoof URLs in ads to redirect users to malicious sites.
• Verify digital signatures and checksums where possible before installing software.

We urge all users to remain vigilant and review any recent KeePass installations for signs of compromise.

Security Advisory: Threat Actors Breach and Spread in Under an Hour - Auto-Containment (4/30):

Quest is issuing this urgent security alert to highlight a critical and rapidly growing threat we have observed in the field. Threat actors are breaching and spreading through systems faster than ever, with the average breakout time dropping from over an hour in 2022 and 2023 to under 48 minutes today—and in some cases, less than 1 minute. A significant number of these attacks occur on weekends or after business hours, leaving organizations vulnerable during off-peak times.

Call to Action:

• Review and Enable Auto-Containment:
  • Auto-containment for endpoint protection is critical but often not enabled by default on most security tools.
  • Assess its availability and discuss the need for enablement within your organization.
• Utilize Advanced Cybersecurity Tools:
  • Consider tools that automatically contain threats based on device or user behavior to improve response times and limit damage.

Why This Matters:

Today’s cybercriminals move quickly after gaining access, making lateral movement from one system to the next before teams even detect their presence. This can lead to severe consequences, including:

1. Ransomware spreading across servers within hours.
2. Stolen credentials used for privilege escalation.
3. Sensitive data stolen before any alerts are triggered.

Real-World Example:

A midsize financial firm fell victim to a phishing attack. Without endpoint isolation, the attacker compromised a single device and spread to encrypt most of the network within 90 minutes. The result? Ransom demands and several days of costly downtime.

What the Experts Say:

• CISA Guidance: Immediate containment is crucial to reducing damage during cyber incidents.
  • CISA Incident Response Plan Guide
• CrowdStrike Findings: China-related hacking activities have reached a critical "inflection point."
  • CrowdStrike: China hacking has reached 'inflection point' | TechTarget

What This Means For You:

• If You Have Auto-Containment:
  • Ensure it is enabled immediately.
  • Activate your incident response plan promptly in the event of a suspected threat.
• If You Don’t Have Auto-Containment:
  • You’re at increased risk of delayed containment, greater damage from fast-moving threats, and extended recovery times. Consider upgrading to a solution that includes automated threat containment.

Contact our team if you’d like to review your current setup, and we’ll arrange a call.

Security Advisory: Critical Update Required for Microsoft Entra Connect Sync (4/24):

Microsoft has announced a critical update affecting Microsoft Entra Connect Sync, the tool used to synchronize on-premises Active Directory with Microsoft Entra ID (Azure AD). Unless environments are updated before April 30, 2025, key functions within the tool will cease to operate.

Link to source(s):

Microsoft Entra Connect Sync Update

If your environment is using Microsoft Entra Connect Sync (formerly Azure AD Connect) with a version lower than v2.4.18.0, your environment will be impacted. While core synchronization will continue, the ability to manage or reconfigure the sync tool will be significantly degraded.

If you have any questions about how this may affect your environment or how Quest can assist, please reach out to our team. We’re here to help.

Security Advisory: Fortinet Post-Exploitation Technique for Known Vulnerabilities (4/11):

Quest has been notified of a Fortinet advisory regarding a new post-exploitation technique for known vulnerabilities. Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet RCE vulnerabilities within FortiOS and FortiGate products. This malicious file could enable read-only access to files on the device’s file system, which may include configurations.

Link to source(s):

Analysis of Threat Actor Activity | Fortinet Blog

Recommended Steps to Execute in Case of a Compromised Host

Recommendation:

• Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to remove the malicious file and prevent re-compromise.
• Review the configuration of all devices.
• Reset potentially exposed credentials.

If you need assistance with reviewing, upgrading, or resetting credentials for FortiOS and FortiGate products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

Security Advisory: Stay Alert – Phishing Attacks Are Becoming More Believable (3/26):

Cybercriminals are making phishing attacks more convincing by mimicking emails you expect to receive. These fraudulent messages often appear to come from trusted sources, such as:

• Internal departments (HR, IT, Finance)
• Popular services (Microsoft, Google, Amazon)
• Known colleagues or vendors

They frequently create a sense of urgency, prompting actions like updating passwords, entering credentials to view a shared file link, confirming payments, or opening an important document attachment. Clicking on a malicious link or attachment is a common tactic used to gain initial access, which can result in credential theft, ransomware, or data breaches.

Quest is assisting customers in implementing configurations and features to defend against phishing and unauthorized access. These measures include:

Technical Defenses

• Configuring email filtering
• Enabling audit logs and alerts for unusual activity
• Utilizing phishing-resistant multifactor authentication (MFA)
• Enforcing DMARC, DKIM, and SPF protocols
• Restricting file-sharing permissions
• Implementing data loss prevention (DLP) measures

Establishing a Response Plan

• Developing an incident response plan
• Conducting tabletop exercises
• Running phishing simulations

Stay vigilant and think before you click. Please contact us if you'd like to schedule a meeting to review your defenses.

Security Advisory: Critical Vulnerabilities in Veeam Backup and Replication Products (3/19):

Quest has been notified of a security advisory addressing critical vulnerabilities in Veeam Backup and Replication products. Veeam has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products, as listed in their Security Advisory.

Vendor: Veeam

CVE(s): CVE-2025-23120

CVSS: 9.9 Critical

Exploited in the wild: Unknown

Impacted Products: Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.

Description: A vulnerability allowing remote code execution (RCE) by authenticated domain users.

Impact: An unauthenticated attacker could initiate a remote code execution, leading to unauthorized access to the backup server.

Note: This vulnerability only impacts domain-joined backup servers, which is against the Security & Compliance Best Practices.

Link to source(s): https://www.veeam.com/kb4649

IOC Available: No

Recommendation: Review applicability, apply the update released by Veeam as soon as possible, and continue to follow Veeam Security Best Practices.

If you need assistance with reviewing and patching impacted Veeam Backup and Replication products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

Security Advisory: Action Required – Review Disaster Recovery Plans for Azure Services (3/18):

The Quest team is strongly advising clients to review their disaster recovery plans. Relying solely on hyperscalers (AWS, Azure, Google, etc.) or Software as a Service (SaaS) vendors may not provide sufficient recovery capabilities, particularly in the event of a ransomware attack. Starting March 31, 2025, Azure will discontinue automatic disaster recovery for App Service web applications. This change means that in the event of a regional outage, applications will no longer fail over automatically to another region.

To improve your resilience, we strongly recommend evaluating your ability to recover in the event of a ransomware incident. Implementing ransomware-proof solutions can save your organization millions of dollars and reduce significant recovery times.

If you’d like to discuss or review your current disaster recovery plans, please contact us. We’re reaching out as a security advisor because we’ve seen many clients caught off guard by ransomware threats, resulting in avoidable disruptions.

Security Advisory: Critical Vulnerabilities in Broadcom VMware Products (3/4):

Quest has been notified of a security advisory addressing critical vulnerabilities in Broadcom VMware products. Broadcom has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products listed in their Security Advisory.

Vendor: Broadcom/VMware

CVE(s): CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

CVSS: 9.3-7.1 Critical

Currently Exploited in the wild: Yes

Description: Multiple vulnerabilities in VMware ESXi and Workstation include a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write.

Impact: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Workarounds / Mitigations: None

Link to source(s): Broadcom Security Advisory

IOC Available: No

Recommendation: Review applicability and apply the update released by Broadcom as soon as possible.

Need help mitigating an attack?

Contact Quest’s 24/7 Incident Response Team

Hotline: 800-443-5605 | Email: We will immediately contact you, assess your situation, and deploy our Incident Response Team.