The cyber domain has emerged as a pivotal battlefield in the intensifying confrontation between Israel and Iran. No longer confined to silent cyber-espionage, this conflict now spans precision cyber strikes, infrastructure sabotage, psychological operations, and narrative warfare driven by AI-generated disinformation. From the takedown of critical banking systems to symbolic defacements and cross-border cyber leaks, both state actors and hacktivist groups are actively shaping a volatile threat landscape.

But the cyber fallout is not isolated to the Middle East. The United States, due to its strategic alliances, critical infrastructure, and role in global cyber governance, is increasingly in the crosshairs. U.S. federal agencies, defense systems, utilities, and corporate networks face growing risks from Iranian-linked threat actors, either as direct retaliation or through collateral damage from supply chain exposures and shared cloud infrastructure.

Recent advisories from CISA and DHS underscore the concern: Iranian APTs and ideologically motivated hacktivists are probing for weaknesses, weaponizing psychological operations, and exploiting unpatched systems. Disinformation campaigns, some of which are generated by AI, are targeting the U.S. public and media, aiming to manipulate narratives and erode trust during geopolitical flashpoints.

As cyber operations become more autonomous, scalable, and integrated with kinetic warfare, the U.S. must reckon with a multipolar threat environment. This report analyzes the technical, strategic, and operational dynamics of the Israel–Iran cyber war, examines the trajectories of hacktivist and disinformation activity, and outlines the clear and present implications for U.S. national security, critical infrastructure, and private sector resilience.

### Israel-Iran ceasefire June 24 update ###

While diplomatic channels have successfully negotiated a ceasefire between Israel and Iran in the physical domain, the cyber battlefield shows no signs of de-escalation. Unlike conventional military operations that can be halted by diplomatic agreements, cyber operations persist in the shadows: unacknowledged, deniable, and continuing at full intensity. Intelligence sources indicate that both state-sponsored APT groups and ideologically motivated hacktivist collectives view the ceasefire as irrelevant to their operations. 

In fact, some analysts suggest cyber activities may intensify as both nations seek to gain strategic advantages while constrained from kinetic action. The nature of hacktivist groups and their future, as we expect it, will be escalated actions even as missiles remain grounded. For US companies, this creates a paradoxical situation: while headlines may suggest reduced tensions, the cyber threat level remains at critical, with Iranian-affiliated actors redirecting resources from physical to digital operations. 

National Terrorism Advisory System Bulletin 

DHS issued this “heightened threat” NTAS bulletin in response to escalating Israel–Iran hostilities, including U.S. airstrikes targeting Iranian nuclear sites. This alert, valid through September 22, 2025, outlines risks to the homeland. We can see ongoing attack attempts and the need to pull off a successful cyberattack.

Key U.S. threat components

• Pro-Iranian hacktivists are likely to launch low-level cyberattacks against U.S. networks.
• Iranian government-affiliated actors may conduct more sophisticated cyber intrusions.
• U.S. officials previously linked to the killing of Iranian commanders (e.g., January 2020 drone strike) remain potential targets.
• Religious edicts or “fatwas” from Iranian leadership could spur lone actors to violence.
• Anti‑Semitic and anti‑Israel ideology could fuel hate crimes, particularly against Jewish communities or pro-Israel targets.
• FTOs like Hamas, Hezbollah, Houthis, and PFLP have publicly called for attacks onthe  U.S. 

DHS Issues National Terrorism Advisory System Bulletin Amid Israel-Iran Conflict

Advisory & mitigation measures

• The bulletin notes no credible, specific threats to U.S. territory yet
• DHS encourages reporting suspicious behavior through networks like CISA, NSI, local law enforcement, the FBI, and the Fusion Centers
• CISA provides updated cybersecurity practices to secure U.S. government and private sector networks.
• Citizens urged to use “If You See Something, Say Something®” to report online or physical threats.

National Terrorism Advisory by DHS:  National Terrorism Advisory System Bulletin – Issued June 22, 2025

Threat Landscape Observation

Our Cyber Threat Intelligence (CTI) team is actively monitoring the evolving cyber threat landscape resulting from the Israel–Iran conflict, with a particular focus on its implications for U.S. companies. This ongoing analysis is focused on identifying potential risks and impacts to Guardz customers and partners.

June 2025 Update: Hacktivist Activity Escalation

The ongoing geopolitical conflict has triggered a significant uptick in cyber operations, particularly from ideologically motivated hacktivist groups. As of June 2025, we have identified over 120 active hacktivist groups engaged in cyber campaigns linked to the Israel–Iran war.

Notably, nine pro-Russian hacktivist groups have aligned themselves in support of Iran. Among them, Noname057(16) has taken a leading role, conducting coordinated DDoS attacks against Israeli infrastructure and digital services.

Despite the rise in activity, internal disputes among hacktivist factions and regional internet disruptions, particularly in parts of Iran, are contributing to temporary fluctuations in attack volume and consistency.

Geopolitical Spillover: Cross-Border Targeting Patterns

The impact of this cyber conflict has extended well beyond Israel and Iran, affecting multiple countries through targeted campaigns:

Note: The following groups are only part of the complete list. 

United States

Targets include:

• Arabian Ghosts
• Unknowns Cyber Team
• DieNet
• Elite Squad
• Mr Hamza
• Moroccan Black Cyber Army
• Mysterious Team Bangladesh

Following the United States military strikes on Iran, a few more hacktivist groups have openly declared intent to target U.S. digital infrastructure. These declarations mark a strategic escalation, signaling that the cyber retaliation phase is no longer limited to Israeli assets.

These actors, previously active in attacks on Israeli and European systems, are now pivoting toward American entities. Their known capabilities include:

• Coordinated DDoS campaigns against government and financial services
• Credential stuffing and data leaks against public sector platforms
• Disinformation operations through social engineering and Telegram-based leaks

These groups operate with ideological alignment to Iran’s cyber doctrine, and some share toolkits and IOCs with APT-affiliated operations.

Guardz ITDR in Action

Since the beginning of June, our Cyber Threat Intelligence (CTI) has significantly intensified its monitoring operations in response to rising geopolitical tensions and the corresponding increase in coordinated threat actor activity. This surge, fueled by the Israel–Iran conflict, has broadened its scope beyond regional interests, introducing new risks to U.S.-based organizations and infrastructure.

This enhanced monitoring is layered on top of our existing telemetry-driven detection framework, which continuously profiles customer environments to identify deviations from established baselines. Behavioral anomalies, irregular authentication patterns, unusual process executions, and suspicious external communications are flagged in real time and correlated against threat intelligence feeds, IOCs, and TTPs from both open-source and classified sources.

Our approach ensures we maintain visibility not only into direct attacks but also into emerging threats that may impact customer environments indirectly via shared cloud services, vendor infrastructure, or third-party software dependencies. This posture allows us to respond with high agility to any indication of adversarial activity, whether it originates from APT groups, coordinated hacktivist collectives, or opportunistic cybercriminals attempting to exploit the geopolitical chaos.

To date, we have observed a high volume of attempted access originating from known malicious sources. However, no successful compromises or unauthorized access have been identified.

Below are some of the attempts, Iran’s infrastructure, and the results. 

• 180+ coordinated attack attempts from Iranian infrastructure
• Hundreds of unique Iranian malicious IPs with AbuseIPDB scores of 30 and higher
• Primary focus on the US, but also European and Australian entities

US TARGETS – Primary Focus

Status: Critical Threat Confirmed 

• 163 total distinct attack attempts against US entities
• 49 unique US organizations targeted
• Target Sectors:

• US Commercial
• US Organizations
• US Networks
• US Education

Canadian Target – Secondary Focus

• 11 total distinct attack attempts against Canadian entities
• 8 unique Canadian organizations targeted
• Targeted Canadian Entities: Pinnacle Networks, Pinnacle Office, Benefits Alliance

Europe Targets – Threat Activity 

• 117 total distinct attack attempts against EU entities
• 42 unique EU organizations targeted
• 71 distinct Iranian attack IPs deployed

Australian Targets – Threat Activity 

• 173 total distinct attack attempts against AU entities
• 71 unique AU organizations targeted
• 126 distinct Iranian attack IPs deployed

Tactical Analysis

The observed threat activity reflects a structured and persistent credential abuse campaign, with indicators suggesting links to Iranian-aligned threat actors or proxy groups operating infrastructure in support of state objectives.

The frequent appearance of locked accounts indicates a deliberate account lockout strategy, likely designed to perform user enumeration by provoking lockout conditions across known or guessed usernames. This technique allows threat actors to validate the existence of accounts and map tenant user surfaces with high confidence.

The presence of incorrect credentials further supports a pattern of password spraying and brute-force testing. The attackers appear to rotate between usernames and low-complexity passwords, triggering both invalid credential responses and smart lockouts, which suggests automation is behind the attempts.

Moreover, the recurrence of the same IP addresses across a 20+ day window is often linked to multiple account targets. It demonstrates persistent infrastructure reuse, strongly implying coordinated campaigns rather than opportunistic scanning. This level of consistency indicates that adversaries are leveraging stable, likely compromised, or proxy-based infrastructure to maintain access and continuously probe identity surfaces without detection.

This behavior aligns with TTPs commonly observed in pre-breach recon and access phases used by APTs and credential-focused threat groups targeting cloud identity systems.

Summary

The cyber conflict between Iran and Israel has intensified into a sustained campaign of offensive operations that extend far beyond traditional espionage. What began as targeted cyber intrusions has evolved into massive attempts on critical infrastructure, coordinated disinformation campaigns, and widespread hacktivism involving over 120 groups, many of which are ideologically or politically aligned with Iranian interests. 

Following U.S. military actions and its continued alliance with Israel, several pro-Iranian hacktivist groups have declared the United States a legitimate target. These groups are launching cyber campaigns against U.S. government networks, private sector organizations, and critical infrastructure operators. Attacks range from denial-of-service operations and defacements to data exfiltration and social engineering, all intended to create disruption, instill fear, and demonstrate cyber reach.

Compounding the threat is the use of AI-generated content to fuel psychological operations and disinformation across social media platforms. These influence campaigns aim to manipulate public perception, amplify divisions, and erode trust in institutions during periods of geopolitical crisis.

The risks are not limited to direct attacks. U.S. organizations with supply chain dependencies, cloud hosted services, or partnerships with Israeli entities may experience collateral impact or become vectors for exploitation. The DHS and CISA have issued multiple advisories urging enhanced vigilance, accelerated patching, and proactive monitoring. As the cyber and kinetic dimensions of this conflict continue to converge, the United States faces a persistent and evolving threat landscape shaped by state actors, hacktivist coalitions, and information warfare tactics.

Introduction

On July 18, 2025, CrushFTP, a leading provider of managed file transfer (MFT) software, disclosed a critical zero-day vulnerability, CVE-2025-54309. This vulnerability exposes a glaring weakness in the AS2 validation mechanism of its web management interface. With a CVSS score of 9.8, the flaw enables remote, unauthenticated attackers to gain complete administrative control over affected CrushFTP servers.

This post offers a detailed, technical walkthrough of the vulnerability, its exploitation, real-world impact, and recommended defensive measures. Drawing from vendor advisories, Shodan scans, and independent research, this analysis provides a full-spectrum view necessary for security teams to act decisively.

CrushFTP and Its Role in Managed File Transfer

CrushFTP is a widely used file transfer platform that supports multiple protocols, including HTTP(S), FTP, and AS2. Organizations utilize it for secure and reliable data exchange, often within complex supply chains or between business partners.

• Why CrushFTP? It combines ease of deployment with flexible protocol support, making it popular in enterprise environments.
• AS2 Protocol Support: AS2 is essential for Electronic Data Interchange (EDI), a widely used technology in industries such as retail, logistics, and manufacturing.
• Attack Surface: The web management interface offers rich functionality but also creates a significant attack surface if not properly secured.

Vulnerability Breakdown: Understanding CVE-2025-54309

Description

CVE-2025-54309 arises from improper AS2 validation within the CrushFTP web interface when the DMZ proxy feature is disabled. This flaw allows attackers to send crafted HTTPS requests that bypass authentication and gain administrative privileges.

Attackers are likely to have reverse-engineered recent code changes, exploiting a previously patched but overlooked bug in the AS2 message processing logic.

The critical vulnerability CVE-2025-54309 in CrushFTP centers on a flaw in how the software processes AS2 protocol messages within its web management interface, particularly when the DMZ proxy feature is disabled. To fully appreciate the severity of this issue, it is essential to understand both the protocol involved and the nature of the validation failure.

AS2 Protocol and Its Importance

AS2 (Applicability Statement 2) is a widely adopted standard for secure and reliable electronic data interchange (EDI) over HTTP and HTTPS. It ensures message integrity, confidentiality, and non-repudiation by leveraging digital signatures, encryption, and delivery receipts. Many enterprises rely on AS2 for critical business communications, placing a premium on robust and accurate protocol handling.

The core issue with the improper AS2 validation

CVE-2025-54309 stems from improper validation of incoming AS2 messages. Typically, these messages undergo rigorous checks to verify headers, MIME boundaries, digital signatures, and certificate trust. However, when the DMZ proxy feature in CrushFTP is disabled, this protective layer is bypassed, forcing the server to rely on its internal AS2 validation logic.

Due to a flaw in this internal processing, the server incorrectly accepts crafted AS2 requests without enforcing necessary authentication and integrity checks. This creates an unprotected alternate channel allowing remote attackers to gain unauthorized administrative access simply by sending specially crafted HTTPS requests.

Why This Flaw Is Particularly Dangerous

This vulnerability is not a typical authentication bypass. Instead, it exposes a deep protocol parsing weakness at the intersection of cryptographic verification and session management. Attackers exploiting this flaw gain full administrative privileges without prior authentication, which is an exceptionally rare and highly impactful vulnerability.

Moreover, the attack leverages HTTPS, blending seamlessly with legitimate encrypted traffic. As a result, traditional security controls such as network-based intrusion detection and simple application logs may fail to flag this malicious activity.

The Critical Role of the DMZ Proxy

The DMZ proxy feature serves as a gatekeeper for AS2 messages, validating their authenticity and integrity before forwarding them to the internal server. When enabled, it effectively mitigates this vulnerability by enforcing strict protocol compliance and blocking malformed or malicious messages.

Disabling the DMZ proxy removes this safeguard, leaving the backend server exposed to unfiltered AS2 traffic. The flaw in the internal validation logic then becomes exploitable, providing a direct pathway for attackers to exploit.

Exploitable Attack Surface

The flaw exposes several critical attack vectors, including:

• Remote, unauthenticated access to administrative functions.
• Exploitation through standard HTTPS channels makes detection difficult.
• Bypassing of session and CSRF protections within the web management interface.
• Creation of persistent, stealthy accounts through manipulation of user identifiers.

Attack Mechanics: How the Exploit Works

Exploitation Steps in a nutshell

Crafting Malicious AS2 Messages: Attackers generate AS2 messages with manipulated headers and payloads to bypass authentication.

Bypassing Authentication: These crafted requests exploit the alternate channel flaw to establish a remote, authenticated administrative session.

Gaining Full Admin Control:  Once authenticated, attackers can create or modify user accounts, upload or download files, and manipulate server configurations.

Maintaining Persistence: Attackers may create long, random user IDs (e.g., 7a0d26089ac528941bf8cb998d97f408m) for stealth persistence.

Indicators of Compromise

• Unauthorized updates to the internal default user account, specifically “last_logins” field changes inside MainUsers/default/user.XML.
• File modification timestamps for the default user.XML is inconsistent with regular maintenance.
• Appearance of unusual user accounts with random alphanumeric IDs.

Challenges in Detection

• AS2 traffic complexity masks malicious payloads.
• Many environments lack dedicated AS2 traffic inspection.
• An attack typically leaves minimal network-level forensic traces, aside from application logs.

Impact, What’s at Stake?

Business Risk

• Data Loss: Exfiltration of sensitive or regulated information.
• Operational Downtime: Service interruption due to malicious tampering or recovery efforts.
• Compliance Violations: Exposure of Personally Identifiable Information (PII) or Intellectual Property (IP).
• Reputational Damage: Breach of trust with customers and partners.

Technical Risk

• Complete server control facilitates pivoting into internal networks.
• Attackers can implant ransomware or backdoors.
• Potential disruption of critical EDI communications.

Global Exposure 

Shodan Exposure Data

• Over 300,000 publicly accessible CrushFTP web interfaces globally.
• Largest concentrations in the United States (~46,000), India (~20,000), Australia (~19,000), Japan (~18,000), and the UK (~11,000).

Exploitation in the Wild

• Confirmed active exploitation since July 18, 2025.
• Approximately 1,040 unpatched, internet-facing servers remain vulnerable, primarily located in North America and Europe.
• Attackers adapted quickly following prior AS2 fixes, indicating the presence of targeted and persistent threat actors.

ShadowServer scanning for unpatched CrushFTP instances vulnerable to CVE-2025-54309. 

Mitigation Strategies

Patching

• Patch Immediately Upgrade to CrushFTP 10.8.5_12 or 11.3.4_23 (or later). This fully fixes the AS2 validation flaw.
• Restrict Admin Access Use IP allow-lists, VPNs, or Zero Trust to limit access to the admin interface. Never expose it directly to the internet.
• Verify Integrity Check file hashes, especially MainUsers/default/user.XML. Look for unauthorized changes or newly created admin accounts.
• Disable or Isolate AS2 if you don’t use AS2, disable it. Otherwise, route AS2 traffic through a DMZ proxy.
• Audit for Indicators of Compromise (IoCs)  Look for:

• New random user IDs
• Modified default user configs
• Admin UI appearing for regular users