In April, a new Dynamic Host Configuration Protocol (DHCP) exploit was discovered that forces traffic to bypass VPN encapsulation, pushing traffic outside of the VPN tunnel. The ‘Share Update’ feature in Monday.com had to be disabled as it was being exploited by adversaries to send phishing attacks, while the MITRE Corporation identified a breach that occurred in January 2024 leveraging the Ivanti VPN zero-day vulnerability.
In other cyber news, Volkswagen have identified a breach lasting multiple years where state-sponsored threat actors have captured critical information on Volkswagen’s proprietary EV and hydrogen technologies. Europol confirmed a breach to their Europol Platform for Experts (EPE) by the threat actor known as IntelBroker.
New/Improved Techniques
TunnelVision – VPN Decloak
Cybersecurity researchers at Leviathan Security Group have discovered a method to manipulate a Dynamic Host Configuration Protocol (DHCP) server on a network to bypass VPN encapsulation and divert traffic outside of the encrypted tunnel, effectively negating the purpose of the VPN. The vulnerability is within the DHCP classless static route option – Option 121, which allows a DHCP server to configure routing rules within the virtual network interface that the target’s VPN creates.
Option 121 was included in the DHCP standard in 2002, meaning that this technique has been possible for a long time. VPNs were never designed to be secure on the local network, rather to keep your traffic secure on the internet. We recommend not using untrusted networks when connecting to a VPN – using the mobile hotspot on your mobile device is an effective way of mitigating risk of this attack.
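To show where the routing override actually happens, the following is an added example written for this digest (not Leviathan Security Group's code): it decodes a constructed DHCP Option 121 payload using the RFC 3442 encoding and flags every pushed route that would win longest-prefix match over the routes an assumed full-tunnel VPN client installs (0.0.0.0/1 and 128.0.0.0/1 via the tunnel interface, the split OpenVPN's redirect-gateway def1 uses). The tunnel route list, local subnet and option bytes are all constructed sample data; in practice the payload would come from the client's lease or a captured DHCP offer.

```python
"""Decode DHCP Option 121 (Classless Static Route, RFC 3442) and flag
routes that would pull traffic out of a VPN tunnel.

Added example, not code from the original write-up. The VPN tunnel
routes, local subnet and Option 121 bytes below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    via: ipaddress.IPv4Address


def parse_option_121(payload: bytes) -> list[Route]:
    """Decode RFC 3442 entries: 1 byte prefix length, then only the
    significant destination octets (ceil(prefix/8) bytes), then a
    4-byte router address. Repeats until the payload is exhausted."""
    routes: list[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {i}")
        n_sig = (prefix_len + 7) // 8
        i += 1
        if i + n_sig + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        # Pad the omitted low-order octets back to a full 4-byte address.
        dest_bytes = payload[i:i + n_sig] + b"\x00" * (4 - n_sig)
        i += n_sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False masks any stray host bits a sloppy server left set.
        dest = ipaddress.IPv4Network((dest_bytes, prefix_len), strict=False)
        routes.append(Route(dest, router))
    return routes


def routes_bypassing_tunnel(pushed: list[Route],
                            tunnel: list[ipaddress.IPv4Network],
                            local_net: ipaddress.IPv4Network) -> list[Route]:
    """Return pushed routes that are at least as specific as an overlapping
    tunnel route, i.e. that longest-prefix match would (or, on a tie, may,
    depending on metric) prefer over the VPN. Routes for the local subnet
    itself are normal on-link routes and are skipped."""
    flagged = []
    for r in pushed:
        if r.dest.subnet_of(local_net):
            continue
        if any(r.dest.overlaps(t) and r.dest.prefixlen >= t.prefixlen for t in tunnel):
            flagged.append(r)
    return flagged


# Constructed sample data (not from a real network):
# what a full-tunnel VPN client is assumed to install on its tun interface.
VPN_TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
                     ipaddress.IPv4Network("128.0.0.0/1")]
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")

# Constructed Option 121 payload as a DHCP server could send it.
SAMPLE_OPTION_121 = bytes([
    0x00, 192, 168, 1, 1,                  # 0.0.0.0/0 via 192.168.1.1 (normal default)
    0x18, 192, 168, 1, 192, 168, 1, 1,     # 192.168.1.0/24 via 192.168.1.1 (local)
    0x18, 203, 0, 113, 192, 168, 1, 1,     # 203.0.113.0/24 via 192.168.1.1 (beats the /1s)
])


def audit_sample() -> list[str]:
    """Parse the sample payload and describe every route that escapes the tunnel."""
    pushed = parse_option_121(SAMPLE_OPTION_121)
    return [f"{r.dest} via {r.via}"
            for r in routes_bypassing_tunnel(pushed, VPN_TUNNEL_ROUTES, LOCAL_NET)]


if __name__ == "__main__":
    for r in parse_option_121(SAMPLE_OPTION_121):
        print(f"pushed route: {r.dest} via {r.via}")
    for line in audit_sample():
        print(f"WOULD BYPASS TUNNEL: {line}")
```

The default route in the sample is harmless because its /0 is less specific than the VPN's two /1 routes, which is exactly why clients install that split; the /24 to a public range is the problem, since the kernel will route any destination in it via the physical gateway regardless of the tunnel. A client-side check along these lines, run whenever a lease is renewed, is one way to notice the condition the researchers describe.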
Monday.com Share Update Feature Abuse
Monday.com were forced to remove one of the features on their project management platform, after it was found to have been used in phishing attacks. The ‘Share Update’ feature allowed users to share an update with people who were not members of their account, simply requiring an email input. This allowed adversaries to generate emails from the platform to any email address they wished, while using Monday.com’s email authentication to bypass filters and appear legitimate.
The phishing emails generated in the campaign were not novel but were known to use URL shortening to obfuscate the forms they were using to capture credentials. Monday.com has not revealed how many phishing emails were delivered from their system and have not provided a timeline for the feature to be re-enabled.
Attacks / Threats
[US] MITRE Breach
The MITRE Corporation disclosed that they were the victim of a breach to their systems in January 2024, from a state-backed group who used two Ivanti VPN zero-day vulnerabilities to gain access.
The suspicious activity was detected on MITRE’s collaborative network used for research, development, and prototyping – the Networked Experimentation, Research and Virtualization Environment (NERVE). After detecting the activity, swift action was taken to contain the incident, with the NERVE environment being taken offline and an investigation being launched, which is still ongoing. The NERVE environment is unclassified, and to date the investigation has uncovered no indication that MITRE’s enterprise network or any partners’ systems or networks were affected.
The two security vulnerabilities that were utilised are believed to be an authentication bypass and a command injection vulnerability that have been linked to Chinese state-sponsored groups for deploying malware and for espionage purposes. MITRE themselves have not officially stated which group or state they believe to be behind the attack.
[EU] Europol Web Portal Breach
The European Union’s law enforcement agency, Europol, confirmed that its platform for sharing knowledge, best practices, and data on crime with agencies across the world, the Europol Platform for Experts (EPE), was breached by the threat actor known as IntelBroker.
IntelBroker first emerged around the end of 2022, and specialise in targeting critical infrastructure and government agencies, and have previously claimed responsibility for breaching the US geospatial intelligence firm Space-Eyes.
The EPE breach occurred in September 2023, and the Europol investigation points to stolen credentials as the ingress method, rather than a vulnerability or a misconfiguration. This may indicate that the breach was caused by a lack of a second factor of authentication for the law enforcement portal. Europol have released a statement indicating that neither their core systems, nor the systems of any of their partners were affected by this breach.
[EU] Volkswagen Breach – EV Technologies Targeted
State-sponsored threat actors are believed to be responsible for the latest breach in a years-long campaign to breach and conduct espionage against Volkswagen systems, with the intent of capturing critical information around Volkswagen’s proprietary EV and hydrogen technologies and production methods. Although not yet fully confirmed, the initial investigation has shown the hallmarks and a level of sophistication suggesting groups known to operate with state backing in China.
The largest attack resulted in nearly 20,000 documents being stolen from the VW servers, with the documents believed to be specifically targeted, based on a clear agenda to capture high-value technologies. It is believed that Volkswagen’s infrastructure was being analysed for weaknesses as far back as 2010 and was breached several times between 2011 and 2014. Technical details of the most recent breach have not yet been released.
This attack may indicate a shift in the world, where the reality of competition between private companies and adversarial state-backed industry may require the involvement of western nations to remain fair; even the largest of private enterprises are powerless in the face of this competitive disadvantage.
LockBit – Leader Identified and Sanctioned
The United States has joined the U.K. and Australia in levelling sanctions and charges against Russian national Dmitry Yuryevich Khoroshev. Khoroshev is charged with being the leader of the infamous LockBit ransomware group, going by the online handle LockBitSupp. The indictment included charges of wire fraud, extortion, and conspiracy, and alleges that Khoroshev has personally made more than $100 million, while the group has extorted around $500 million over the last 4 years.
LockBit operate a ransomware-as-a-service (RaaS) affiliate operation, where they build, maintain, and provide the ransomware, and manage the extortion, while leaving ingress and infection up to their affiliates. Under this model LockBit keep 20% of any ransom paid by the victim, while the remaining 80% is paid back to affiliates. This model allowed LockBit to quickly expand and become one of the most prominent ransomware groups, with cyber intelligence company Cyberint linking the group to 24% of the total ransomware attacks they monitored in 2023 – with successful attacks against over 1000 victims. The affiliate model also creates difficulty for cybersecurity professionals, as the MO for attacks and ingress methods using the LockBit ransomware are as varied as the number of affiliates.
Counterfeit Cisco Devices
A Florida resident and dual US/Turkey citizen, Onur Aksoy, has been sentenced to 6 years in prison for running a multi-year operation trafficking and selling counterfeit Cisco networking devices, of which hundreds of millions of dollars’ worth of equipment ended up in U.S. government and sensitive military systems.
Aksoy ran 19 companies out of Florida and New Jersey and had multiple Amazon and eBay storefronts pushing his fake, low-quality modified network devices, and is believed to have personally received millions of dollars from his scheme. The devices were imported from China and Hong Kong and were usually older or lower-tier units, which were modified by Chinese counterfeiters to appear as genuine new and expensive Cisco devices. The modifications included custom firmware designed to replicate new and expensive networking devices, and contained components to circumvent measures by Cisco to check for licensing and authenticate hardware. The devices shipped in authentic-looking packaging and included convincing documentation, making them near impossible to detect. The devices obviously had major performance and functionality issues once introduced into networking systems, and were known to be part of some of the US Department of Defense’s classified systems, including those supporting its fighter jets and attack helicopters.
In the years leading up to his arrest and sentencing, Aksoy was sent multiple cease-and-desist letters, and went as far as forging Cisco documentation in an attempt to get out of trouble. As part of the sentencing, Aksoy was found to have been aware of the investigation and was known to be taking measures to obfuscate his counterfeit imports, which were being targeted and seized as part of the investigation.