Overview 

Recently, the CYFOR Secure team responded to a zero-day attack involving CrushFTP. CrushFTP is a file transfer system used by organisations to facilitate data sharing with clients. In the second half of March 2025, a critical vulnerability (CVE-2025-31161) was identified and publicised by the threat group. Threat actors began exploiting this flaw almost immediately, targeting vulnerable servers and exfiltrating sensitive data. 

Who is Behind the Attack? 

The threat group “Kill Security” has publicly claimed responsibility for the recent CrushFTP compromises. Their approach has not involved ransomware or overt disruption, making detection challenging. Instead, they have exfiltrated significant volumes of sensitive data and are expected to contact affected organisations with extortion demands disguised as “penetration testing” services. 

The CYFOR Secure team is actively monitoring other groups with a history of targeting managed file transfer (MFT) systems—most notably “Cl0p,” known for high-profile attacks like those on MOVEit and Cleo. Cl0p often exfiltrates data without deploying ransomware, a pattern consistent with the current CrushFTP incidents and one that underscores the broader risk to organisations using MFT solutions. If your business uses other managed file transfer services, it is worth investing in proactive security measures, given that these transfer systems are commonly exposed to the internet. 

Understanding the Vulnerability

When first discovered in March, CVE-2025-31161 was a true zero-day—unknown to the vendor and the public, with no available patch. As of April 2025, it is considered an “n-day” vulnerability: it is widely known and patches have been released, but exploitation continues against unpatched systems. 

The vulnerability is trivial to exploit, allowing a fully unauthenticated attacker to remotely access all sensitive data on CrushFTP servers. Both Windows and Linux deployments are affected. All users of CrushFTP, whether running version 10 or version 11, are strongly urged to upgrade to version 10.8.4 or later, or 11.3.1 or later. 

CYFOR Secure's Response 

The team here at CYFOR Secure acted swiftly to assist affected organisations. Our incident response teams: 

  • Conducted forensic reviews of CrushFTP logs to identify unauthorised account creation and suspicious access patterns 
  • Helped clients patch vulnerable systems and secure their environments 
  • Advised on best practices for ongoing monitoring and detection 

“Unlike traditional ransomware incidents, whose impact is immediate and unmissable, the CrushFTP attacks we have seen this month can easily go unnoticed. Such incidents demonstrate the need for organisations to proactively search for indicators of compromise from these widespread vulnerabilities, even if they are now patched and up to date” — Will Poole, CYFOR Secure 

How to Identify a Compromise 

Based on our investigations, the most reliable ways to identify a compromise include: 

  • Reviewing CrushFTP logs for accounts created by the default crushadmin account that are not recognised. 
  • Checking for log entries containing Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/* from unknown IP addresses. 
  • Examining logs for command:downloadAsZip or command:download events that are unfamiliar, especially if they originate from crushadmin or accounts created by crushadmin during March/April, as these may indicate data exfiltration. 
  • Reviewing server logs for signs of malware deployment or installation of remote access tools (e.g., AnyDesk, TeamViewer, MeshAgent). Both Windows and Linux instances have been targeted. 

Indicators of Compromise (IOCs) 

Attackers have used a wide range of IP addresses, often leveraging VPN and VPS providers. The following IPs have been observed in large volumes across incidents, in both automated and manual post-exploit activity: 

  • 198.44.129.122 
  • 193.37.69.154 
  • 68.235.46.121 
  • 172.235.144.67 

Some systems have been exploited multiple times, suggesting that several threat groups or individuals may be systematically targeting known vulnerable servers. 
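To show how the log indicators from the previous section and the IOC IPs above can be checked mechanically, here is an added example (not CYFOR Secure's own detection scripts and not CrushFTP's real log format). The sample log lines and their "<timestamp> [<client ip>] user=<name> ..." layout are constructed; the analyst supplies the allowlisted crushadmin IPs and the accounts already identified as created by crushadmin, since the page does not give the log string for account creation.

```python
import re
from dataclasses import dataclass

# The four indicator IPs listed in the advisory.
IOC_IPS = {"198.44.129.122", "193.37.69.154", "68.235.46.121", "172.235.144.67"}

# Indicator strings named in the advisory. The line layout assumed here,
# "<timestamp> [<client ip>] user=<name> ...", is constructed for the example,
# not CrushFTP's real log format; adapt IP_RE and USER_RE to your logs.
AWS4_RE = re.compile(r"Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/")
CMD_RE = re.compile(r"command:(downloadAsZip|download)\b")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
USER_RE = re.compile(r"user=(\S+)")

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    ip: str

def triage(lines, known_admin_ips, suspect_accounts):
    """Flag lines matching the advisory's indicators.
    known_admin_ips: allowlist of IPs from which crushadmin is legitimately used.
    suspect_accounts: accounts the analyst has already tied to creation by crushadmin
    (the creation event's log string is not given on this page, so it is an input).
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = IP_RE.search(line)
        ip = m.group(1) if m else "?"
        if ip in IOC_IPS:
            findings.append(Finding(n, "known IOC source IP", ip))
        if AWS4_RE.search(line) and ip not in known_admin_ips:
            findings.append(Finding(n, "crushadmin AWS4 auth from unknown IP", ip))
        c, u = CMD_RE.search(line), USER_RE.search(line)
        if c and u and (u.group(1) == "crushadmin" or u.group(1) in suspect_accounts):
            findings.append(Finding(n, f"{c.group(1)} by {u.group(1)}", ip))
    return findings

# Constructed sample log lines (not real CrushFTP output).
SAMPLE_LOG = [
    "2025-04-02 03:14:07 [10.0.0.5] user=crushadmin Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/20250402",
    "2025-04-02 03:15:11 [193.37.69.154] user=crushadmin Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/20250402",
    "2025-04-02 03:16:40 [193.37.69.154] user=svc_backup2 command:downloadAsZip path=/finance",
    "2025-04-02 09:00:00 [10.0.0.7] user=alice command:download path=/shared/report.pdf",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"10.0.0.5"}, {"svc_backup2"}):
        print(f"line {f.line_no}: {f.reason} ({f.ip})")
```

On the sample, the first line is ignored because the admin IP is allowlisted, while lines 2 and 3 each produce two findings (IOC source IP plus the auth header or the archive download by a suspect account).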


Proactive Security Recommendations

To reduce the risk of future incidents, CYFOR Secure recommends: 

  • Timely patching: Apply software updates as soon as they are available and verify their effectiveness 
  • Log review: Regularly audit file transfer logs for unauthorised account creation or suspicious activity 
  • Network segmentation: Isolate critical systems to limit lateral movement during an attack 
  • Access controls: Enforce least privilege and strong authentication for administrative accounts 
  • Proactive monitoring: Implement continuous monitoring for unusual access patterns and data exfiltration attempts 
  • Incident response planning: Maintain a robust incident response plan and test it regularly 

A good place to start when implementing cyber security measures is our Managed Cyber Security Service. This incorporates proactive planning, consistent scanning and updates, and fast incident response, to ensure your data always remains secure. 

Conclusion 

The CrushFTP incident underscores the speed and sophistication with which threat actors exploit newly discovered vulnerabilities—often before patches can be widely applied. Many organisations may have been compromised between late March and early July 2025 without realising it, as these attacks have not involved disruptive ransomware payloads. 

In addition to Kill Security, groups like Cl0p remain active and capable of leveraging similar vulnerabilities in managed file transfer systems. CYFOR Secure continues to monitor the evolving threat landscape and strongly advises all CrushFTP users to patch immediately and review logs for signs of compromise. 

The team at CYFOR Secure has also developed custom detection scripts and rules to quickly assess potential CrushFTP compromises. If you seek assurance that your systems are secure, or require assistance investigating post-exploit activity, our team can provide rapid and effective support. 

If you suspect your organisation may have been impacted, contact CYFOR Secure for expert incident response and support. 


Call: 0330 135 5756