Tag: anydesk

10 Attack Reports | 0 Vulnerabilities

Attack reports

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …
ransomware
powershell
anydesk
persistence
winscp
impacket
bugsleep
ssh
metasploit
initial access broker
file transfer
cactus
2025-04-23
lagtoy
toymaker
magnet ram
capture
holerun
Published: April 23, 2025
Downloadable IOCs: 20

CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. Affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0, the flaw enables unauthorized actions, including data retrieval and administrative control.…
anydesk
meshcentral
authentication bypass
CVE-2025-31161
2025-04-05
telegram bot
crushftp
meshcentral agent
Published: April 5, 2025
Downloadable IOCs: 0

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted…
ransomware
anydesk
iot
remote access
edr evasion
network segmentation
2025-03-11
akira ransomware
webcam
smb protocol
Published: March 11, 2025
Downloadable IOCs: 0

Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
ransomware
blackcat
anydesk
rclone
service
medusa
netscan
raas
medusalocker
psexec
simplehelp
2025-03-06
ttps
pdq deploy
pdq inventory
spearwing
navicat
avkiller
Published: March 6, 2025
Downloadable IOCs: 45

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

This analysis examines two cybersecurity incidents: a web shell attack and a VPN compromise. The web shell attack involved uploading malicious files to a server, executing commands, creating a local admin account, and attempting to establish persistence. The VPN compromise led to lateral movement, …
anydesk
persistence
CVE-2020-1472
lateral movement
privilege escalation
web shell
defense evasion
2024-10-24
iis
mxdr
vpn compromise
Published: October 24, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign

Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users. Once installed on a victim's machine, it is being utilized to steal data and money. The camp…
phishing
social engineering
anydesk
remote access
2024-08-09
uk banks
Published: August 9, 2024
Downloadable IOCs: 50

From IcedID to Dagon Locker Ransomware in 29 Days

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
powershell
cobalt strike
anydesk
icedid
adfind
rclone
shell
encrypted
discovery
domain account
access token
manipulation
utility
modify system
aws collector
prometheustds
seatbelt
sharefinder
Published: April 29, 2024
Downloadable IOCs: 33
Click here to see more Attack Reports