Tag: CVE-2023-27532

7 Attack Reports | 0 Vulnerabilities

Attack reports

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…
screenconnect
phishing
ransomware
supply chain
mfa bypass
qilin
CVE-2023-27532
2025-04-01
evilginx
stac4365
msp
Published: April 1, 2025
Downloadable IOCs: 0

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

Akira Ransomware Targets the LATAM Airline Industry

An in-depth analysis examined a threat actor utilizing Akira ransomware to compromise a Latin American airline. The attacker gained initial network access via SSH, exploiting a vulnerability in Veeam backup software, and subsequently exfiltrated critical data before deploying the ransomware payload…
linux
ransomware
exfiltration
akira
CVE-2023-27532
2024-07-16
ssh
backup
Published: July 16, 2024
Linked vulnerabilities : CVE-2023-27532, CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 2

Patch or Peril: A Veeam vulnerability incident

While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
backdoor
ransomware
adfind
vpn
2024-07-12
fortigate
veeam
CVE-2023-27532
svhost
netscan
Published: July 12, 2024
Downloadable IOCs: 2
Click here to see more Attack Reports