Tag: privilege-escalation

29 Attack Reports | 0 Vulnerabilities

Attack reports

Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin

A series of attacks targeting poorly managed MS-SQL servers have been identified, involving the installation of Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malw…
privilege escalation
brute force
2025-04-22
ms-sql
wget
remote control
petitpotato
dictionary attack
ammyy admin
Published: April 22, 2025
Downloadable IOCs: 0

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions …
cobalt strike
privilege escalation
remote code execution
meshcentral
CVE-2025-30406
2025-04-15
gladinet
hardcoded keys
aspx viewstate
centrestack
triofox
Published: April 15, 2025
Linked vulnerabilities : CVE-2025-30406
Downloadable IOCs: 6

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

Analysis of Lazarus Group's Attack Targeting Windows Web Servers

The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxi…
windows
privilege escalation
webshell
iis
uac bypass
web servers
2025-03-11
c2 proxy
lazarloader
Published: March 11, 2025
Downloadable IOCs: 0

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Analysis of an incident involving a web shell used as a backdoor

A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backd…
privilege escalation
badpotato
behinder
godpotato
web shell
southeast asia
2025-02-28
memory-based threats
sweetpotato
potato tools
Published: February 28, 2025
Downloadable IOCs: 0

Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved confirming the availability of the file upload h…
privilege escalation
iis
2025-01-31
juicypotatong
CVE-2019-18935
Published: January 31, 2025
Linked vulnerabilities : CVE-2019-18935
Downloadable IOCs: 4

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Brain Cipher Ransomware uses CVE-2023-28252

Brain Cipher ransomware is suspected of exploiting CVE-2023-28252, a vulnerability previously utilized by the now-inactive Nokowaya Ransomware Group. The exploit, often disguised as 'clfs_eop.exe', targets the Microsoft Windows CLFS Driver for privilege escalation. This vulnerability is being sold …
ransomware
privilege-escalation
2024-12-17
CVE-2023-28252
brain cipher
clfs filename
Published: December 17, 2024
Downloadable IOCs: 2

Declawing PUMAKIT

PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftra…
rootkit
privilege escalation
2024-12-16
pumakit
kitsune
syscall hooking
Published: December 16, 2024
Downloadable IOCs: 12

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Gafgyt Malware Broadens Its Scope in Recent Attacks

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The …
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite
Published: December 3, 2024
Downloadable IOCs: 25

Raspberry Robin Analysis

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses mu…
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969
Published: November 19, 2024
Linked vulnerabilities : CVE-2021-31969, CVE-2024-26229
Downloadable IOCs: 126

November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474]

Two critical vulnerabilities in Palo Alto Networks PAN-OS, CVE-2024-0012 and CVE-2024-9474, have been disclosed. CVE-2024-0012 is an authentication bypass allowing unauthenticated remote attackers to gain admin privileges, while CVE-2024-9474 is an authenticated privilege escalation bug. These can …
vpn
privilege escalation
2024-11-18
CVE-2024-0012
CVE-2024-9474
rce
authentication bypass
pan-os
critical vulnerability
Published: November 18, 2024
Downloadable IOCs: 0

Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012

A critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Networks PAN-OS software allows unauthenticated attackers to gain administrator privileges on affected devices. The issue affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2, but not Cloud NGFW or Prisma Access. Limited expl…
vpn
privilege escalation
webshell
2024-11-18
CVE-2024-0012
CVE-2024-9474
authentication bypass
pan-os
Published: November 18, 2024
Downloadable IOCs: 0

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…
obfuscation
phishing
android
cryptocurrency
craxs rat
privilege escalation
2024-11-04
apk distribution
transaction hijacking
sms interception
g700 rat
Published: November 4, 2024
Downloadable IOCs: 3

Chinese Hackers Toolkit Uncovered And Activity History Uncovered

A Chinese hacking group called 'You Dun' was discovered through an exposed open directory, revealing their comprehensive attack infrastructure. The group utilized sophisticated reconnaissance tools and exploited Zhiyuan OA software via SQL injection attacks, targeting South Korean pharmaceutical or…
sql injection
ransomware
cobalt strike
privilege escalation
lockbit 3.0
2024-10-28
c2 infrastructure
CVE-2021-25003
chinese hackers
viper framework
reconnaissance tools
Published: October 28, 2024
Linked vulnerabilities : CVE-2021-25003
Downloadable IOCs: 7

Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

This analysis examines two cybersecurity incidents: a web shell attack and a VPN compromise. The web shell attack involved uploading malicious files to a server, executing commands, creating a local admin account, and attempting to establish persistence. The VPN compromise led to lateral movement, …
anydesk
persistence
CVE-2020-1472
lateral movement
privilege escalation
web shell
defense evasion
2024-10-24
iis
mxdr
vpn compromise
Published: October 24, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash scrip…
evasion
persistence
docker
privilege escalation
perfctl
2024-10-21
remote api
linux malware
container exploitation
Published: October 21, 2024
Downloadable IOCs: 6

Advanced Cyberattacks Against UAE and Gulf Regions

Earth Simnavaz, also known as APT34 and OilRig, has been actively targeting governmental entities in the UAE and Gulf region. The group employs sophisticated tactics, including a backdoor that exploits Microsoft Exchange servers for credential theft and the use of CVE-2024-30088 for privilege escal…
cyber espionage
credential theft
oilrig
CVE-2024-30088
privilege escalation
microsoft exchange
2024-10-14
apt34
stealhook
iis malware
gulf region
uae
Published: October 14, 2024
Linked vulnerabilities : CVE-2024-30088 (CVSS 7.0)
Downloadable IOCs: 17

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

The Nanshou Campaign - Hackers' Arsenal Grows Stronger

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners …
privilege escalation
vulnerability exploitation
2024-09-16
smominru
CVE-2014-4113
database servers
kernel rootkit
crypto-miner
Published: September 16, 2024
Linked vulnerabilities : CVE-2014-4113
Downloadable IOCs: 28

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Ransomware attackers introduce new EDR killer to their arsenal

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on t…
ransomware
ransomhub
privilege escalation
2024-08-16
edr evasion
driver exploitation
edrkillshifter
Published: August 16, 2024
Downloadable IOCs: 2

Analysis of CoinMiner Attacks Targeting Web Servers

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was col…
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
Published: June 24, 2024
Linked vulnerabilities : CVE-2021-1732
Downloadable IOCs: 59

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149
Click here to see more Attack Reports