Tag: vulnerability exploitation

11 Attack Reports | 0 Vulnerabilities

Attack reports

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 package…
obfuscation
python
typosquatting
node.js
backdoors
data exfiltration
vulnerability exploitation
2025-03-10
install scripts
software packages
Published: March 10, 2025
Downloadable IOCs: 11

PolarEdge: Unveiling an uncovered ORB network

An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge …
botnet
vulnerability exploitation
asus
infrastructure analysis
edge devices
2025-02-25
qnap
cisco
polaredge
CVE-2023-20118
tls backdoor
synology
cipher_log
Published: February 25, 2025
Downloadable IOCs: 31

The BadPilot campaign: Multiyear global access operation

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tacti…
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink
Published: February 12, 2025
Downloadable IOCs: 0

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…
cryptocurrency
ddos
iot
botnet
mirai
discord
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
CVE-2017-17215
telegram
2024-11-27
CVE-2014-8361
brute-force
CVE-2017-18368
script kiddie
CVE-2018-9995
pybot
CVE-2024-27348
CVE-2017-17106
discordgo
CVE-2022-30525
CVE-2022-30075
Published: November 27, 2024
Downloadable IOCs: 12

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices

Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. On…
iot
botnet
proxy
vulnerability exploitation
ngioweb
2024-11-18
residential proxy marketplace
Published: November 18, 2024
Downloadable IOCs: 66

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Downloadable IOCs: 10

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Downloadable IOCs: 37

From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances lacking authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64 encoded Python script to download and execute a reverse shel…
cryptomining
vulnerability exploitation
2024-09-17
tor
proxyjacking
perfcc
iproyal pawns
gsocket
traffmonetizer
selenium grid
Published: September 17, 2024
Downloadable IOCs: 18

The Nanshou Campaign - Hackers' Arsenal Grows Stronger

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners …
privilege escalation
vulnerability exploitation
2024-09-16
smominru
CVE-2014-4113
database servers
kernel rootkit
crypto-miner
Published: September 16, 2024
Downloadable IOCs: 28

Examining Water Infection Routine Leading to an XMRig Cryptominer

This report details the multi-stage loading technique utilized by the threat actor Water Sigbin to deliver the PureCrypter loader and XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers, employing fileless execution tactics like DLL reflective and process injec…
obfuscation
xmrig
purecrypter
cryptominer
CVE-2023-21839
CVE-2017-3506
2024-06-28
vulnerability exploitation
multi-stage loading
Published: June 28, 2024
Downloadable IOCs: 13
Click here to see more Attack Reports