Threat Research

The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....
Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days....
At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....
A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption....
The threat actor initially exploited CVE-2023-22527 on a public-facing Confluence server to achieve remote code execution. They followed a repeatable command sequence (installing AnyDesk, creating admin accounts, and enabling RDP), indicating automation or a playbook. Credential theft tools such as Mimikatz, ProcessHacker, and Secretsdump were used....
The attack began with the exploitation of CVE-2023-22527, a critical RCE vulnerability in Confluence, on a Windows server. Initial signs of activity included system discovery commands such as net user and whoami. The attacker attempted to download AnyDesk via curl, failing at first but later retrieving it using mshta and a remote HTA file containing a Metasploit stager....
"Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation" is a detection for a suspicious file named "wermgr.exe" being created in an uncommon directory, which may indicate attempted exploitation of CVE-2023-36874....
Our team recently uncovered attacker tactics linked to a vulnerability in Fortinet products, which has already been patched. The flaw involves improper filtering of SQL command input, enabling SQL injection. CVE-2023-48788 impacts FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2....
"CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" is a detection for a security vulnerability in WinRAR versions prior to 6.23, where attackers can exploit the software to execute arbitrary commands or binaries....
CVE-2023-22518 is a vulnerability in Confluence whose exploitation on Windows systems is indicated by the creation of a suspicious child process. Attackers may leverage this vulnerability to execute arbitrary code or escalate privileges within the application....