Threat Research

The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....

XWorm is a widely used and evolving remote access trojan (RAT) known for features like keylogging, remote access, and data theft. Its modular design, ease of use, and regular updates make it attractive to cybercriminals. Threat actors often use XWorm in attacks on the software supply chain and gaming sectors....

A new ransomware operator, Mora_001, has been exploiting two Fortinet vulnerabilities, particularly targeting Fortigate firewall appliances, to deploy a ransomware strain named SuperBlack. Mora_001 is linked to the LockBit ransomware ecosystem and uses a combination of opportunistic attack methods....

The attack began with the exploitation of CVE-2023-22527, a critical RCE vulnerability in Confluence, on a Windows server. Initial signs of activity included system discovery commands like net user and whoami. The attacker attempted to download AnyDesk via curl, failing at first but later retrieving it using mshta and a remote HTA file containing a Metasploit stager....

This intrusion began in late January 2024 when a user downloaded and executed a file named setup_wm.exe, which mimicked the legitimate Microsoft Windows Media Configuration Utility. The file was actually a Cobalt Strike beacon, establishing an outbound connection upon execution....

Threat actors are increasingly exploiting cloud service providers for various malicious activities, including infostealer development and data exfiltration. In this instance, the ransomware samples we analyzed included hard-coded AWS credentials, specific to one threat actor, while generally, ransomware developers use various online services....