CVE-2019-19781
Published 2019-12-27. CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Priority: P1 (97) · critical · 9.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | application_delivery_controller_firmware | — | — |
| citrix | application_delivery_controller_firmware | — | — |
| citrix | application_delivery_controller_firmware | — | — |
| citrix | application_delivery_controller_firmware | — | — |
| citrix | application_delivery_controller_firmware | — | — |
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | gateway_firmware | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
bytes:
16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00 00 00 00 00 00 6A CE 14 27 3F 24 92 AB 0A A3 F7 DB 21 1C D6 7F FD E3 A3 50 00 00 00 00 48 C0 0A C0 14 00 88 00 87 00 39 00 38 C0 0F C0 05 00 84 00 35 C0 07 C0 09 C0 11 C0 13 00 45 00 44 00 66 00 33 00 32 C0 0C C0 0E C0 02 C0 04 00 96 00 41 00 04 00 05 00 2F C0 08 C0 12 00 16 00 13 C0 0D C0 03 FE FF 00 0A 02 01 00 00 3F 00 00 00 13 00 11 00 00 0E 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D FF 01 00 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00
snort sid: 52620
- Speculoos backdoor sends a hardcoded TLS Client Hello packet with SNI set to 'login.live.com' as a masquerade; detect anomalous TLS connections to non-Microsoft IPs using this SNI value
- Monitor Citrix ADC/Gateway devices for outbound FTP connections, especially to unknown IPs, dropping ELF/FreeBSD binaries to /tmp; this is indicative of CVE-2019-19781 post-exploitation payload staging
- Speculoos is an ELF executable compiled for FreeBSD (GCC 4.2.1); detection of unexpected FreeBSD ELF binaries on Citrix ADC appliances is a strong indicator of compromise
- CVE-2019-19781 exploitation is detectable via HTTP path traversal patterns in requests to Citrix ADC/Gateway; monitor for directory traversal sequences in HTTP/S requests to these devices
- CVE-2019-19781 was first disclosed on December 17, 2019 via security bulletin CTX267679 with mitigations only; permanent patches were not issued until January 24, 2020, leaving a significant exploitation window
- Speculoos does not natively maintain persistence; a separate component or additional adversary step is required to maintain the foothold on compromised Citrix appliances
- CVE-2019-19781 affects Citrix ADC, Gateway, and SD-WAN WANOP appliances; all three product lines should be assessed and patched
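As an added example (not part of the indicator record above and not code from any of the sources this page aggregates), the following Python parses the Speculoos Client Hello bytes quoted above, walks the handshake to the server_name extension, and flags the masquerade SNI when the destination is not Microsoft-owned. The `dest_is_microsoft` input and the function names are this example's own assumptions; the IP/ASN ownership lookup that would feed that flag is outside the example.

```python
import struct

# Constructed input: the Speculoos Client Hello bytes quoted in the indicator
# block above, copied verbatim (bytes.fromhex ignores the spaces).
SPECULOOS_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00 00 00 00 00 00 6A CE 14 27 3F 24 92 AB 0A A3 F7 DB 21 1C D6 7F FD E3 A3 50 00 00 00 00 48 C0 0A C0 14 00 88 00 87 00 39 00 38 C0 0F C0 05 00 84 00 35 C0 07 C0 09 C0 11 C0 13 00 45 00 44 00 66 00 33 00 32 C0 0C C0 0E C0 02 C0 04 00 96 00 41 00 04 00 05 00 2F C0 08 C0 12 00 16 00 13 C0 0D C0 03 FE FF 00 0A 02 01 00 00 3F 00 00 00 13 00 11 00 00 0E 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D FF 01 00 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00"
)

# The SNI value the Speculoos backdoor hardcodes, per the detection note above.
SPECULOOS_SNI = "login.live.com"


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the legacy version, the offered cipher suites, the extension types
    in wire order and the server_name (SNI) host; raises ValueError when the
    bytes are not a complete ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1 + 2:
        raise ValueError("truncated ClientHello")

    version = (hello[0], hello[1])
    pos = 2 + 32                                  # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # legacy_session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len                           # legacy_compression_methods

    extensions, sni = [], None
    if pos + 2 <= len(hello):
        ext_total = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            extensions.append(ext_type)
            # server_name (type 0): list_len(2) name_type(1) name_len(2) name
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack(">H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", errors="replace")
    return {"version": version, "cipher_suites": suites,
            "extensions": extensions, "sni": sni}


def is_speculoos_candidate(record: bytes, dest_is_microsoft: bool) -> bool:
    """Flag a Client Hello carrying the Speculoos masquerade SNI when the
    destination is not Microsoft-owned. dest_is_microsoft is assumed to come
    from an IP/ASN ownership lookup done elsewhere."""
    try:
        sni = parse_client_hello(record)["sni"]
    except (ValueError, struct.error, IndexError):
        return False
    return bool(sni and sni.lower() == SPECULOOS_SNI and not dest_is_microsoft)


if __name__ == "__main__":
    info = parse_client_hello(SPECULOOS_CLIENT_HELLO)
    print(f"SNI={info['sni']} suites={len(info['cipher_suites'])} "
          f"flagged={is_speculoos_candidate(SPECULOOS_CLIENT_HELLO, False)}")
```

The parser handles the TLS 1.0-style layout the indicator uses (legacy version, session id, cipher suites, compression methods, then extensions) and stops at the server_name extension; the match is only meaningful together with the destination check, because a genuine client resolving login.live.com produces the same SNI.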
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2019-19781 [CRITICAL] CWE-22 Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Vulnerability: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Affected: Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance
Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-19781
Remediation Due Date: 2022-05-03
Citrix
CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
vendor_citrix·2019-12-27·CVSS 9.8
CVE-2019-19781 [CRITICAL] CWE-22 CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
CISA KEV: Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution.
Required Action: Apply updates per vendor instructions.
Known ransomware campaign use.
Citrix
Citrix Security Bulletin CTX267027
vendor_citrix·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix Security Bulletin CTX267027
CVE References: CVE-2019-19781, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA
GHSA-jjcm-f6q3-w5xj: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10
ghsa_unreviewed·2022-05-24
CVE-2019-19781 [HIGH] CWE-22 GHSA-jjcm-f6q3-w5xj: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
VulnCheck
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-19781 [CRITICAL] CWE-22 Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an unspecified vulnerability that could allow an unauthenticated attacker to perform code execution.
Affected: Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html; https://cisa.gov/news-events/alerts/2020/01/23/citrix-releases-security-updates-sd-wan-wanop; https://diriga.com/2020/02/26/bretagne-telecom-fell-victim-of-doppelpaymer-
Suricata
ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)
suricata·2022-02-05·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpns/cfg/smb.con"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035110; rev:2; metadata:created_at 2022_02_05, cve CVE_2019_19781, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_05;)
Suricata
ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)
suricata·2022-02-05·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)
Rule: alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)"; flow:established,to_client; http.stat_code; content:"200"; http.response_header; header_lowercase; content:"via|3a 20|NS-CACHE-"; startswith; http.response_body; content:"|5b|global|5d|"; startswith; content:"encrypt passwords"; distance:0; fast_pattern; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035111; rev:3; metadata:attack_target Server, created_at 2022_02_05, cve CVE_2019_19781, deployment Perimeter, d
Suricata
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4
suricata·2022-02-05·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2035109; rev:2; metadata:attack_target Server, created_at 2022_02_05, cve CVE_2019_19781, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_02_05, mitre_tactic_id TA00
Suricata
ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)
suricata·2021-10-28·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/newbm.pl"; nocase; fast_pattern; endswith; http.header_names; to_lowercase; content:"|0d 0a|nsc_user|0d 0a|"; nocase; content:"|0d 0a|nsc_nonce|0d 0a|"; nocase; http.request_body; content:"template.new"; nocase; content:"url="; nocase; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2034279; rev:3; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2019_19781, deployment Perimeter, deployment Internal, confidence High,
Suricata
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2
suricata·2020-01-13·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.request_header; header_lowercase; content:"nsc_user|3a 20|"; startswith; content:"/../"; http.header_names; to_lowercase; content:"|0d 0a|nsc_nonce|0d 0a|"; content:"|0d 0a|nsc_user|0d 0a|"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, cve CVE_2019_19781, deployment Per
Suricata
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
suricata·2019-12-30·CVSS 9.8
CVE-2019-19781 [CRITICAL] ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:5; metadata:attack_target Server, created_at 2019_12_30, cve CVE_2019_19781, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, m
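The six Emerging Threats rules above, together with the "monitor for directory traversal sequences in HTTP/S requests" note in the Detection & IOCs section, describe the same request- and response-side conditions. As an added example (not the ET rules themselves and not code from any source on this page), the following Python re-implements those conditions as a log-side checker and runs it over constructed sample requests. The hostnames, header values and body strings are placeholders built only to satisfy or miss each rule's content checks, and the `HttpRequest`/`HttpResponse` types are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Raw-URI traversal pattern taken from the ET rules above: "/" or "%2F", two of
# "." or "%2E", then "/" or "%2F". It is applied to the un-normalized URI.
TRAVERSAL_RE = re.compile(r"(?:(?:%2F|/)(?:\.|%2E){2}(?:%2F|/))", re.IGNORECASE)


@dataclass
class HttpRequest:                       # example's own type, not Suricata's
    method: str
    uri: str                             # request-target exactly as sent
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class HttpResponse:                      # example's own type, not Suricata's
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def match_request(req: HttpRequest) -> List[int]:
    """Return the sids of the ET request rules above whose conditions hold.
    Each branch mirrors one rule; header-name matching is case-insensitive,
    mirroring the rules' header_lowercase / to_lowercase modifiers."""
    hits: List[int] = []
    uri_lc = req.uri.lower()
    hdr = {k.lower(): v for k, v in req.headers.items()}
    has_nsc = "nsc_user" in hdr and "nsc_nonce" in hdr
    body_lc = req.body.lower()
    if "/vpns/" in uri_lc:
        if "/../" in req.uri:                                   # sid 2029206
            hits.append(2029206)
        if TRAVERSAL_RE.search(req.uri):                        # sid 2035109 (M4)
            hits.append(2035109)
        if (req.method == "GET" and "/vpns/cfg/smb.con" in uri_lc
                and TRAVERSAL_RE.search(req.uri)):              # sid 2035110
            hits.append(2035110)
        if has_nsc and "/../" in hdr["nsc_user"]:               # sid 2029255 (M2)
            hits.append(2029255)
    if (req.method == "POST" and uri_lc.endswith("/newbm.pl") and has_nsc
            and "template.new" in body_lc and "url=" in body_lc):  # sid 2034279 (M1)
        hits.append(2034279)
    return hits


def match_response(resp: HttpResponse) -> List[int]:
    """sid 2035111: a 200 whose Via header marks a NetScaler (NS-CACHE-) and
    whose body looks like smb.conf ([global] first, 'encrypt passwords' later)."""
    hdr = {k.lower(): v for k, v in resp.headers.items()}
    if (resp.status == 200 and hdr.get("via", "").startswith("NS-CACHE-")
            and resp.body.startswith("[global]")
            and "encrypt passwords" in resp.body):
        return [2035111]
    return []


def scan(requests: List[HttpRequest]) -> List[Tuple[str, str, List[int]]]:
    """(method, uri, sids) for every request that matched at least one rule."""
    out = []
    for r in requests:
        sids = match_request(r)
        if sids:
            out.append((r.method, r.uri, sids))
    return out


# Constructed sample traffic (not captured data): a benign request, a literal and
# a URL-encoded smb.conf probe, and a POST carrying the newbm.pl/NSC_* indicators
# from sids 2029255 and 2034279 with placeholder values.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "/vpn/index.html", {"Host": "gw.example.invalid"}),
    HttpRequest("GET", "/vpn/../vpns/cfg/smb.conf", {"Host": "gw.example.invalid"}),
    HttpRequest("GET", "/vpn/%2E%2E/vpns/cfg/smb.conf", {"Host": "gw.example.invalid"}),
    HttpRequest("POST", "/vpn/../vpns/placeholder/newbm.pl",
                {"Host": "gw.example.invalid", "NSC_USER": "/../placeholder",
                 "NSC_NONCE": "placeholder"},
                body="url=http://example.invalid&title=template.new-placeholder"),
]
SAMPLE_RESPONSE = HttpResponse(200, {"Via": "NS-CACHE-10.0: 10"},
                               "[global]\n\tencrypt passwords = yes\n")

if __name__ == "__main__":
    for method, uri, sids in scan(SAMPLE_REQUESTS):
        print(f"{method} {uri} -> {sids}")
    print("response ->", match_response(SAMPLE_RESPONSE))
```

Two caveats carry over from the rules themselves: `TRAVERSAL_RE` only covers the encodings the ET pcre lists (literal and single percent-encoded dots and slashes), so a production checker should canonicalize the URI before matching; and the sid 2029255 branch approximates Suricata's "nsc_user: ... /../" header-buffer check by looking inside the NSC_USER value, which is the case the rule is aimed at.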
Exploit-DB
Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
exploitdb·2020-01-16·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
---
# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Date: 2019-12-17
# CVE: CVE-2019-19781
# Vulnerability: Path Traversal
# Vulnerability Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE
Exploit-DB
Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)
exploitdb·2020-01-13
CVE-2019-19781 Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Citrix ADC Remote Code Execution',
'Description' => %q(
An issue was discovered in Citrix Application Delivery Controller (ADC)
and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
),
'Author' => [
'RAMELLA Sébastien' # https://www.pirates.re/
],
'References' => [
['CVE', '2019-19781'],
['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],
['EDB', '47901'],
['EDB', '47902']
],
'DisclosureDate' => '2019-12-17',
'License' => MSF_LICENSE,
'Platform' => ['unix'
Exploit-DB
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
exploitdb·2020-01-11·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
---
#!/bin/bash
# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
# Usage : bash CVE-2019-19781.sh IP_OF_VULNERABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
# Release Date : 11/01/2020
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
echo "=================================================================================
___ _ _ ____ ___ _ _
| _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _
| _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' |
|_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_|
|__/ C
Exploit-DB
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
exploitdb·2020-01-11·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
---
#!/usr/bin/python3
#
# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
#
# You only need a listener like netcat to catch the shell.
#
# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
#
# Tool Written by: Rob Simon and David Kennedy
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
import random
import string
import time
from random import randint
import argparse
import sys
# random string generator
def randomString(stringLength=10):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))
# our random s
Metasploit
Citrix ADC (NetScaler) Directory Traversal Scanner
metasploit·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix ADC (NetScaler) Directory Traversal Scanner
This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a "[global]" directive in smb.conf, which this file should always contain.
Nuclei
Citrix ADC and Gateway - Directory Traversal
nuclei·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix ADC and Gateway - Directory Traversal
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are susceptible to directory traversal vulnerabilities.
Template:
id: CVE-2019-19781
info:
  name: Citrix ADC and Gateway - Directory Traversal
  author: organiccrap,geeknik
  severity: critical
  description: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are susceptible to directory traversal vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, potential data leakage, and further compromise of the affected system.
  remediation: |
    Apply the necessary security patches provided by Citrix to fix the directory traversal vulnerability.
  reference:
Metasploit
Citrix ADC (NetScaler) Directory Traversal RCE
metasploit
This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.
Tenable
CVE-2025-7775 Citrix RCE Zero-day
blogs_tenable·2025-08-26·CVSS 9.2
[CRITICAL] CVE-2025-7775 Citrix RCE Zero-day
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable·2024-10-22
Bleepingcomputer
Iranian hackers work with ransomware gangs to extort breached orgs
blogs_bleepingcomputer·2024-08-28·CVSS 8.6
[HIGH] Iranian hackers work with ransomware gangs to extort breached orgs
By Sergiu Gatlan
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
The threat group (also tracked as Fox Kitten, UNC757, and Parisite) has been active since at least 2017 and is believed to have a suspected nexus to the Iranian government.
As CISA, the FBI, and the Defense Department's Cyber Crime Center warned today in a joint advisory, the attackers are monetizing their access to compromised organizations' networks by selling domain admin credentials and full domain control privileges on cyber marketplaces while using the 'Br0k3r' and,
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
Tenable
CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
blogs_tenable·2023-10-18·CVSS 9.4
[CRITICAL] CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
Tenable
CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
blogs_tenable·2023-07-18·CVSS 9.8
[CRITICAL] CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
Qualys
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
blogs_qualys·2023-07-18
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with the Qualys VMDR and TruRisk
Assess Your Organization's Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Sentinelone
NetWalker
blogs_sentinelone·2022-11-30
Sentinelone
REvil
blogs_sentinelone·2022-11-30
Sentinelone
Maze
blogs_sentinelone·2022-11-30
Tenable
CVE-2022-27510: Critical Citrix ADC and Gateway Authentication Bypass Vulnerability
blogs_tenable·2022-11-09·CVSS 9.8
Trendmicro
Security Gaps in Remote Workplaces
blogs_trendmicro·2022-10-19
Malware
## Security Gaps in Remote Workplaces
Remote and hybrid workplaces are now the norm. We analyzed the risks and threats they face and give companies detailed recommendations on how to secure these distributed workforces.
By: Trend Micro Oct 19, 2022
Companies are now either returning to office work, switching permanently to remote work, or opting for a combination of both. Each of these approaches has its advantages and disadvantages, but from a cybersecurity perspective the latter two bring some challenges and draw attention to security gaps.
In the case of hybrid and work-from-home (WFH) workplaces, employees no longer enjoy the
Qualys
NSA Alert: Topmost CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
blogs_qualys·2022-10-07·CVSS 10.0
## Table of Contents
Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0
Identify Vulnerable Assets using Qualys Threat Protection
Recommendations & Mitigations
Contributors
On October 6, 2022, the United States National Security Agency (NSA) released a cybersecurity advisory on the activity of People's Republic of China (PRC) state-sponsored cyber actors in pursuit of national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a range of industries and organizations in the United States. The advisory lists the top CVEs used since 2020 by PRC state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and I
Tenable
Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
blogs_tenable·2022-10-07
Qualys
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
blogs_qualys·2022-02-26
## Table of Contents
Protecting Customer Data on Qualys Cloud Platform
Urgent: Assess and Heighten Your Security Posture
Step 1: Monitor Your Shodan/Internet Exposed Assets
Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities
Step 3: Protect Your Cloud Services and Office 365
Step 4: Continuously Detect any Potential Threats and Attacks
Take Action to Learn More about How to Strengthen Your Defenses
CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA’s recommendations.
With the invasion of Ukraine by Russia, the U.
Tenable
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
blogs_tenable·2022-02-24
Unit42
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
blogs_unit42·2022-02-22
Threat Research Center · Threat Research · Malware
## Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
Unit 42
Published: February 22, 2022
Malware, Threat Research, DDoS, Defacement, Gamaredon, HermeticWiper, Nation-state, Russia, Trident Ursa, Ukraine, WhisperGate
## Executive Summary
Over the past several weeks, Russia-Ukraine cyber activity has escalated substantially. Beginning on Feb. 15, a series of distributed denial of service (DDoS) attacks commenced. These attacks have continued over the past week, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper malware named HermeticWiper was discovered in Ukraine. Shortly after, a new round of website defacement attacks were also observed impacting Ukrainian government organizations.
Consistent with our previous reporting on the topic, several western governments have issued recommendations for their populations to prepare for cyberattacks that could disrupt, disable or destroy critical infrastructure. We have already observed an increase in Russian c
Tenable
CISA’s Binding Operational Directive on Managing Unacceptable Risk Vulnerabilities in Federal Enterprises Is Key to Stopping Federal Cyberattacks
blogs_tenable·2021-11-03
Tenable
Examining the Treat Landscape
blogs_tenable·2021-10-29
Trendmicro
CISA Reports Top Vulnerabilities From Remote Work
blogs_trendmicro·2021-09-21·CVSS 9.1
Exploits & Vulnerabilities
## CISA Reports Top Vulnerabilities From Remote Work
Trend Micro’s Next-Generation IPS protects organizations from threats as attackers now target remote work-related vulnerabilities.
By: Jon Clay Sep 21, 2021
As COVID-19 moves people to the cloud, cyber actors now aim at shooting the sky.
On July 28, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the top exploited vulnerabilities in 2020 and 2021. The report shows that the attackers’ favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.
As remote work became widespread, cyber actors have been taking advantage of the young, unp
Huntress
The Top Four CVEs Attackers Exploit | Huntress
blogs_huntress·2021-09-21·CVSS 9.8
While the move to remote work last year gave many of us comforts such as working in our pajamas and being 10 steps away from the fridge, it’s been a bit of a nightmare for those who work in cybersecurity.
The Institute for Security and Technology reports that in 2020, the victims of ransomware attacks paid $350M in ransom, a more than 300% increase over the previous year. By this year's end, it's predicted that cybercrime will cost the world $6 trillion. While cybercrime is a lucrative gig for hackers, it's expensive for the rest of us, and unfortunately it's only getting worse with remote work.
In many ways, remote work has removed many of the security measures that organizations typically put in place to keep their data and networks secure. For example, corporate networks usually only
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable·2021-08-25
Checkpoint
23rd August – Threat Intelligence Report
blogs_checkpoint·2021-08-23
## 23rd August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd August, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
The Hive ransomware gang has encrypted computers of Memorial Health System, a chain that operates hospitals and clinics in the US, eventually forcing workers to operate with paper charts and cancel surgeries. Although Hive had previously used “double-extortion” techniques, according to MHS, patients’ data was not stolen.
Ch
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29·CVSS 10.0
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
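The CISA guidance excerpted in this entry, and the "Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities" step in the Qualys Shields Up entry above, both say the same thing: patch CVEs that are already known to be exploited and reachable from the internet before anything else. The Python below is an added example of that ranking, not code from Qualys, Tenable or CISA. It assumes a scanner export with the four fields shown and a KEV-shaped JSON document; the host names, the scan rows and the two-entry KEV sample are constructed for the example (the sample uses the public catalog's field names but is not the live catalog), and the CVE IDs are the ones that appear on this page.

```python
"""Rank scanner findings using a CISA KEV-shaped catalog.

Added example, not code from Qualys, Tenable or CISA. The KEV entries and the
scan findings are constructed sample data: the KEV entries follow the field
names of the public catalog JSON (cveID, vendorProject, product, dateAdded,
dueDate, knownRansomwareCampaignUse) but are not the live catalog and
deliberately omit one CVE so the non-KEV path is exercised.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the layout of the KEV JSON feed (assumption: field
# names as published; the values are sample data, not the live catalog).
KEV_SAMPLE_JSON = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2019-19781", "vendorProject": "Citrix",
         "product": "ADC and Gateway", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet",
         "product": "FortiOS", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability-scanner export (constructed shape)."""
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool


# Constructed scan export: hypothetical host names, CVE IDs from this page.
SAMPLE_FINDINGS = [
    Finding("adc-lab", "CVE-2022-27510", 9.8, False),
    Finding("adc-internal", "CVE-2019-19781", 9.8, False),
    Finding("vpn-gw-02", "CVE-2018-13379", 9.8, True),
    Finding("vpn-gw-01", "CVE-2019-19781", 9.8, True),
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(findings, kev_json: str, as_of: str) -> list:
    """Return findings as dicts, ranked so the ones the advisories say to
    patch first come first: in KEV, then internet-reachable, then tied to a
    known ransomware campaign, then earliest KEV due date, then CVSS.

    as_of is an ISO date (YYYY-MM-DD) used to flag findings past their KEV
    due date.
    """
    kev = load_kev(kev_json)
    today = date.fromisoformat(as_of)
    rows = []
    for f in findings:
        entry = kev.get(f.cve)
        in_kev = entry is not None
        due = entry["dueDate"] if in_kev else None
        rows.append({
            "asset": f.asset,
            "cve": f.cve,
            "cvss": f.cvss,
            "internet_exposed": f.internet_exposed,
            "in_kev": in_kev,
            "ransomware": in_kev and entry.get("knownRansomwareCampaignUse") == "Known",
            "due_date": due,
            "overdue": in_kev and date.fromisoformat(due) < today,
        })
    # False sorts before True, so negate the booleans we want ranked first.
    rows.sort(key=lambda r: (
        not r["in_kev"],
        not r["internet_exposed"],
        not r["ransomware"],
        r["due_date"] or "9999-12-31",   # ISO dates sort lexicographically
        -r["cvss"],
        r["asset"],
    ))
    for rank, r in enumerate(rows, start=1):
        r["rank"] = rank
    return rows


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, KEV_SAMPLE_JSON, "2022-06-01"):
        flags = ("KEV" if r["in_kev"] else "   ") + (" OVERDUE" if r["overdue"] else "")
        print(f'{r["rank"]}. {r["asset"]:<14} {r["cve"]:<15} cvss={r["cvss"]} {flags}')
```

The ordering puts CVSS last on purpose: every finding in the sample is 9.8, and the advisories' point is that a score alone does not separate the exposed, known-exploited Citrix and Fortinet gateways from an internal lab box with an equally scored but not-yet-exploited flaw. To run against real data, replace `KEV_SAMPLE_JSON` with the downloaded catalog and build `Finding` rows from your scanner's export.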
Tenable
Focus on the Fundamentals: 6 Steps to Defend Against Ransomware
blogs_tenable·2021-07-21
Trendmicro
Nefilim Ransomware Attack Through a MITRE Att&ck Lens
blogs_trendmicro·2021-06-28
# Nefilim Ransomware Attack Through a MITRE Att&ck Lens
Follow the story of Company X as they suffer an attack from the notorious modern ransomware family, Nefilim, and their affiliates, to learn how you can better mitigate against the common tactics and techniques used in these attacks.
By: Trend Micro 2021/06/28
Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that we track under the intrusion set "Water Roc". This group combines advanced techniques with legitimate tools, making them significantly harder to detect and respond to before it is too late.
This allows them to remain undetected in the system for weeks, navigating across the environment to maxim
Trendmicro
The Double Extortion Tactic of Modern Ransomware
blogs_trendmicro·2021-06-10
Ransomware
## The Double Extortion Tactic of Modern Ransomware
Using a detailed case study of the Nefilim ransomware family, we show how modern ransomware actors use targeted techniques and which organizations are in the crosshairs of these attacks.
By: Trend Micro Jun 10, 2021
Original article by Trend Micro
Ransomware has been a persistent threat for years, and it continues to evolve. The broad adoption of advanced cybersecurity technologies and improved ransomware response processes have curbed the success of traditional extortion attacks. Cybercriminals are therefore refining their strategies. Using a detailed case study of the Nefilim ransomware family, we show how modern ransomware actors use targeted techniques and which organizations are in the crosshairs of these attacks.
Qualys
Nefilim Ransomware
blogs_qualys·2021-05-12·CVSS 9.8
## Table of Contents
About Nefilim Ransomware
Technical Details
High-Profile Attacks Taking a Toll
Mitigation or Additional Important Safety Measures
Nefilim TTP Map
Indicators of Compromise (IOCs)
References
Over the past year there has been a rise in extortion malware that focuses on stealing sensitive data and threatening to publish the data unless a ransom is paid. This technique bypasses some of the mitigations put in place, such as backups, which would allow IT organizations to recover data without having to pay such a ransom. One of the more popular ransomware families over the last few months to switch to this extortion tactic was Nefilim.
## About Nefilim Ransomware
Nefilim ransomware emerged in March 2020 when Nemty operators quit the ransomware as a service model to co
Trendmicro
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions
blogs_trendmicro·2021-04-28
Cyber Threats
## How Trend Micro Helps Manage Exploited Vulnerabilities
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.
By: Jon Clay 2021/04/28
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Exploiting known vulnerabilities to successfully compromise an organization has long been a common tactic used by malicious actors. Whether Heartbleed, EternalBlue, or most recently Zerologon, threat actors take advantage of newly disclosed vulnerabilities in their attacks. But even with thousands of new vulnerabilities
Trendmicro
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions
blogs_trendmicro·2021-04-28
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions
Cyber Threats
# How Trend Micro Helps Manage Exploited Vulnerabilities
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.
By: Jon Clay
2021/04/28
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Exploiting known vulnerabilities to successfully compromise an organization has long been a common tactic used by malicious actors. Whether Heartbleed, EternalBlue, or most recently Zerologon, threat actors take advantage of newly disclosed vulnerabilities in their attacks. But even with thousands o
Checkpoint
19th April – Threat Intelligence Report
blogs_checkpoint·2021-04-19·CVSS 9.8
CVE-2018-13379 [CRITICAL] 19th April – Threat Intelligence Report
## 19th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have published a joint advisory warning that a Russia-linked APT group, APT25, is exploiting five vulnerabilities in an ongoing attack against U.S. targets.
Check Point IPS provide
Talos
Threat Advisory: NSA SVR Advisory Coverage
blogs_talos·2021-04-15·CVSS 9.1
[CRITICAL] Threat Advisory: NSA SVR Advisory Coverage
## Threat Advisory: NSA SVR Advisory Coverage
The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.
The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities
Tenable
Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches
blogs_tenable·2021-03-10
Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches
Tenable
CVE-2021-21972: VMware vCenter Server Remote Code Execution Vulnerability
blogs_tenable·2021-02-24·CVSS 9.8
[CRITICAL] CVE-2021-21972: VMware vCenter Server Remote Code Execution Vulnerability
Trendmicro
An Analysis of the Nefilim Ransomware
blogs_trendmicro·2021-02-23·CVSS 9.8
[CRITICAL] An Analysis of the Nefilim Ransomware
Ransomware
# An Analysis of the Nefilim Ransomware
Nefilim is known for its double extortion capabilities and notable attacks in 2020. We give an overview of its techniques and tools in this entry.
By: Janus Agcaoili, Byron Gelera
2021/02/23
Nefilim is among the notable ransomware variants that use double extortion tactics in their campaigns. First discovered in March 2020, Nefilim threatens to release victims’ stolen data to coerce them into paying the ransom. Aside from its use of this tactic, another notable characteristic of Nefilim is its similarity to Nemty; in fact, it is believed to be an evolved version of the older ransomware.
We provide a brief analysis of this active ransomware and how to defend systems against it.
Technical Details
In
Tenable
CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited in the Wild
blogs_tenable·2021-02-04·CVSS 9.8
[CRITICAL] CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited in the Wild
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Threat Brief: FireEye Red Team Tool Breach
## Threat Brief: FireEye Red Team Tool Breach
Unit 42
Published: December 10, 2020
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
[HIGH] FireEye Red Team Tool Breach | Fortinet
FireEye Red Team Tool Breach
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation-state threat actor, so we do not expect to see these tools widely abused in the wild; however, with the additional information provided by FireEye, Fortinet has been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
blogs_qualys·2020-12-10
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the securit
Zscaler
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
blogs_zscaler·2020-12-09
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
blogs_tenable·2020-10-23
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Qualys
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities | Qualys
blogs_qualys·2020-10-22·CVSS 9.8
CVE-2020-15505 [CRITICAL] NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities | Qualys
#### Table of Contents
- Detect 25 Publicly Known Vulnerabilities using VMDR
Update November 25, 2020: The UK National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability (CVE-2020-15505).
Original post: On October 20, 2020, the United States National Security Agency (NSA) released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.
“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts,” said the NSA advisory. It also recommended “crit
Tenable
CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
blogs_tenable·2020-10-15·CVSS 9.8
[CRITICAL] CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability
Tenable
CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
blogs_tenable·2020-10-12·CVSS 5.5
[MEDIUM] CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
Checkpoint
29th September – Threat Intelligence Bulletin
blogs_checkpoint·2020-09-29·CVSS 10.0
CVE-2020-1472 [CRITICAL] 29th September – Threat Intelligence Bulletin
## 29th September – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 29th September 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Following last week’s emergency directive issued by CISA, Microsoft has warned that attackers are actively exploiting the critical Zerologon vulnerability (CVE-2020-1472) to attack Microsoft Windows servers using publicly available PoC exploits.
Check Point IPS blade provides protection against this threat (Mi
Tenable
US Cybersecurity Agency CISA Alert: Foreign Threat Actors Continue to Target Unpatched Vulnerabilities
blogs_tenable·2020-09-17
US Cybersecurity Agency CISA Alert: Foreign Threat Actors Continue to Target Unpatched Vulnerabilities
Unit42
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
blogs_unit42·2020-08-26
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
## The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Jay Chen
Published: August 26, 2020
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly availabl
Securelist
Incident Response Analyst Report of 2019
blogs_securelist·2020-08-06
Incident Response Analyst Report of 2019
Table of Contents
- Executive summary
- Recommendations
- Reasons for incident response
- Distribution of reasons for top regions
- Distribution of reasons for industries
- Initial vectors or how adversaries get in
- Tools and exploits
- Attack duration
- Operational metrics
- How fast we responded
- How long response took
- MITRE ATT&CK tactics and techniques
- Conclusion
Authors
- Ayman Shaaban
- Grigory Sablin
- Kaspersky GERT
Download full report (PDF)
As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights,
Tenable
CVE-2020-3452: Cisco Adaptive Security Appliance and Firepower Threat Defense Path Traversal Vulnerability
blogs_tenable·2020-07-23·CVSS 7.5
[HIGH] CVE-2020-3452: Cisco Adaptive Security Appliance and Firepower Threat Defense Path Traversal Vulnerability
Tenable
Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
blogs_tenable·2020-07-22·CVSS 9.8
[CRITICAL] Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
Tenable
CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited
blogs_tenable·2020-07-06·CVSS 9.8
[CRITICAL] CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited
Tenable
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
blogs_tenable·2020-06-29·CVSS 10.0
[CRITICAL] CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
Zscaler
Targeted attacks on Australian Networks | Zscaler Blog
blogs_zscaler·2020-06-18·CVSS 9.8
[CRITICAL] Targeted attacks on Australian Networks | Zscaler Blog
Talos
Quarterly report: Incident Response trends in Summer 2020
blogs_talos·2020-06-15
Quarterly report: Incident Response trends in Summer 2020
By David Liebenberg and Caitlin Huey.
For the fourth quarter in a row, Ryuk dominated the threat landscape in incident response. As we mentioned in last quarter’s report, Ryuk has shifted from relying on commodity trojans to using living-off-the-land tools. This has led to a decrease in observations of attacks leveraging commodity trojans. Email remained the top infection vector, though we observe increased compromises of remote desktop services (RDS) as well as Citrix devices and Pulse VPN. One of the more interesting trends this quarter was the role of the COVID-19 pandemic. Interestingly, we did not observe any engagements in which COVID-19 was used in an attack. However, CTIR has observed the pandemic impacting organizations, affecting their ability to respond and contain cybersecurit
Checkpoint
8th June – Threat Intelligence Bulletin
blogs_checkpoint·2020-06-08·CVSS 9.8
CVE-2019-19781 [CRITICAL] 8th June – Threat Intelligence Bulletin
## 8th June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 8th June 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Westech, a US military missile contractor, has been hit by the Maze ransomware after threat actors compromised its network and stole confidential documents from it. It is suspected that the hackers are of Russian origin, and that they may attempt to sell the stolen data to a foreign state.
Check Point SandBlast and Anti-
Unit42
APT41 Using New Speculoos Backdoor to Target Organizations Globally
blogs_unit42·2020-04-14·CVSS 9.8
CVE-2019-19781 [CRITICAL] APT41 Using New Speculoos Backdoor to Target Organizations Globally
## APT41 Using New Speculoos Backdoor to Target Organizations Globally
Bryan Lee
Robert Falcone
Jen Miller-Osborn
Published: April 13, 2020
## Executive Summary
On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage motivated adversary group known as APT41. This attack campaign was thought to have operated between January 20 and March 11, specifically targeting Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. Based on WildFire and AutoFocus data available to Unit 42, we were able to obtain samples of the payload targeting Citrix appliances, which were executables compiled to run on FreeBSD. We also used this data to identify multiple victims in industries such as healthcare, higher education, manufacturing, government and technology services in multiple regions around the world, such as North America, South America, and
Talos
Quarterly Report: Incident Response trends in Spring 2020
blogs_talos·2020-04-13·CVSS 9.8
[CRITICAL] Quarterly Report: Incident Response trends in Spring 2020
By David Liebenberg.
Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter’s report, ransomware actors have begun threatening to release sensitive information from victims as a means of further compelling them to pay. Additionally, DDoS and coinminer threats reemerged in spring 2020 after absences in the previous quarter. Looking at information from November 2019 through January 2020, ransomware maintains its status as the most prevalent threat, and CTIR has observed some changes in the top ransomware offender — Ryuk.
### Targeting
A wide variety of verticals were once again targeted, including energy and utilities, wholesale and distribution, sports betting, transportation, healthcare, government, manu
Tenable
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
blogs_tenable·2020-04-13
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
Tenable
How COVID-19 Response Is Expanding the Cyberattack Surface
blogs_tenable·2020-03-30
How COVID-19 Response Is Expanding the Cyberattack Surface
Checkpoint
March 2nd – Threat Intelligence Bulletin
blogs_checkpoint·2020-03-02·CVSS 9.8
CVE-2019-19781 [CRITICAL] March 2nd – Threat Intelligence Bulletin
## March 2nd – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of March 2nd 2020, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREA
Krebs
Hackers Were Inside Citrix for Five Months
blogs_krebs·2020-02-19
Hackers Were Inside Citrix for Five Months
Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.
Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.
In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix they had reason to believe cybercrim
Checkpoint
3rd February – Threat Intelligence Bulletin
blogs_checkpoint·2020-02-03·CVSS 9.8
CVE-2019-19871 [CRITICAL] 3rd February – Threat Intelligence Bulletin
## 3rd February – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 3rd February 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Crooks are exploiting the global panic concerning the outbreak of the Coronavirus to infect Japanese users with Emotet through emails pretending to be a notice regarding infection prevention measures.
Check Point SandBlast and Anti-Bot blades provide protection against this threat (Trojan.Win32.Emotet).
The Japane
Talos
Threat Source newsletter (Jan. 30, 2020)
blogs_talos·2020-01-30
Threat Source newsletter (Jan. 30, 2020)
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Be sure to pay close attention Tuesday for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
### Upcoming public engagements
Event: A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presen
Checkpoint
27th January – Threat Intelligence Bulletin
blogs_checkpoint·2020-01-27
CVE-2019-18187 27th January – Threat Intelligence Bulletin
## 27th January – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 20th January 2020, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
UN calls for an investigation on Saudi Arabia’s role in Amazon CEO Jeff Bezos’s phone hack. The alleged attack was carried out via WhatsApp. Bezos was sent a video in 2018 by Saudi Arabia’s crown prince, Mohammed bin Salman, and apparently was infected at that time. Speculations point to NSO as the possible provider of t
Checkpoint
20th January – Threat Intelligence Bulletin
blogs_checkpoint·2020-01-20
CVE-2020-0601 20th January – Threat Intelligence Bulletin
## 20th January – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 20th January 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Hackers have stolen personal information in an attack on the Australian P&N bank. The attack focused on the bank’s CRM system that stored a great deal of sensitive personal and financial information. Australia has also experienced a data breach of a bushfire donation site – hackers abused the outdated Magento CMS u
Tenable
CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available
blogs_tenable·2020-01-17·CVSS 9.8
[CRITICAL] CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available
Unit42
Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
blogs_unit42·2020-01-16·CVSS 9.8
CVE-2019-19781 [CRITICAL] Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
## Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
Yue Guan
Qi Deng
Zhibin Zhang
Siddhart Shibiraj
Zhanhao Chen
Cecilia Hu
John Harrison
Published: January 16, 2020
## Executive Summary
Just before the holidays, a vulnerability was identified in Citrix Application Delivery Controller (ADC) and Citrix Gateway which allowed remote attackers to easily send directory traversal requests, read sensitive information from system configuration files without the need for user authentication and remotely execute arbitrary code. This vulnerability affects all supported product versions and all supported platforms:
• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported build
Talos
New Snort rules protect against recently discovered Citrix vulnerability
blogs_talos·2020-01-13·CVSS 9.8
CVE-2019-19781 [CRITICAL] New Snort rules protect against recently discovered Citrix vulnerability
By Edmund Brumaghin, with contributions from Dalton Schaadt.
## Executive Summary
Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using CVE-2019-19781. A public patch has not yet been released, however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems. This vulnerability, which is a directory traversal vulnerability, affects multiple versions of these products. Since the public disclosure of this vulnerability, several proof-of-concept (Po
Checkpoint
13th January – Threat Intelligence Bulletin
blogs_checkpoint·2020-01-13·CVSS 7.8
CVE-2019-2215 [HIGH] 13th January – Threat Intelligence Bulletin
## 13th January – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 13th January 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Austria’s foreign ministry has suffered a serious cyber-attack, allegedly conducted by a foreign state.
US government-funded low-cost UMX mobile phones include preinstalled “unremovable” malware. The malware, a variant of HiddenAds, is suspected to be of Chinese origin, as is the UMX phone itself.
Three malicious
Tenable
CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available
blogs_tenable·2020-01-10·CVSS 9.8
[CRITICAL] CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available
Qualys
Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)
blogs_qualys·2020-01-09·CVSS 9.8
CVE-2019-19781 [CRITICAL] Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)
Update January 17, 2020: A new detection in Qualys Web Application Scanning was added. See “Detecting with Qualys WAS” below.
Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.
During the week of January 13, attacks on Citrix appliances have intensified. Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.
## About CVE-2019-19781
The vulnerability affects all supported versions of Citrix ADC an
Checkpoint
30th December – Threat Intelligence Bulletin
blogs_checkpoint·2019-12-30
CVE-2019-19781 30th December – Threat Intelligence Bulletin
## 30th December – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 30th December 2019, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point researchers have detected a phishing campaign impersonating the Royal Bank of Canada and other Canadian banks. The attack contained emails sent to targeted customers that use look-alike domains to appear genuine. The emails included PDF attachments, with links to phishing websites that asked for the v
Tenable
CVE-2019-19781: Unauthenticated Remote Code Execution Vulnerability in Citrix ADCs and Gateways
blogs_tenable·2019-12-23·CVSS 9.8
[CRITICAL] CVE-2019-19781: Unauthenticated Remote Code Execution Vulnerability in Citrix ADCs and Gateways
Threat Intel
APT29 (APT29, IRON RITUAL, IRON HEMLOCK)
threat_intel
APT29 (APT29, IRON RITUAL, IRON HEMLOCK)
# Threat Actor Profile: APT29
ATT&CK ID: G0016
Also known as: APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
Suspected origin: Russia
## Overview
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DN
Recorded Future
Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023
blogs_recorded_future
Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023
## Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023
Recent Insikt research analyzes ransomware and vulnerability trends spanning the past six years and offers insights into future expectations.
Ransomware groups exploit vulnerabilities in two distinct categories: those targeted by only a few groups and those widely exploited by several. Each category necessitates different defense strategies. Groups targeting specific vulnerabilities tend to follow particular patterns, enabling companies to prioritize defenses and audits. To defend against unique exploitation, understanding the likely targets and vulnerability types is crucial.
Widely exploited vulnerabilities are found in commonly used enterprise software and are easily exploited through various means like
Threat Intel
APT41 (APT41, Wicked Panda, Brass Typhoon)
threat_intel
APT41 (APT41, Wicked Panda, Brass Typhoon)
# Threat Actor Profile: APT41
ATT&CK ID: G0096
Also known as: APT41, Wicked Panda, Brass Typhoon, BARIUM
Suspected origin: China
## Overview
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 202
Recorded Future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
blogs_recorded_future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
# Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
In response to the COVID-19 pandemic, many organizations have shifted to working from home for the foreseeable future — this means that organizations will have a largely (or entirely) remote workforce for the first time.
This creates a situation that is ripe for cybercriminals and nation-state actors to exploit. As we have observed with the rapid adoption of COVID-19-themed scams and attacks against the Olympics, threat actors — both nation-state and cybercriminal — are quick to exploit new and evolving situations.
For security teams, the sudden change in an organization’s network topology means a vastly expanded attack surface with little time to adapt to the new reality. For employees, generally,
Sentinelone
NetWalker
blogs_sentinelone·CVSS 10.0
[CRITICAL] NetWalker
# NetWalker Ransomware: In-Depth Analysis, Detection, Mitigation, and Removal
## Summary of NetWalker Ransomware
NetWalker ransomware, also known as Mailto, was first seen in mid-2019. It started out as a private service, but eventually switched to a Ransomware-as-a-Service model, which made it more accessible. During the pandemic, NetWalker was especially known for targeting medical and healthcare facilities. It also uses double extortion tactics, asking for payment for a decryptor as well as a promise not to release any stolen data.
## What Does NetWalker Ransomware Target?
NetWalker ransomware has impacted a wide range of victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. The healthcare sector h
Sentinelone
REvil
blogs_sentinelone
REvil
# REvil Ransomware: In-Depth Analysis, Detection, and Mitigation
As if ransomware itself wasn’t dangerous enough, a new type of attack involving ransomware is making waves in the cybersecurity community. Ransomware-as-a-Service (RaaS) operations are becoming more common and more profitable for threat actors looking to launch a variety of attacks. One such operation is known as REvil, and involved a core team of threat actors offering the malware to other attackers for a price.
Although the Russian Federal Security Service claims to have dismantled REvil and charged several of the ransomware group’s members, a deeper look at this type of ransomware and RaaS can help organizations protect themselves against these types of attacks in the future.
## What Is REvil Ransomware?
REvil ransomwa
Sentinelone
Maze
blogs_sentinelone
Maze
# Maze Ransomware: In-Depth Analysis, Detection, and Mitigation
Since its discovery in 2019, Maze ransomware has consistently made headlines due to its infamous attacks on MSPs and its ability to move laterally to other networks. Although this particular strain of ransomware has been used to attack businesses and governmental organizations, its attacks on MSPs are worrying since a single compromise can create a cascade effect on the MSP’s clients, their business partners, and so on.
Maze was reportedly shut down in 2020, but there still exist numerous similar ransomware strains posing threats to businesses around the world today. A deeper understanding of Maze ransomware may help organizations strengthen their cybersecurity defenses against similar types of ransomware attacks in the future.
Recorded Future
Additional Entities Targeted by DarkSide Affiliate, TAG-21; Links to WellMess and Sliver Infrastructure
blogs_recorded_future
## Additional Entities Targeted by DarkSide Affiliate, TAG-21; Links to WellMess and Sliver Infrastructure
## Executive Summary
In mid-May 2021, Insikt Group reported that a further 11 organizations were likely targeted by the same DarkSide affiliate that had compromised Colonial Pipeline. Substantial network communications matching a Recorded Future heuristic behavioral signature were observed on April 27 from 9 of these organizations to a Cobalt Strike command and control (C2) server (176.123.2[.]216) that was used in the operation to target Colonial Pipeline. Insikt Group tracks this ransomware-as-a-service (RaaS) affiliate and its activities internally as TAG-21.
In the two weeks after these organizations were first targeted, 5 of those 9 organizations were also communicating with s
Recorded Future
Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
blogs_recorded_future
## Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface
In response to the COVID-19 pandemic, many organizations have shifted to working from home for the foreseeable future — this means that organizations will have a largely (or entirely) remote workforce for the first time.
This creates a situation that is ripe for cybercriminals and nation-state actors to exploit. As we have observed with the rapid adoption of COVID-19-themed scams and attacks against the Olympics, threat actors — both nation-state and cybercriminal — are quick to exploit new and evolving situations.
For security teams, the sudden change in an organization’s network topology means a vastly expanded attack surface with little time to adapt to the new reality. For employees, generally
Threat Intel
Dragonfly (Dragonfly, TEMP.Isotope, DYMALLOY)
threat_intel
# Threat Actor Profile: Dragonfly
ATT&CK ID: G0035
Also known as: Dragonfly, TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Suspected origin: Russia
## Overview
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 201
Recorded Future
In Before The Lock: ESXi | Recorded Future
blogs_recorded_future
## In Before The Lock: ESXi
## Executive Summary
As organizations continue virtualizing their critical infrastructure and business systems, threat actors deploying ransomware have responded in kind. Between 2021 and 2022 we observed an approximately 3-fold increase in ransomware targeting ESXi, with offerings available from many groups including ALPHV, LockBit, and BlackBasta. We identified and described detection strategies for multiple TTPs that are often seen prior to the dropping of the ransomware payload in order to create detections and mitigations that are based on real-world, threat-actor use of these tools. In addition to providing tool-specific detections such as YARA and Sigma rules, we also identified detections for common enumeration, exploitation, and persistence technique
Huntress
The Top Four CVEs Attackers Exploit | Huntress
blogs_huntress·CVSS 9.8
[CRITICAL] The Top Four CVEs Attackers Exploit | Huntress
While the move to remote work last year gave many of us comforts such as working in our pajamas and being 10 steps away from the fridge, it’s been a bit of a nightmare for those who work in cybersecurity.
The Institute for Security and Technology reports that in 2020, the victims of ransomware attacks paid $350M in ransom—a more than 300% increase over the previous year. By this year’s end, it’s predicted that cybercrime will cost the world $6 trillion. While cybercrime is a lucrative gig for hackers, it's expensive for the rest of us—and unfortunately, it's only getting worse with remote work.
In many ways, remote work has removed many of the security measures that organizations typically put in place to keep their data and networks secure. For example, corporate networks usually only a
arXiv
Automated Attack Testflow Extraction from Cyber Threat Report using BERT for Contextual Analysis
arxiv_fulltext·2025-07-09
Faissal Ahmadou1,
Sepehr Ghaffarzadegan1,
Boubakr Nour4,
Makan Pourzandi4,
Mourad Debbabi1,
Chadi Assi1
1Concordia University, Canada
4Ericsson Security Research, Canada
## Abstract
In the ever-evolving landscape of cybersecurity, the rapid identification and mitigation of Advanced Persistent Threats (APTs) is crucial. Security practitioners rely on detailed threat reports to understand the tactics, techniques, and procedures (TTPs) employed by attackers. However, manually extracting attack testflows from these reports requires elusive knowledge and is time-consuming and prone to errors.
This paper proposes , a novel solution leveraging language models ( BERT) and
arXiv
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
arxiv_fulltext·2025-02-16
Yuning Jiang
0000-0003-4791-8452
National University of Singapore
Singapore
Nay Oo
NCS Cyber Special Ops R&D
Singapore
Qiaoran Meng
National University of Singapore
Singapore
Hoon Wei Lim
NCS Cyber Special Ops R&D
Singapore
Biplab Sikdar
National University of Singapore
Singapore
## Abstract
As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The growing number of vulnerabilities, coupled with resource constraints, makes addressing every vulnerability impractical, thereby rende
- http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html
- http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html
- https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
- https://forms.gle/eDf3DXZAv96oosfj6
- https://support.citrix.com/article/CTX267027
- https://twitter.com/bad_packets/status/1215431625766424576
- https://www.kb.cert.org/vuls/id/619785
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19781
- 2019-12-27: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild