CVE-2021-40539
Published: 2021-09-07
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Priority: P1 (score 100) · Severity: Critical · CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 98.96% (99.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | < 6.1 | 6.1 |
| zohocorp | manageengine_adselfservice_plus | — | — |
Note: the 6.1 version string alone does not tell you whether an instance is fixed. The vendor fix is 6.1 build 6114; 6.1 builds up to and including 6113 remain affected, so compare build numbers rather than the major version.
Detection & IOCs (extracted from sources)
Detections:
- Alert on creation of a kernel service named aswSP_ArPot2 pointing to aswArPot.sys in C:\windows\, used by attackers to disable AV products via DeviceIoControl with IOCTL 0x9988C094.
- Hunt for DeviceIoControl calls using IOCTL code 0x9988C094 against the aswSP_ArPot2 device handle, which is used to terminate security product processes in a loop.
- Detect use of netsh portproxy commands (netsh interface portproxy add v4tov4) as a living-off-the-land lateral movement technique associated with Insidious Taurus/Volt Typhoon post-exploitation of CVE-2021-40539.
- Monitor for creation or modification of the PortProxy registry key at HKLM\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp as an indicator of port-forwarding setup by threat actors post-exploitation.
- Alert on the presence of turnoff.bat (Trojan.BAT.TASKILL.AE), which is dropped by Trigona ransomware to terminate AV-related services and processes after initial access via CVE-2021-40539.
- Detect files with the ._locked extension or filenames prefixed with 'available_for_trial' as indicators of Trigona ransomware encryption activity following CVE-2021-40539 exploitation.
- CVE-2021-40539 was patched in ADSelfService Plus build 6114; flag any instance running build 6113 or earlier as vulnerable to unauthenticated REST API authentication bypass leading to RCE.
Caveats:
- The exact network traffic details for the CVE-2021-40539 exploitation chain in the AvosLocker incident were unavailable, so the precise CVE attribution was inferred from behavioral similarity to previously documented exploitation.
- The Trigona ransomware hashes and IOCs listed are associated with post-exploitation payloads delivered after CVE-2021-40539 initial access, not the exploit itself; they may also be delivered via other initial access vectors.
- The netsh portproxy and PortProxy registry key hunting queries may produce false positives, as these techniques are also used by legitimate network administrators; evaluate results in the context of other identified activity.
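The host-side indicators above, turned into a hunt over event records, as an added example. This is not code from any vendor or source cited on this page; the event records are constructed to mimic Sysmon (EventID 1, 11, 13) and Windows System log 7045 fields, and the hostnames, paths and addresses in them are placeholders. The DeviceIoControl call with IOCTL 0x9988C094 is only visible to kernel or EDR telemetry and is not modelled here.

```python
"""Hunt Windows/Sysmon-style event records for the post-exploitation
indicators this page ties to CVE-2021-40539 intrusions: the aswSP_ArPot2
service loading aswArPot.sys (BYOVD used to kill security products), netsh
portproxy setup and its PortProxy registry key, and Trigona artefacts
(turnoff.bat, the ._locked extension, the 'available_for_trial' prefix).
Added example; the event records below are constructed, not real telemetry."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Suffix match so both ControlSet001 and the CurrentControlSet alias hit.
PORTPROXY_KEY = r"\services\portproxy\v4tov4\tcp"
NETSH_PORTPROXY = re.compile(
    r"netsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4", re.IGNORECASE)


def check(ev: Event) -> List[str]:
    """Return the names of every indicator a single event matches."""
    hits: List[str] = []
    eid = ev.get("EventID", "")
    if eid == "7045":  # System log: a service was installed
        if (ev.get("ServiceName", "").lower() == "aswsp_arpot2"
                or ev.get("ImagePath", "").lower().endswith("aswarpot.sys")):
            hits.append("byovd-aswArPot-service")
    elif eid == "1":  # Sysmon: process creation
        cmd = ev.get("CommandLine", "")
        if NETSH_PORTPROXY.search(cmd):
            hits.append("netsh-portproxy-add")
        if "turnoff.bat" in cmd.lower():
            hits.append("trigona-turnoff-bat")
    elif eid == "13":  # Sysmon: registry value set
        if PORTPROXY_KEY in ev.get("TargetObject", "").lower():
            hits.append("portproxy-registry")
    elif eid == "11":  # Sysmon: file created
        base = ev.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
        if base == "turnoff.bat":
            hits.append("trigona-turnoff-bat")
        if base.endswith("._locked"):
            hits.append("trigona-locked-extension")
        if base.startswith("available_for_trial"):
            hits.append("trigona-trial-prefix")
    return hits


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every event through check() and return (event index, indicator)."""
    return [(i, name) for i, ev in enumerate(events) for name in check(ev)]


# Constructed sample telemetry; hosts, paths and addresses are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8443 "
                    "listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.5"},
    {"EventID": "13", "EventType": "SetValue",
     "TargetObject": r"HKLM\System\ControlSet001\Services\PortProxy\v4tov4\tcp\0.0.0.0/8443",
     "Details": "10.0.0.5/443"},
    {"EventID": "7045", "ServiceName": "aswSP_ArPot2",
     "ImagePath": r"C:\windows\aswArPot.sys", "ServiceType": "kernel mode driver"},
    {"EventID": "11", "TargetFilename": r"C:\Users\Public\turnoff.bat"},
    {"EventID": "11", "TargetFilename": r"C:\Finance\Q3-forecast.xlsx._locked"},
    {"EventID": "11", "TargetFilename": r"C:\Finance\available_for_trial_Q3.xlsx._locked"},
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},               # benign
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\report.docx"},  # benign
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The portproxy matches are the ones to triage with context, per the caveat above: an administrator adding a forwarder produces exactly the same EventID 1 and 13 records, so correlate them with the source host, the user, and whether an ADSelfService Plus instance sits behind the forwarded port.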
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-gww8-rh9f-5mjq: Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution
ghsa_unreviewed · 2022-05-24 · CVE-2021-40539 [CRITICAL] · CWE-287
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
VulnCheck
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
vulncheck · 2021 · CVSS 9.8 · CVE-2021-40539 [CRITICAL] · CWE-55
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://cisa.gov/news-events/alerts/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine-adselfservice
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2021-40539
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
- https://www.microsoft.com/en-us/security/blog/2021/11/08/threat-actor-dev-03
CISA
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CVE-2021-40539 [CRITICAL] · CWE-55
Vulnerability: Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
Affected: Zoho ManageEngine
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-40539
Remediation Due Date: 2021-11-17
Suricata
ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)
suricata · 2021-11-09 · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; within:30; content:"|20|name=|22|Save|22|"; content:"filename=|22|"; pcre:"/^[^\x22]+\.jsp\x22/R"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034364; rev:2; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021
Suricata
ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)
suricata · 2021-11-09 · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/Connection"; http.request_body; content:"methodToCall=openSSLTool"; nocase; content:"+-providerclass"; fast_pattern; content:"+-providerpath"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034365; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Inter
Suricata
ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)
suricata · 2021-11-09 · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; within:30; content:"|20|name=|22|Save|22|"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034363; rev:2; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal,
Suricata
ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)
suricata · 2021-11-09 · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)"; flow:established,to_server; http.uri; content:"/./RestAPI/"; startswith; fast_pattern; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034362; rev:1; metadata:created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
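The four signatures above describe the whole chain on the wire: a request path beginning with /./RestAPI/ (the bypass), a multipart POST whose methodToCall part is "unspecified" with a Save part (the upload, and the .jsp variant of it), and a methodToCall=openSSLTool POST carrying -providerclass/-providerpath arguments (code execution). The following added example re-implements those content matches in Python so they can be tried against captured requests offline. It is not the ET rule text, the Synacktiv exploit, or Zoho's code; the sample requests are constructed, and the hostname and form field names in them are placeholders.

```python
"""Match raw HTTP requests against the detection logic of the four Emerging
Threats signatures for CVE-2021-40539 (sids 2034362-2034365). Added example
for this page; it mirrors the rules' content matches and is not the rules
themselves. All sample requests below are constructed."""
import re
from typing import List, Optional, Tuple


def split_request(raw: bytes) -> Tuple[Optional[bytes], Optional[bytes], bytes]:
    """Return (method, uri, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None, None, body
    return parts[0], parts[1], body


def detect(raw: bytes) -> List[str]:
    """Return every sid whose conditions the request satisfies, in sid
    order, since Suricata evaluates each rule independently."""
    hits: List[str] = []
    method, uri, body = split_request(raw)
    if uri is None:
        return hits
    # sid 2034362: request path begins with "/./RestAPI/". The dot segment is
    # what lets a request reach the REST API handlers without authentication.
    if uri.startswith(b"/./RestAPI/"):
        hits.append("2034362")
    if method != b"POST" or b"/RestAPI/" not in uri:
        return hits
    # sid 2034363: multipart POST whose methodToCall part reads "unspecified"
    # within 30 bytes of the part header (the rule's within:30) and which also
    # carries a "Save" part: the arbitrary file upload.
    part = re.search(rb'form-data; name="methodToCall"(.{0,30})', body, re.DOTALL)
    if part and b"unspecified" in part.group(1) and b' name="Save"' in body:
        hits.append("2034363")
        # sid 2034364: the same upload, with a filename ending in .jsp.
        fname = re.search(rb'filename="([^"]+)"', body)
        if fname and fname.group(1).endswith(b".jsp"):
            hits.append("2034364")
    # sid 2034365: openSSLTool called with -providerclass/-providerpath
    # arguments, i.e. a caller-supplied JAR loaded as a security provider.
    if (b"/RestAPI/Connection" in uri
            and re.search(rb"methodToCall=openSSLTool", body, re.IGNORECASE)
            and b"+-providerclass" in body and b"+-providerpath" in body):
        hits.append("2034365")
    return hits


# Constructed samples (hostname and form field names are placeholders).
BYPASS_PROBE = (b"GET /./RestAPI/Connection HTTP/1.1\r\n"
                b"Host: adsp.example.test\r\n\r\n")

JSP_UPLOAD = (b"POST /./RestAPI/Connection HTTP/1.1\r\n"
              b"Host: adsp.example.test\r\n"
              b"Content-Type: multipart/form-data; boundary=b0\r\n\r\n"
              b'--b0\r\nContent-Disposition: form-data; name="methodToCall"\r\n\r\n'
              b"unspecified\r\n"
              b'--b0\r\nContent-Disposition: form-data; name="Save"\r\n\r\n'
              b"yes\r\n"
              b'--b0\r\nContent-Disposition: form-data; name="file"; filename="x.jsp"\r\n'
              b"Content-Type: application/octet-stream\r\n\r\n"
              b"<%= 1 %>\r\n--b0--\r\n")

OPENSSL_RCE = (b"POST /RestAPI/Connection HTTP/1.1\r\n"
               b"Host: adsp.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"methodToCall=openSSLTool&args=+-providerclass+Hypothetical"
               b"+-providerpath+payload.jar")

BENIGN_POST = (b"POST /RestAPI/Connection HTTP/1.1\r\n"
               b"Host: adsp.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"methodToCall=placeholder")

if __name__ == "__main__":
    for label, req in [("bypass probe", BYPASS_PROBE), ("jsp upload", JSP_UPLOAD),
                       ("openSSLTool", OPENSSL_RCE), ("benign", BENIGN_POST)]:
        print(f"{label:12s} -> {detect(req) or 'no match'}")
```

Two practical points the rules imply: sid 2034362 only sees the bypass if the sensor inspects the raw request path before any normalization strips the dot segment, and sids 2034363/2034365 fire on authenticated admin traffic too, so a hit on them without a preceding 2034362 on the same source is worth checking against the admin audit log before escalating.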
Nuclei
Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
nuclei · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.
Template (excerpt):
```yaml
id: CVE-2021-40539
info:
  name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
  author: daffainfo,pdteam
  severity: critical
  description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the affected application.
  remediation: Upgrade to ADSelfService
```
Metasploit
ManageEngine ADSelfService Plus CVE-2021-40539
metasploit · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus, which is SYSTEM if the product is started as a service.
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16
Google Threat Intelligence Group. Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Tenable
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
blogs_tenable · 2024-11-19
Unit42
Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
blogs_unit42 · 2024-02-14
Published: February 14, 2024 · Tags: High Profile Threats, Nation-State Cyberattacks · Actor aliases: BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, UNC3236, Vanguard Panda, Volt Typhoon (China)
## Executive Summary
Insidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within U.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a major crisis or conflict with the United States. During a hearing on Jan. 31, 2024, FBI director Christopher Wray told the U.S. House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party that Volt Typhoon was “the defining threat of our generation.”
The U.S. government, in collaboration with international government allies, has published two Joint Cybersecurity
Trendmicro
Trigona under the Microscope (original title: Trigona unter der Lupe)
blogs_trendmicro · 2023-11-30 · CVSS 9.8 · [CRITICAL]
Ransomware
Trigona is relatively new, but within a single year of activity it has successfully employed a variety of techniques. The actors' flexibility suggests the group could keep resurfacing under new names.
By: Trend Micro, Nov 30, 2023
The Trigona ransomware emerged in October 2022, and Trend Micro initially tracked it as Water Ungaw. The first ransomware binaries, however, had already been found in June of the previous year. The group claimed to run a lucrative business, to launch attacks worldwide, and to collect 20 to 50% of the proceeds from each successful attack. The operators reportedly also communicated with network
Qualys
Qualys Tackles 2022’s Top Routinely Exploited Cyber Vulnerabilities
blogs_qualys · 2023-08-24
Table of Contents: References · Additional Contributor
A unified front against malicious cyber actors is climactic in the ever-evolving cybersecurity landscape. The joint Cybersecurity Advisory (CSA), a collaboration between leading cybersecurity agencies from the United States, Canada, United Kingdom, Australia, and New Zealand, is a critical guide to strengthen global cyber resilience. The agencies involved include the U.S.’s CISA, NSA, and FBI; Canada’s CCCS; U.K.’s NCSC-UK; Australia’s ACSC; and New Zealand’s NCSC-NZ and CERT NZ.
This collaboration among key cybersecurity agencies highlights the global nature of cybersecurity threats. Such cooperative efforts signify a unified perspective and highlight the need for shared intelligence and coordinated strategies. The realizatio
Sentinelone
Enterprise Security Essentials | Top 12 Most Routinely Exploited Vulnerabilities
blogs_sentinelone · 2023-08-08 · CVSS 9.1 · [CRITICAL]
Leveraging known bugs and unpatched exploits continues to be an unyielding strategy for threat actors. Ranging from security bypasses and credential exposure to remote code execution, software vulnerabilities remain tools of the trade for cyber attackers looking for a way into lucrative systems.
While new flaws found in Active Directory and the MOVEit file transfer application, along with those used in the AlienFox toolkit or recent IceFire ransomware campaigns, have wreaked havoc this year, a number of existing vulnerabilities stand out from the rest in terms of how often they are abused to this day.
In this post, we delve into CISA’s latest round-up, which lists the top 12 most routinely exploited vulnerabilities of 2022 that continue to pose significant threats to enterprise businesses.
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable · 2023-08-03
Sentinelone
Trigona
blogs_sentinelone · 2023-07-13
Trendmicro
An Overview of the Different Versions of the Trigona Ransomware
blogs_trendmicro · 2023-06-23 · CVSS 9.8 · [CRITICAL]
Ransomware
By: Arianne Dela Cruz, Paul Pajares, Ivan Nicole Chavez, Ieriz Nicolle Gonzalez, Nathaniel Morales · 2023/06/23
The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.
Huntress
Calm In The Storm: Reviewing Volt Typhoon
blogs_huntress · 2023-06-08 · CVSS 9.8 · [CRITICAL]
Network owners, operators and defenders find themselves in an increasingly contentious and hostile space, with entities ranging from opportunistic criminal elements to state-directed organizations engaging in various types of computer network intrusion. Through the seemingly endless sequence of blogs, alerts and hyperbolic media reporting, stakeholders may find it increasingly difficult to discern a strong “signal” from intense background “noise.”
In this blog, we will explore recent disclosures concerning an actor referred to as “Volt Typhoon,” assessed to be linked by multiple sources to the People’s Republic of China (PRC). Through this discussion, we will examine how such strategic network intrusion activity can impact and inform organizations that may believe themselves outside the s
Tenable
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
blogs_tenable · 2023-05-25
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability
blogs_tenable · 2023-01-05 · CVSS 9.8 · [CRITICAL]
Checkpoint
12th December – Threat Intelligence Report
blogs_checkpoint · 2022-12-12 · CVSS 9.8 · CVE-2021-40539 [CRITICAL]
For the latest discoveries in cyber research for the week of 12th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The company that holds the World Cup broadcasting rights for sub-Saharan Africa has suffered a series of cyberattacks since the beginning of the tournament, targeting one of its decoding servers.
The New York-based Metropolitan Opera has been a victim of a cyberattack that shut down their website, call center and box o
Qualys
NSA Alert: Topmost CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
blogs_qualys · 2022-10-07 · CVSS 10.0 · [CRITICAL]
Table of Contents: Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 · Identify Vulnerable Assets using Qualys Threat Protection · Recommendations & Mitigations · Contributors
On October 6, 2022, the United States National Security Agency (NSA) released a cybersecurity advisory on activity by People’s Republic of China (PRC) state-sponsored cyber actors pursuing the Chinese government’s national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a range of industries and organizations in the United States. The advisory lists the top CVEs used since 2020 by PRC state-sponsored cyber actors, as evaluated by the National Security Agency (NSA), Cybersecurity and I
Tenable
Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
blogs_tenable · 2022-10-07
Unit42
Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
blogs_unit42·2022-07-21·CVSS 9.8
CVE-2017-5638 [CRITICAL] Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
Unit 42, published July 21, 2022. Tags: Trend Reports, Vulnerabilities, Apache Log4j, CVE-2017-5638, CVE-2017-9841, CVE-2018-19986, CVE-2019-02320, CVE-2019-19597, CVE-2019-9082, CVE-2020-14882, CVE-2020-14883, CVE-2020-15505, CVE-2020-15506, CVE-2020-25078, CVE-2020-5902, CVE-2021-21315, CVE-2021-22986, CVE-2021-26855, CVE-2021-31805, CVE-2021-34473, CVE-2021-35464, CVE-2021-38647, CVE-2021-40438, CVE-2021-40539, CVE-2021-41773, CVE-2021-42013, CVE-2021-44228, CVE-2021-45046, CVE-2022-22963, CVE-2022-22965, Network security trends, Unit 42 Network Threat Trends Research Report
## Executive Summary
Tens of thousands of vulnerabilities are reported every year, but not all are used by threat actors in real-world attacks. There are many reasons for this: a proof of concept (PoC) may not be available for attackers to weaponize, it may be too difficult to exploit the vulnerability, there may be a lack of accessible vulnerable software on the internet, or attackers may simply deem a vulnerability not worth exploiting due to low impact. Real-world defenders need real-world data on which vulnerabilities attackers are choosing to exploit – and where to focus protections.
In the 2022 Unit 42 Network Threat Trends Research Report, we’ve used data captured by the Palo Alto Networks Advanced Threat Prevention security service on Next-Generation Firewall and Prisma SASE from
Qualys
CISA Alert: Top 15 Routinely Exploited Vulnerabilities
blogs_qualys·2022-05-06·CVSS 10.0
[CRITICAL] CISA Alert: Top 15 Routinely Exploited Vulnerabilities
## Table of Contents
CISAs Top 15 Routinely Exploited Vulnerabilities of 2021
Highlights of Top Vulnerabilities Cited in CISA 2021 Report
Log4Shell Vulnerability
ProxyShell: Multiple Vulnerabilities
ProxyLogon: Multiple Vulnerabilities
How Can Qualys Help?
Getting Started
The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment.
The Cybersecurity & Infrastructure Security Agency (CISA) releases detailed alerts of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights in
Trendmicro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
blogs_trendmicro·2022-05-02·CVSS 9.8
[CRITICAL] AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
Ransomware
# AvosLocker Ransomware Variant Abuses Driver File to Disable Antivirus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
By: Christoper Ordonez, Alvin Nieto
2022/05/02
We found samples of AvosLocker ransomware that make use of a legitimate driver file to disable antivirus solutions and evade detection. While previous AvosLocker infections employ similar routines, this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys). In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability Log4shell usin
Sentinelone
Enterprise Security Essentials | Top 15 Most Routinely Exploited Vulnerabilities 2022
blogs_sentinelone·2022-04-28·CVSS 9.8
[CRITICAL] Enterprise Security Essentials | Top 15 Most Routinely Exploited Vulnerabilities 2022
From remote code execution and privilege escalation to security bypasses and path traversal, software vulnerabilities are a threat actor’s stock-in-trade for initial access and compromise. In the past 12 months, we’ve seen a number of new flaws, including Log4Shell, ProxyShell, and ProxyLogon, being exploited in attacks against enterprises. These and other known bugs, some revealed as far back as 2017, continue to be routinely abused in environments where organizations have failed to properly inventory and patch. As CISA released its latest update on the most commonly exploited vulnerabilities, we take a look at each of the top 15 most routinely exploited bugs being used against businesses today.
## 1. Log4Shell (CVE-2021-44228)
Occupying top spot is the notorious flaw in the Apache Java
Unit42
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
blogs_unit42·2022-02-24·CVSS 10.0
CVE-2021-28799 [CRITICAL] SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
Unit 42, published February 24, 2022. Tags: Malware, Threat Research, Vulnerabilities, Advanced Persistent Threat, Backdoor, CVE-2021-28799, CVE-2021-40539, CVE-2021-44077, TiltedTemple, Windows
## Executive Summary
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries. In conducting further analysis of this campaign, we identified another sophisticated tool being used to maintain persistence, which we call SockDetour.
A custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is diffic
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
This Week in Security News - February 18, 2022
blogs_trendmicro·2022-02-18
This Week in Security News - February 18, 2022
Cyber Threats
# This Week in Security News - February 18, 2022
SMS PVA services' use of infected Android phones reveals flaws in SMS verification, and 'Russian state-sponsored cyber actors' cited in hacks of U.S. defense contractors
By: Jon Clay
2022/02/18
Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about how criminals can misuse SMS PVA services to conduct fraud. Also, read about a recent alert from the Cybersecurity and Infrastructure Security Agency on ‘Russian state-sponsored’ cyber actors.
Read on:
SMS PVA Services' Use of Infected Android Phones Reveals Flaws in SMS Verification
There has been an increase in short message ser
Krebs
Red Cross Hack Linked to Iranian Influence Operation?
blogs_krebs·2022-02-16
Red Cross Hack Linked to Iranian Influence Operation?
A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.
On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, viole
Tenable
CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild
blogs_tenable·2021-12-06·CVSS 9.8
[CRITICAL] CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
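To make the KEV catalog actionable for this CVE, here is an added Python example (not Qualys or CISA code): it indexes a KEV feed by CVE ID, matches the entry against an asset inventory, flags ADSelfService Plus builds below 6114 (the first fixed build; 6113 and prior are affected) and reports how far each asset is past the BOD 22-01 due date. The KEV record is a constructed sample that uses the public feed's field names and this CVE's catalog dates; the inventory hosts and builds are hypothetical.

```python
"""Added example: match a CISA KEV catalog extract against an asset
inventory and flag ADSelfService Plus builds affected by CVE-2021-40539.
Not Qualys or CISA code. KEV_SAMPLE is a constructed record that mirrors
the field names of the public KEV JSON feed; INVENTORY is hypothetical."""
import json
from datetime import date

# Constructed sample in the shape of the public KEV feed
# (known_exploited_vulnerabilities.json). The dates are this CVE's
# dateAdded / dueDate under BOD 22-01.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [{
        "cveID": "CVE-2021-40539",
        "vendorProject": "Zoho",
        "product": "ManageEngine ADSelfService Plus",
        "vulnerabilityName": "Zoho ManageEngine ADSelfService Plus "
                             "Authentication Bypass Vulnerability",
        "dateAdded": "2021-11-03",
        "shortDescription": "REST API authentication bypass with "
                            "resultant remote code execution.",
        "requiredAction": "Apply updates per vendor instructions.",
        "dueDate": "2021-11-17",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Build 6113 and prior are affected; 6114 is the first fixed build.
FIRST_FIXED_BUILD = 6114

# Hypothetical inventory rows: host, product as reported, build number.
INVENTORY = [
    {"host": "adssp-prod-01", "product": "ManageEngine ADSelfService Plus", "build": 6113},
    {"host": "adssp-prod-02", "product": "ManageEngine ADSelfService Plus", "build": 6114},
    {"host": "adssp-lab-01", "product": "ManageEngine ADSelfService Plus", "build": 6105},
    {"host": "sdp-01", "product": "ManageEngine ServiceDesk Plus", "build": 11305},
]


def load_kev(raw_json: str) -> dict:
    """Index a KEV feed by cveID so per-CVE lookups are direct."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def is_vulnerable_build(build: int) -> bool:
    """True for any build the vendor fix (6114) has not reached."""
    return build < FIRST_FIXED_BUILD


def assess(inventory, kev, today: date, cve_id: str = "CVE-2021-40539"):
    """Return one finding per affected asset with its BOD 22-01 due-date status."""
    entry = kev[cve_id]
    due = date.fromisoformat(entry["dueDate"])
    findings = []
    for asset in inventory:
        if asset["product"] != entry["product"]:
            continue  # other product line; not in scope for this CVE
        if not is_vulnerable_build(asset["build"]):
            continue
        findings.append({
            "host": asset["host"],
            "build": asset["build"],
            "cve": cve_id,
            "due": due.isoformat(),
            "days_overdue": max(0, (today - due).days),
            # KEV records ransomware use for this CVE; surface it so the
            # finding sorts above other overdue items in a queue.
            "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Most overdue first, then oldest build.
    findings.sort(key=lambda f: (-f["days_overdue"], f["build"]))
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, load_kev(KEV_SAMPLE), date(2021, 11, 20)):
        print(finding)
```

The product match is deliberately exact: a loose substring match would pull ServiceDesk Plus into a finding for an ADSelfService Plus CVE, so normalize product names at inventory-ingest time rather than in the matcher.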
Unit42
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
blogs_unit42·2021-11-08
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
## Executive Summary
On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability.
As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, ex
By Robert Falcone, Jeff White and Peter Renals; published November 7, 2021. Tags: Nation-State Cyberattacks, Threat Research, Vulnerabilities, Advanced Persistent Threat, Backdoor, Credential Harvesting, Credential stealer, KdcSponge, ManageEngine, NGLite, TiltedTemple, Trojan, Zoho ManageEngine
Checkpoint
13th September – Threat Intelligence Report
blogs_checkpoint·2021-09-13·CVSS 9.8
CVE-2018-13379 [CRITICAL] 13th September – Threat Intelligence Report
## 13th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th September, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Mēris, a new distributed denial-of-service (DDoS) botnet, has broken a record with a 21.8 million requests-per-second attack on Russian internet company Yandex; 250,000 devices are assumed to be compromised.
MyRepublic, a Singaporean communications services company, has disclosed a data breach exposing government ID c
Sentinelone
Trigona
blogs_sentinelone
Trigona
# Trigona Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is Trigona Ransomware?
Trigona is a ransomware family that was first observed in June 2022. A multi-extortion group, Trigona hosts a public blog of victims as well as their stolen data. Their malware payloads have been observed on Windows and Linux, although the Windows version far precedes its Linux-based counterpart.
Trigona attempts to extort targeted victims with intimidating time requirements. Trigona victims are instructed, per an .HTA-format ransom note, to enter their unique key for specific instructions. Victims are then led to a TOR-based payment portal where the group prefers to accept Monero (XMR) payments. This portal can also be used to make payments or “support requests” to the attacker.
## What D
Huntress
Calm In The Storm: Reviewing Volt Typhoon | Huntress
blogs_huntress·CVSS 9.8
[CRITICAL] Calm In The Storm: Reviewing Volt Typhoon | Huntress
Network owners, operators and defenders find themselves in an increasingly contentious and hostile space, with entities ranging from opportunistic criminal elements to state-directed organizations engaging in various types of computer network intrusion. Through the seemingly endless sequence of blogs, alerts and hyperbolic media reporting, stakeholders may find it increasingly difficult to discern a strong “signal” from intense background “noise.”
In this blog, we will explore recent disclosures concerning an actor referred to as “Volt Typhoon,” assessed to be linked by multiple sources to the People’s Republic of China (PRC). Through this discussion, we will examine how such strategic network intrusion activity can impact and inform organizations that may believe themselves outside the s
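Volt Typhoon intrusions are documented as relying on living-off-the-land tooling, including netsh portproxy rules to forward traffic through compromised hosts. The following added Python example (not Huntress code) shows the detection logic a SOC would run over endpoint telemetry for that technique: it flags netsh portproxy add/set commands in process-creation events and writes under the PortProxy service key in registry events, and renders the listen-to-connect path. The events are constructed records in a Sysmon-like shape; hostnames and addresses are invented.

```python
"""Added example (not Huntress code): flag netsh portproxy port-forwarding
setup, the living-off-the-land lateral-movement technique reported in
Volt Typhoon intrusions, in process-creation and registry-set events.
EVENTS are constructed records in a Sysmon-like shape (EventID 1 =
process create, 13 = registry value set); hosts and IPs are invented."""
import re

# Constructed sample telemetry; not real logs.
EVENTS = [
    {"EventID": 1, "Computer": "ws01",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": ("netsh interface portproxy add v4tov4 listenport=9999 "
                     "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.10.5.20")},
    {"EventID": 1, "Computer": "ws02",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": ("HKLM\\System\\ControlSet001\\Services\\PortProxy\\"
                      "v4tov4\\tcp\\0.0.0.0/9999"),
     "Details": "10.10.5.20/8443"},
    {"EventID": 13, "Computer": "ws03",
     "TargetObject": "HKLM\\System\\ControlSet001\\Services\\Tcpip\\Parameters\\Domain",
     "Details": "corp.example"},
    {"EventID": 1, "Computer": "ws04",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": ("cmd.exe /c NETSH  Int PortProxy ADD v4tov6 listenport=445 "
                     "connectport=445 connectaddress=fd00::10")},
]

# netsh accepts abbreviated context names ("int" for "interface") and is
# case-insensitive, so anchor on what cannot be abbreviated away: netsh,
# the portproxy context, an add/set verb and a v4/v6 mode token.
PORTPROXY_CMD = re.compile(
    r"\bnetsh\b.*?\bportproxy\b.*?\b(?:add|set)\b\s+v[46]tov[46]\b", re.I)
# Rules persist under this service key; the value name is listen
# address/port and the value data is connect address/port.
PORTPROXY_KEY = re.compile(r"\\Services\\PortProxy\\v[46]tov[46]\\tcp\\", re.I)
PARAM = re.compile(
    r"\b(listenport|listenaddress|connectport|connectaddress)=(\S+)", re.I)


def describe_forward(cmdline: str) -> str:
    """Render listen->connect endpoints from a netsh portproxy command line."""
    p = {k.lower(): v for k, v in PARAM.findall(cmdline)}
    listen = f"{p.get('listenaddress', '(unspecified)')}:{p.get('listenport', '?')}"
    connect = f"{p.get('connectaddress', '(unspecified)')}:{p.get('connectport', '?')}"
    return f"{listen}->{connect}"


def detect_portproxy(events):
    """Return one alert per event that creates or modifies a portproxy rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and PORTPROXY_CMD.search(ev.get("CommandLine", "")):
            alerts.append({
                "computer": ev["Computer"],
                "technique": "netsh portproxy rule added (process)",
                "forward": describe_forward(ev["CommandLine"]),
                "evidence": ev["CommandLine"],
            })
        elif ev["EventID"] == 13 and PORTPROXY_KEY.search(ev.get("TargetObject", "")):
            value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
            alerts.append({
                "computer": ev["Computer"],
                "technique": "PortProxy registry value written",
                "forward": f"{value_name}->{ev.get('Details', '')}",
                "evidence": ev["TargetObject"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_portproxy(EVENTS):
        print(alert)
```

Matching on both the command line and the registry key matters: an attacker who writes the PortProxy values directly, or who runs netsh through a renamed copy, bypasses a process-only rule, while the registry rule still fires when the iphlpsvc-backed forwarding is persisted.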
arXiv
A Systematic Approach to Predict the Impact of Cybersecurity Vulnerabilities Using LLMs
arxiv_fulltext·2025-10-19
A Systematic Approach to Predict the Impact of Cybersecurity Vulnerabilities Using LLMs
A Systematic Approach to Predict the Impact of Cybersecurity Vulnerabilities Using LLMs
Anders M H
Simula & University of Oslo
Oslo, Norway
[email protected]
Pierre Lison
Norwegian Computing Center
Oslo, Norway
[email protected]
Leon Moonen
Simula Research Laboratory
Oslo, Norway
[email protected]
## Abstract
Vulnerability databases, such as the National Vulnerability Database (NVD), offer detailed descriptions of Common Vulnerabilities and Exposures (CVEs),
but often lack information on their real-world impact, such as the tactics, techniques, and procedures (TTPs) that adv
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath*
University of Adelaide, Australia
[email protected]
Hussain Ahmad* (*Authors contributed equally to this work. Corresponding author.)
University of Adelaide, Australia
[email protected]
Diksha Goel
CSIRO's Data61, Australia
[email protected]
Muhammad Shuja Syed
SLB, USA
[email protected]
Faheem Ullah
University of Adelaide, Australia
[email protected]
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
References
- http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html
- https://www.manageengine.com
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40539
Timeline
- 2021-09-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild