What Happened? Last week, Cisco announced a pair of powerful vulnerabilities giving remote command execution capability to adversaries targeting Cisco ASA and FTD products by exploiting Cisco ASA series 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X allowing both authentication bypass and complete appliance exploitation, earning a 9.9 CVSS score for one of the most widely…
Summary Salesloft was breached in August, resulting in Drift marketing token re-use in Salesforce based on the popular Salesforce integration. Drift collects quite a bit of information from prospects and customers alike, making the cache of that data gathered from token abuse very useful today as well as down the road. Since August 8th 2025,…
Scattered Spider is a rapidly emerging threat. As a native English-speaking group, it has quickly become a versatile adversary—ranging from data exfiltration to ransomware deployment. It is referenced in numerous analyses, including but not limited to those by CISA, ReliaQuest, AttackIQ, Unit 42, and Google Cloud. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320ahttps://reliaquest.com/blog/scattered-spider-attack-analysis-account-compromisehttps://www.attackiq.com/2025/05/29/emulating-scattered-spiderhttps://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloudhttps://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applicationshttps://www.tidalcyber.com/blog/scattered-spider-evolving-resilient-group-proves-need-for-constant-defender-vigilance Known Scattered Spider aliases are: 0ktapus, oktapus, UNC3944,…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In early November 2022, a targeted intrusion began via email, delivering an HTML file utilizing HTML smuggling. Previously relying on Excel macros, the threat actor adapted to Microsoft’s macro control updates. Upon opening the HTML, a disguised Adobe page prompted a ZIP download with a…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. In mid-Autumn 2021, Kaspersky experts uncovered a ShadowPad malware campaign targeting a national telecom company in Pakistan. The attack, presumed to have begun in winter 2021, exploited MS Exchange vulnerability (CVE-2021-26855) to install a Cobalt…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. In August 2022, analysts uncovered a cyber attack on a government-run Indonesian company by the APT group GhostEmperor. Known since 2021, GhostEmperor specializes in cyberespionage across sectors, employing tactics such as phishing, software exploits, and…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In 2022, a targeted cyberattack employing the WebDav-O malware was identified against a Russian government agency. This malicious activity, linked to the CoughingDown group, spanned back to 2018 and targeted government entities in Belarus. The campaign involved the discovery of multiple WebDav-O variants, with observed…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. Atlassian Confluence faces a critical security threat with an actively exploited unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The injection flaw enables unauthorized users to execute arbitrary code, affecting all versions…
TLP TLP TLP CLEAR Author Sebastien Tricaud Summary This week, we share data from an actively exploited attack from the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes which were compromised. A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This…
TLP TLP TLP CLEAR Author Sebastien Tricaud Summary This scenario automates the download and installation of AnyDesk, a remote desktop software, on a Windows system. It begins by resolving the IP address of the AnyDesk download server through DNS resolution. Subsequently, it simulates a Windows environment for an HTTP request, fetches the AnyDesk.exe file from…
End of content
End of content
