Detecteam Blogs

  • Detecting the Cisco ASA RCE Exploitation 5500-X series attack?

    What Happened? Last week, Cisco announced a pair of critical vulnerabilities that give adversaries remote command execution on Cisco ASA and FTD products, affecting the ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X and allowing both authentication bypass and complete compromise of the appliance, earning a 9.9 CVSS score for one of the most widely…

  • Detecting Salesforce leaks after Salesloft Drift breach

    Summary Salesloft was breached in August, resulting in re-use of Drift marketing tokens against Salesforce through the popular Drift-Salesforce integration. Drift collects quite a bit of information from prospects and customers alike, making the cache of data gathered through token abuse very useful today as well as down the road. Since August 8th 2025,…

  • Scattered Spider: Detection Engineering Dilemma

    Scattered Spider is a rapidly emerging threat. As a native English-speaking group, it has quickly become a versatile adversary—ranging from data exfiltration to ransomware deployment. It is referenced in numerous analyses, including but not limited to those by CISA, ReliaQuest, AttackIQ, Unit 42, and Google Cloud.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    https://reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise
    https://www.attackiq.com/2025/05/29/emulating-scattered-spider
    https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud
    https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
    https://www.tidalcyber.com/blog/scattered-spider-evolving-resilient-group-proves-need-for-constant-defender-vigilance
    Known Scattered Spider aliases are: 0ktapus, oktapus, UNC3944,…

  • Detecteam: The Crossroads of Security and Reality

    Meet Detecteam, your new favorite over-achiever in security detection. We’ve built an innovative pipeline for generating, validating, and deploying detections at scale—without the usual late-night log spelunking or YAML-induced existential dread. What if you could prove detection effectiveness — precision, coverage, and automation — in minutes, not months? Would you still settle for guesswork? We…

  • Shadowpad, PlugX, China Chopper, Stowaway RAT

    TLP:CLEAR. Authors: David Deflache, Sebastien Tricaud. Summary: This week, we share data from another attack being exploited. In mid-Autumn 2021, Kaspersky experts uncovered a ShadowPad malware campaign targeting a national telecom company in Pakistan. The attack, presumed to have begun in winter 2021, exploited the MS Exchange vulnerability CVE-2021-26855 to install a Cobalt…

  • GhostEmperor

    TLP:CLEAR. Authors: David Deflache, Sebastien Tricaud. Summary: This week, we share data from another attack being exploited. In August 2022, analysts uncovered a cyber attack on a government-run Indonesian company by the APT group GhostEmperor. Known since 2021, GhostEmperor specializes in cyberespionage across sectors, employing tactics such as phishing, software exploits, and…

  • Atlassian Confluence Unauthenticated Remote Code Execution

    TLP:CLEAR. Authors: David Deflache, Sebastien Tricaud. Summary: This week, we share data from another attack being exploited. Atlassian Confluence faces a critical security threat: an actively exploited unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The injection flaw enables unauthorized users to execute arbitrary code, affecting all versions…

  • F5 Server Audit

    TLP:CLEAR. Author: Sebastien Tricaud. Summary: This week, we share data from an actively exploited attack listed in the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes that were compromised. A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This…
