Zero-Day Vulnerability Suspected in Attacks on Fortinet Firewalls with Exposed Interfaces
Summary: A new campaign has targeted Fortinet FortiGate firewalls whose management interfaces are exposed to the internet, resulting in unauthorized administrative access and configuration changes. The attackers, likely exploiting a zero-day vulnerability, created new accounts and configured SSL VPN access, giving them a route for lateral movement inside the compromised networks.

Threat Actor: Unknown. Victim: Various organizations

Key Point:

The campaign began in mid-November 2024, with attackers gaining unauthorized access to firewall management interfaces.…
Read More
Javascript Sample – Swift Transaction Report.js
This article analyses a JavaScript file that checks for a Java installation, establishes persistence, and dumps email addresses. Static and dynamic analysis are combined to uncover the file's malicious behaviour. Affected: JavaScript, Java

Key points:

The analysis begins with a JavaScript file named “Swift Transaction Report.js”.…
Read More
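The article above describes static and dynamic analysis of a JavaScript dropper. The following is an added example (this editor's code, not the article's and not the real "Swift Transaction Report.js") of the static half of such a triage: it undoes the common String.fromCharCode obfuscation and then scans the decoded script for a Java-path check, Run-key persistence, and embedded email addresses. SAMPLE_JS is a constructed stand-in and the indicator list is an assumed, minimal set.

```python
"""Static triage of a suspicious .js dropper, in the spirit of the analysis above.

Added example, not the article's code or its sample. SAMPLE_JS is a constructed
stand-in for the kind of script analysed; the indicator list is an assumption.
"""
import re

# Constructed sample: builds a Run-key path from char codes, writes the script's
# own path there, probes the Java directory, and carries recipient addresses.
SAMPLE_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var jv = sh.ExpandEnvironmentStrings("%ProgramFiles%") + "\\Java";
var k = String.fromCharCode(72,75,67,85,92,83,111,102,116,119,97,114,101,92,77,105,99,
  114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,
  86,101,114,115,105,111,110,92,82,117,110,92,85,112,100,97,116,101);
sh.RegWrite(k, WScript.ScriptFullName);
var fso = new ActiveXObject("Scripting.FileSystemObject");
var contacts = "ops@example.com;finance@example.org";
'''

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

# Behavioural indicators matching what the article reports for the sample.
INDICATORS = {
    "wscript_shell": re.compile(r'ActiveXObject\("WScript\.Shell"\)'),
    "filesystem_object": re.compile(r'ActiveXObject\("Scripting\.FileSystemObject"\)'),
    "java_install_check": re.compile(r"\\Java\b|java\.exe|JavaSoft", re.IGNORECASE),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "registry_write": re.compile(r"\.RegWrite\("),
    "script_self_reference": re.compile(r"WScript\.ScriptFullName"),
}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def decode_fromcharcode(src):
    """Replace every String.fromCharCode(...) call with the literal it builds."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, src)


def triage(src):
    """Decode, then report which indicators fire and which addresses are embedded."""
    decoded = decode_fromcharcode(src)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    emails = sorted(set(EMAIL.findall(decoded)))
    return {"indicators": hits, "emails": emails, "decoded": decoded}


if __name__ == "__main__":
    report = triage(SAMPLE_JS)
    print("indicators:", ", ".join(report["indicators"]))
    print("emails:", ", ".join(report["emails"]))
```

Decoding before scanning is the point: the Run-key path is invisible to a plain string search until the char-code call is folded, which is exactly why a static pass alone is often followed by dynamic execution in a sandbox.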
CISA orders agencies to patch BeyondTrust bug exploited in attacks
Summary: CISA has identified a command injection vulnerability in BeyondTrust's software as actively exploited, prompting U.S. federal agencies to secure their networks. The vulnerability was discovered while investigating a breach in which attackers stole an API key; the resulting compromises have been linked to the Chinese state-backed group Silk Typhoon.…
Read More
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [13 January]
Summary: This week’s cybersecurity recap highlights critical vulnerabilities, ongoing exploits, and legal actions against threat actors, emphasizing the importance of proactive security measures. Staying informed about these threats and implementing protective strategies is essential for individuals and organizations alike.

Threat Actor: UNC5337. Victim: Ivanti

Key Point:

A critical vulnerability in Ivanti Connect Secure appliances has been exploited as a zero-day, allowing for remote code execution.…
Read More
VulnNet: Internal – From Recon to Root
This article provides a detailed walkthrough of exploiting a vulnerable machine named VulnNet: Internal. The process covers initial reconnaissance, service enumeration, and privilege escalation to root. Key techniques include Nmap scans, SMB and NFS enumeration, Redis exploitation, and TeamCity manipulation. Affected: VulnNet: Internal

Key points:

Initial reconnaissance performed using Nmap to identify open ports and services.…
Read More
The Most Active Threat Actors of Q1 2025: An In-Depth Analysis
In Q1 2025, various cyber threat actors, including state-sponsored groups and ransomware operators, have intensified their activities, targeting critical infrastructure and private entities globally. Notable groups include Volt Typhoon, Salt Typhoon, RansomHub, Andariel, and emerging hacktivist collectives. Organizations are urged to adopt robust defense strategies to mitigate these threats.…
Read More
Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls – Arctic Wolf
Arctic Wolf has observed a campaign targeting Fortinet FortiGate firewall devices that involves unauthorized logins, account creation, and configuration changes through management interfaces exposed on the public internet. The campaign is likely exploiting a zero-day vulnerability. Organizations are urged to disable public access to firewall management interfaces immediately.…
Read More
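The Arctic Wolf entry above and the first entry on this page describe the same chain: an admin login through an exposed management interface, creation of a new administrator account, and SSL VPN configuration changes. As an added example (this editor's code, not Arctic Wolf's, Fortinet's or the article's), the script below runs that chain as detection logic over FortiOS-style event logs and audits an interface config for admin services exposed on a WAN-role interface. The log lines and config are constructed; the field names (logdesc, user, srcip, action, cfgpath, cfgobj) follow FortiOS event-log conventions, and 10.0.0.0/8 is an assumed trusted network.

```python
"""Triage for the FortiGate management-interface campaign described above.

Added example, not Arctic Wolf's, Fortinet's or the article's code. Log lines
and config are constructed; field names follow FortiOS event-log conventions;
10.0.0.0/8 is an assumed trusted LAN.
"""
import ipaddress
import shlex

SAMPLE_LOGS = [  # constructed, FortiOS-style event log lines
    'date=2024-11-16 time=02:14:03 type=event subtype=system logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.45)" srcip=203.0.113.45 action=login status=success',
    'date=2024-11-16 time=02:15:11 type=event subtype=system logdesc="Object attribute configured" '
    'user="admin" ui="https(203.0.113.45)" action=Add cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]"',
    'date=2024-11-16 time=02:17:40 type=event subtype=system logdesc="Admin login successful" '
    'user="svc_backup" ui="https(203.0.113.45)" srcip=203.0.113.45 action=login status=success',
    'date=2024-11-16 time=02:18:05 type=event subtype=system logdesc="Object attribute configured" '
    'user="svc_backup" ui="https(203.0.113.45)" action=Edit cfgpath="vpn.ssl.settings" '
    'cfgattr="port[443]"',
    'date=2024-11-16 time=09:00:12 type=event subtype=system logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action=login status=success',
]

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
"""

ADMIN_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_fortios_log(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect_campaign_indicators(lines, trusted_nets=("10.0.0.0/8",)):
    """Return (timestamp, indicator, actor, detail) tuples for the campaign's chain."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    created = set()  # admin accounts added inside this log window
    findings = []
    for line in lines:
        f = parse_fortios_log(line)
        ts = f"{f.get('date')} {f.get('time')}"
        user = f.get("user", "?")
        if f.get("logdesc") == "Admin login successful":
            src = f.get("srcip", "")
            if src and not any(ipaddress.ip_address(src) in n for n in nets):
                findings.append((ts, "admin_login_untrusted_source", user, src))
            if user in created:
                findings.append((ts, "login_with_newly_created_admin", user, src))
        elif f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            created.add(f.get("cfgobj", "?"))
            findings.append((ts, "admin_account_created", user, f.get("cfgobj", "?")))
        elif f.get("cfgpath", "").startswith("vpn.ssl") and f.get("action") in ("Add", "Edit"):
            findings.append((ts, "sslvpn_config_changed", user, f["cfgpath"]))
    return findings


def audit_interface_config(config_text):
    """Map WAN-role interfaces to the admin services they expose (should be empty)."""
    exposed, name, role, allow = {}, None, None, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith('edit "'):
            name, role, allow = line.split('"')[1], None, set()
        elif line.startswith("set role "):
            role = line.split()[2]
        elif line.startswith("set allowaccess"):
            allow = set(line.split()[2:])
        elif line == "next" and name:
            if role == "wan" and allow & ADMIN_SERVICES:
                exposed[name] = sorted(allow & ADMIN_SERVICES)
            name = None
    return exposed


if __name__ == "__main__":
    for finding in detect_campaign_indicators(SAMPLE_LOGS):
        print(*finding)
    print("exposed admin services:", audit_interface_config(SAMPLE_CONFIG))
```

The fix the audit points at is the one the article recommends: remove https and ssh from the WAN interface's allowaccess list so that only ping (or nothing) remains, and additionally restrict each administrator with trusthost entries so logins are only accepted from known management networks. The account-creation indicator is the one to alert on even when the source address looks local, since a compromised device can record logins from spoofed or loopback addresses.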
Treasury hackers also breached US foreign investments review office
Summary: Silk Typhoon, a Chinese state-backed hacking group, has breached multiple offices within the U.S. Treasury Department, targeting systems that review foreign investments and administer sanctions. The attackers aimed to gather intelligence on potential sanctions against Chinese entities by exploiting a stolen API key.

Threat Actor: Silk Typhoon. Victim: U.S.…

Read More
Unmasking Play Ransomware: Tactics, Techniques, and Mitigation Strategies
Summary: Play ransomware, linked to the North Korean Andariel group, employs sophisticated techniques during the lateral movement phase of attacks, exploiting vulnerabilities and abusing legitimate tools to move through networks. Organizations are urged to strengthen their security measures against these evolving threats.

Threat Actor: Andariel Group. Victim: Various organizations

Key Point:

Play ransomware encrypts files and follows a double extortion model, stealing data before encryption.…
Read More
AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
Summary: Cybersecurity researchers have identified a new AI-assisted ransomware group called FunkSec, which has targeted over 85 victims since its emergence in late 2024. The group employs double extortion tactics and operates under a ransomware-as-a-service model, with connections to hacktivist activities.

Threat Actor: FunkSec. Victim: Various organizations

Key Point:

FunkSec uses double extortion tactics, combining data theft with encryption to pressure victims.…
Read More
US Treasury hack linked to Silk Typhoon Chinese state hackers
Summary: Chinese state-backed hackers, known as Silk Typhoon, have been linked to a significant cybersecurity breach involving the U.S. Office of Foreign Assets Control (OFAC). The attackers compromised a BeyondTrust instance, potentially aiming to gather intelligence on U.S. sanctions against Chinese entities.

Threat Actor: Silk Typhoon. Victim: U.S.…

Read More
The Feed 2025-01-09
This article explores various cyber threats, including voice phishing by the “Crypto Chameleon” group, exploitation of vulnerabilities in Kerio Control and Ivanti Connect Secure VPN, and North Korean hackers targeting cryptocurrency wallets through fake job interviews. The rise of ransomware among state-sponsored APT groups is also highlighted, indicating a troubling trend in modern cyber threats.…
Read More
Multiple vulnerabilities in Ivanti products could lead to remote code execution. The most critical vulnerability affects Ivanti Connect Secure, with active exploitation reported. Affected: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways

Key points:

Multiple vulnerabilities were discovered in Ivanti products; the most severe allows remote code execution.…
Read More
Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
Summary: Ivanti has reported a critical security vulnerability (CVE-2025-0282) affecting its products, which is currently being actively exploited, allowing unauthenticated remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching.

Threat Actor: UNC5337. Victim: Ivanti

Key Point:

CVE-2025-0282 is a stack-based buffer overflow with a CVSS score of 9.0, affecting multiple Ivanti products.…
Read More
This article explores the evolving landscape of offensive security in 2025, highlighting the integration of AI, advanced persistent threat simulations, cloud security challenges, and the importance of reconnaissance. It emphasizes the need for continuous learning and adaptation among security professionals. Affected: AI tools, penetration testing frameworks, cloud security environments, bug bounty platforms.…
Read More
Summary: Advanced threat actors are exploiting CVE-2025-0282, a newly disclosed zero-day vulnerability in Ivanti Connect Secure (ICS) VPN appliances that allows unauthenticated remote code execution. Together with CVE-2025-0283, disclosed at the same time, it poses a significant risk to network security; active exploitation of CVE-2025-0282 has been reported since mid-December 2024.

Threat Actor: UNC5337. Victim: Ivanti Connect Secure users

Key Point:

Exploitation of CVE-2025-0282 allows unauthenticated remote code execution, compromising entire networks.…
Read More