{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exploitation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2025-55182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["business-email-compromise","bec","ai","social-engineering","credential-harvesting","exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBusiness Email Compromise (BEC) attacks have historically targeted large organizations with significant payouts justifying the required time investment. However, recent trends indicate a democratization of BEC, with smaller organizations becoming increasingly targeted. This shift is largely driven by the adoption of AI, enabling attackers to rapidly reconnoiter and tailor content for smaller organizations at scale. Attackers are now targeting smaller community associations, charities, and businesses, recognizing that scamming smaller sums from many victims can be as profitable as scamming large sums from a few. These organizations are often less aware of the threat and thus more vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Attackers use AI-powered tools to gather information about target organizations and key personnel (e.g., community associations, small businesses).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonation:\u003c/strong\u003e Attackers craft emails impersonating trusted individuals within the organization (e.g., the chair of the association).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Initiation:\u003c/strong\u003e The attacker sends an email requesting a fund transfer to an account they control, relying on social engineering to trick someone with payment authority.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion:\u003c/strong\u003e The initial email is often sent from a plausible email address or a compromised genuine account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise\u003c/strong\u003e: Exploit React2Shell vulnerability (CVE-2025-55182) in Next.js applications to gain access to sensitive data, including cloud tokens, database credentials, and SSH keys, which are used for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: Sensitive data, including cloud tokens, database credentials, and SSH keys, is exfiltrated using custom framework called \u0026ldquo;NEXUS Listener\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Gain:\u003c/strong\u003e The attacker successfully initiates the fund transfer and receives the money.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe democratization of BEC attacks expands the threat landscape to include vulnerable small organizations. While the individual sums may be smaller, the cumulative impact of successful attacks can be significant. If successful, organizations suffer financial losses, potential data breaches through stolen credentials (related to CVE-2025-55182), and reputational damage. The European Commission investigated a breach after an Amazon cloud account hack, highlighting the potential for data leaks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate employees, especially those with payment authority, about the signs of BEC scams, emphasizing unexpected requests for payment and the importance of verifying requests through separate channels (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict procurement rules that prevent any last-minute urgent payments (reference: Overview section).\u003c/li\u003e\n\u003cli\u003ePatch Next.js applications against React2Shell vulnerability (CVE-2025-55182) immediately and rotate potentially compromised credentials including API keys and SSH keys (reference: \u0026ldquo;The one big thing\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious process creation activity (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of the malware files identified in the report using the provided SHA256 hashes (reference: IOCs section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-democratized-bec/","summary":"Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.","title":"Democratization of Business Email Compromise (BEC) Attacks","url":"https://feed.craftedsignal.io/briefs/2026-04-democratized-bec/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2021-45046"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jndi","java","log4shell","rce","exploitation"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies potential exploitation attempts targeting Java Naming and Directory Interface (JNDI) vulnerabilities. These vulnerabilities, exemplified by CVE-2021-45046, allow attackers to perform remote code execution by injecting malicious payloads through directory services like LDAP. The rule focuses on detecting suspicious outbound network connections from Java processes to standard ports associated with LDAP (389, 1389), RMI (1099), and DNS (53, 5353), followed by the execution of suspicious child processes indicative of command execution such as shell interpreters (sh, bash, zsh) or scripting languages (python, perl). The rule aims to identify exploitation attempts similar to those seen with Log4Shell and related vulnerabilities, which have been actively exploited since late 2021. It covers Linux and macOS environments and provides a mechanism to detect ongoing exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA vulnerable Java application receives malicious input containing a JNDI lookup string.\u003c/li\u003e\n\u003cli\u003eThe Java application attempts to resolve the JNDI name, initiating an outbound network connection to an LDAP, RMI, or DNS server on ports 389, 1389, 1099, 53, or 5353.\u003c/li\u003e\n\u003cli\u003eThe malicious LDAP/RMI/DNS server, controlled by the attacker, responds with a payload referencing a malicious Java class or remote code.\u003c/li\u003e\n\u003cli\u003eThe Java application loads and executes the malicious code.\u003c/li\u003e\n\u003cli\u003eAs a result of the executed code, a shell interpreter (sh, bash, zsh, etc.) or scripting language (python, perl, ruby, php, wget) is spawned as a child process of the Java application.\u003c/li\u003e\n\u003cli\u003eThe spawned shell/script executes attacker-controlled commands for reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions such as data exfiltration or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of JNDI vulnerabilities can lead to remote code execution, allowing attackers to gain complete control over affected systems. This can result in data breaches, system compromise, and further propagation of attacks within the network. The impact can range from service disruption to complete system takeover. Public exploits for vulnerabilities such as Log4Shell have been widely available, leading to widespread scanning and exploitation attempts across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential JAVA/JNDI Exploitation Attempt\u0026rdquo; to your SIEM to detect suspicious Java processes initiating network connections to LDAP, RMI, or DNS ports followed by suspicious child processes.\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on Linux and macOS endpoints to provide the necessary data for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate Java applications that may trigger false positives due to legitimate network connections (see the \u0026ldquo;False positive analysis\u0026rdquo; section in the original rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of successful exploitation by restricting lateral movement.\u003c/li\u003e\n\u003cli\u003ePatch vulnerable Java applications and libraries, such as Log4j, to prevent exploitation of known vulnerabilities like CVE-2021-45046.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:24:53Z","date_published":"2026-04-01T14:24:53Z","id":"/briefs/2026-06-java-jndi-exploitation/","summary":"This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.","title":"Potential JAVA/JNDI Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2026-06-java-jndi-exploitation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco-sdwan","vulnerability","exploitation","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCISA and its partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems across various organizations globally. The attackers are leveraging CVE-2026-20127, an authentication bypass vulnerability, for initial access. Following successful exploitation of CVE-2026-20127, the attackers escalate privileges and establish long-term persistence within the compromised SD-WAN systems using CVE-2022-20775. In response to this active exploitation, CISA issued Emergency…\u003c/p\u003e\n","date_modified":"2026-02-25T12:00:00Z","date_published":"2026-02-25T12:00:00Z","id":"/briefs/2026-02-cisco-sdwan-vulns/","summary":"Malicious actors are actively exploiting CVE-2026-20127 for initial access and CVE-2022-20775 for privilege escalation and persistence on Cisco SD-WAN systems globally.","title":"Ongoing Exploitation of Cisco SD-WAN Systems","url":"https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Exploitation","version":"https://jsonfeed.org/version/1.1"}