{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-intrusion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["network-intrusion","vulnerability-exploitation","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn 2026-03-14, network intrusion detection systems (IDS) identified multiple suspicious activities originating from various IP addresses. These activities included attempts to access PHP information pages, exploit the Fortigate VPN vulnerability CVE-2023-27997, request hidden environment files, probe for SFTP/FTP password exposure, request Visual Studio Code sftp configuration files, and use a suspicious user agent string. While the specific actor remains unknown, the breadth of probes suggests a broad scanning approach, potentially preceding more targeted attacks. The activity is concerning due to the potential for information disclosure, unauthorized access, and credential compromise. Defenders should investigate the affected systems for signs of further compromise and implement appropriate mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Probing (Discovery):\u003c/strong\u003e The attacker scans the network, sending HTTP GET requests to common web server locations to identify potentially vulnerable systems. For example, the attacker probes for phpinfo pages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTargeted Vulnerability Scan:\u003c/strong\u003e After identifying potential targets, the attacker attempts to exploit specific vulnerabilities, such as CVE-2023-27997 on Fortigate VPN servers, by sending repeated GET requests to \u003ccode\u003e/remote/logincheck\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSensitive File Discovery:\u003c/strong\u003e The attacker probes for sensitive files by sending HTTP GET requests to discover hidden environment files (e.g., \u003ccode\u003e.env\u003c/code\u003e) using various techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSFTP/FTP Credential Exposure:\u003c/strong\u003e The attacker attempts to discover SFTP/FTP password exposure by scanning for \u003ccode\u003esftp-config.json\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Leakage Attempts:\u003c/strong\u003e The attacker sends HTTP GET requests specifically targeting the \u003ccode\u003esftp.json\u003c/code\u003e file used by Visual Studio Code, potentially revealing sensitive configuration information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Agent Obfuscation:\u003c/strong\u003e The attacker uses a suspicious User-Agent string \u003ccode\u003e_TEST_\u003c/code\u003e to potentially mask their activity or test for detection capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePossible Further Exploitation:\u003c/strong\u003e If any of the above steps are successful, the attacker might attempt to gain unauthorized access, escalate privileges, or exfiltrate sensitive data, depending on the specific vulnerability or information obtained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed activity poses a significant risk. Successful exploitation of CVE-2023-27997 could allow unauthorized VPN access. 
Exposure of environment files could reveal sensitive credentials and configuration details, potentially leading to account takeovers and data breaches. Discovery of SFTP/FTP credentials stored in \u003ccode\u003esftp-config.json\u003c/code\u003e would enable unauthorized file access and modification. The overall impact could range from data leakage to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the success of their initial probing attempts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fortigate CVE-2023-27997 Exploitation Attempts\u003c/code\u003e to identify and alert on exploitation attempts targeting this specific vulnerability (Sigma rule).\u003c/li\u003e\n\u003cli\u003eBlock the IP addresses listed in the IOC table at the network perimeter to prevent further reconnaissance and exploitation attempts (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Requests to Hidden Environment Files\u003c/code\u003e to identify attempts to access sensitive configuration files (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious User-Agent strings, particularly those containing \u0026ldquo;\u003ccode\u003e_TEST_\u003c/code\u003e\u0026rdquo; to detect potentially malicious activity (IOC table).\u003c/li\u003e\n\u003cli\u003eInvestigate any systems that have received requests for \u003ccode\u003ephpinfo\u003c/code\u003e pages, \u003ccode\u003esftp-config.json\u003c/code\u003e, or hidden environment files for signs of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-14T23:06:48Z","date_published":"2026-03-14T23:06:48Z","id":"/briefs/2026-03-network-intrusion-attempts/","summary":"Multiple network-based intrusion attempts were detected on 2026-03-14, targeting PHP information exposure, Fortigate VPN exploitation, sensitive file access, and credential exposure.","title":"Multiple Network Intrusion Attempts Detected","url":"https://feed.craftedsignal.io/briefs/2026-03-network-intrusion-attempts/"}],"language":"en","title":"CraftedSignal Threat Feed — Network-Intrusion","version":"https://jsonfeed.org/version/1.1"}