{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vulnerability-exploitation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["state-sponsored","apt","persistence","vulnerability-exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIn 2025, state-sponsored threat actors from China, Russia, North Korea, and Iran exhibited distinct motivations, ranging from espionage and disruption to financial gain and geopolitical influence. Despite these varying objectives, these actors employed similar tactics, techniques, and procedures (TTPs), particularly regarding initial access and persistence. A common thread was the exploitation of both newly disclosed (e.g., ToolShell by China) and long-standing vulnerabilities in networking devices and widely used software. Identity-based attacks, including social engineering and the use of stolen credentials, were also prominent. North Korea notably stole $1.5 billion in cryptocurrency and generated billions through fraudulent IT work using AI-generated profiles. Iranian actors combined disruptive hacktivism with advanced persistent threat (APT) activity, such as the ShroudedSnooper group targeting telecommunications for long-term access. 
The focus across these actors was on establishing a persistent presence within compromised networks, often remaining undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation (Initial Access):\u003c/strong\u003e Actors exploit vulnerabilities in networking devices and widely used software, leveraging both newly disclosed and unpatched flaws.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering (Initial Access):\u003c/strong\u003e North Korean actors use fake recruiter personas via campaigns like Contagious Interview to trick targets into executing code or handing over credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting (Privilege Escalation/Persistence):\u003c/strong\u003e After initial access, actors harvest credentials to gain further access within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Deployment (Persistence):\u003c/strong\u003e Chinese actors deploy web shells for persistent access to compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustom Backdoor Installation (Persistence):\u003c/strong\u003e Backdoors, including compact custom backdoors like those used by ShroudedSnooper, are deployed to maintain long-term access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTunneling (Command \u0026amp; Control):\u003c/strong\u003e Actors use tunneling tools to maintain covert communication channels with compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Exfiltration):\u003c/strong\u003e Actors exfiltrate sensitive data, including espionage-related information or financial data such as cryptocurrency.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisruption/Espionage (Impact):\u003c/strong\u003e Depending on the actor and objective, the final stage involves disruptive activities like DDoS attacks or long-term 
espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed state-sponsored activity resulted in significant financial losses, espionage, and disruptive attacks. North Korean actors stole $1.5 billion in cryptocurrency and generated billions in revenue through fraudulent IT work, impacting financial institutions and various Fortune 500 companies. Iranian hacktivist operations caused disruption through DDoS attacks and defacements. Espionage campaigns targeted sectors such as telecommunications, potentially compromising sensitive communications and intellectual property. The persistent nature of these attacks allows for long-term monitoring and potential future exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching of both newly disclosed and long-standing vulnerabilities in networking devices and software to mitigate initial access (Reference: Overview, Attack Chain Step 1).\u003c/li\u003e\n\u003cli\u003eImplement robust identity and access management controls, including multi-factor authentication and monitoring for suspicious login activity, to counter social engineering and credential-based attacks (Reference: Attack Chain Step 2 \u0026amp; 3).\u003c/li\u003e\n\u003cli\u003eIncrease visibility into network and edge infrastructure by enabling comprehensive logging and monitoring to detect unauthorized access and persistence mechanisms (Reference: Attack Chain Steps 4, 5, \u0026amp; 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect suspicious web shell activity and backdoor installations (Reference: Rules).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns and connections indicative of tunneling or data exfiltration (Reference: Attack Chain Steps 6 \u0026amp; 
7).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T13:51:01Z","date_published":"2026-04-14T13:51:01Z","id":"/briefs/2026-04-state-sponsored-access/","summary":"In 2025, state-sponsored actors from China, Russia, North Korea, and Iran leveraged vulnerabilities and identity compromise for initial access, focusing on persistence for long-term espionage or disruption.","title":"State-Sponsored Actors Leveraging Vulnerabilities and Identity for Persistent Access (2025)","url":"https://feed.craftedsignal.io/briefs/2026-04-state-sponsored-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["network-intrusion","vulnerability-exploitation","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn 2026-03-14, network intrusion detection systems (IDS) identified multiple suspicious activities originating from various IP addresses. These activities included attempts to access PHP information pages, exploit the Fortigate VPN vulnerability CVE-2023-27997, request hidden environment files, probe for SFTP/FTP password exposure, request Visual Studio Code sftp configuration files, and use a suspicious user agent string. While the specific actor remains unknown, the breadth of probes suggests a broad scanning approach, potentially preceding more targeted attacks. The activity is concerning due to the potential for information disclosure, unauthorized access, and credential compromise. Defenders should investigate the affected systems for signs of further compromise and implement appropriate mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Probing (Discovery):\u003c/strong\u003e The attacker scans the network, sending HTTP GET requests to common web server locations to identify potentially vulnerable systems. 
For example, the attacker probes for phpinfo pages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTargeted Vulnerability Scan:\u003c/strong\u003e After identifying potential targets, the attacker attempts to exploit specific vulnerabilities, such as CVE-2023-27997 on Fortigate VPN servers, by sending repeated GET requests to \u003ccode\u003e/remote/logincheck\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSensitive File Discovery:\u003c/strong\u003e The attacker probes for sensitive files by sending HTTP GET requests to discover hidden environment files (e.g., \u003ccode\u003e.env\u003c/code\u003e) using various techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSFTP/FTP Credential Exposure:\u003c/strong\u003e The attacker attempts to discover SFTP/FTP password exposure by scanning for \u003ccode\u003esftp-config.json\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Leakage Attempts:\u003c/strong\u003e The attacker sends HTTP GET requests specifically targeting the \u003ccode\u003esftp.json\u003c/code\u003e file used by Visual Studio Code, potentially revealing sensitive configuration information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Agent Obfuscation:\u003c/strong\u003e The attacker uses a suspicious User-Agent string \u003ccode\u003e_TEST_\u003c/code\u003e to potentially mask their activity or test for detection capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePossible Further Exploitation:\u003c/strong\u003e If any of the above steps are successful, the attacker might attempt to gain unauthorized access, escalate privileges, or exfiltrate sensitive data, depending on the specific vulnerability or information obtained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed activity poses a significant risk. Successful exploitation of CVE-2023-27997 could allow unauthorized VPN access. 
Exposure of environment files could reveal sensitive credentials and configuration details, potentially leading to account takeovers and data breaches. Discovery of SFTP/FTP credentials stored in \u003ccode\u003esftp-config.json\u003c/code\u003e would enable unauthorized file access and modification. The overall impact could range from data leakage to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the success of their initial probing attempts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Fortigate CVE-2023-27997 Exploitation Attempts\u003c/code\u003e to identify and alert on exploitation attempts targeting this specific vulnerability (Sigma rule).\u003c/li\u003e\n\u003cli\u003eBlock the IP addresses listed in the IOC table at the network perimeter to prevent further reconnaissance and exploitation attempts (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Requests to Hidden Environment Files\u003c/code\u003e to identify attempts to access sensitive configuration files (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web and proxy logs for suspicious User-Agent strings, in particular the \u003ccode\u003e_TEST_\u003c/code\u003e value observed in this activity, to detect potentially malicious requests (IOC table).\u003c/li\u003e\n\u003cli\u003eInvestigate any systems that have received requests for \u003ccode\u003ephpinfo\u003c/code\u003e pages, \u003ccode\u003esftp-config.json\u003c/code\u003e, or hidden environment files for signs of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-14T23:06:48Z","date_published":"2026-03-14T23:06:48Z","id":"/briefs/2026-03-network-intrusion-attempts/","summary":"Multiple network-based intrusion attempts were detected on 2026-03-14, targeting PHP information exposure, Fortigate VPN exploitation, sensitive file access, and credential 
exposure.","title":"Multiple Network Intrusion Attempts Detected","url":"https://feed.craftedsignal.io/briefs/2026-03-network-intrusion-attempts/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["network-scanning","vulnerability-exploitation","fortigate","coldfusion","cve-2023-27997"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 13, 2026, KRVTZ-NET IDS systems generated a series of alerts indicative of network scanning and attempted exploitation. The alerts highlight suspicious activity originating from a range of IP addresses, suggesting a widespread campaign rather than a targeted attack from a single actor. Specific alerts include repeated GET requests to \u003ccode\u003e/remote/logincheck\u003c/code\u003e, potentially targeting the Fortigate VPN vulnerability CVE-2023-27997, as well as requests for hidden environment files and attempts…\u003c/p\u003e\n","date_modified":"2026-03-13T20:52:20Z","date_published":"2026-03-13T20:52:20Z","id":"/briefs/2026-03-krvtz-net-ids-alerts/","summary":"Multiple IDS alerts indicate potential network reconnaissance, vulnerability exploitation attempts targeting Fortigate VPN (CVE-2023-27997), and ColdFusion servers originating from various IP addresses on March 13, 2026.","title":"KRVTZ-NET IDS Alerts Analysis: Network Scanning and Exploitation Attempts","url":"https://feed.craftedsignal.io/briefs/2026-03-krvtz-net-ids-alerts/"}],"language":"en","title":"CraftedSignal Threat Feed — Vulnerability-Exploitation","version":"https://jsonfeed.org/version/1.1"}
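The "Multiple Network Intrusion Attempts Detected" brief above lists the probes by request path and User-Agent (phpinfo pages, `/remote/logincheck`, `.env` variants, `sftp-config.json`, the Visual Studio Code `sftp.json`, and the `_TEST_` agent). The following script is an added example of turning that list into detection logic run over web-server access logs; it is not CraftedSignal's Sigma rules and not code from the feed. The log lines are constructed for the example (RFC 5737 documentation addresses), the `.vscode/sftp.json` location is an assumption about where the VS Code SFTP extension keeps its config (the brief only names `sftp.json`), and the per-IP threshold on `/remote/logincheck` hits is a design choice: legitimate VPN clients hit that path too, so a single request is not reported, only the repeated pattern the IDS flagged. Matching the path proves probing, not successful exploitation of CVE-2023-27997; confirming that needs inspection of the request body on the device itself.

```python
"""Added example: flag the reconnaissance probes from the brief in
Combined Log Format access logs. Not the feed's Sigma rules. All log
lines are constructed; addresses are RFC 5737 documentation ranges."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature name -> predicate over (normalised path, raw User-Agent).
# Paths are percent-decoded and lower-cased first so /%2Eenv matches /.env.
SIGNATURES = {
    "phpinfo": lambda p, ua: "phpinfo" in p.rsplit("/", 1)[-1],
    "fortigate_logincheck": lambda p, ua: p.startswith("/remote/logincheck"),
    "dotenv": lambda p, ua: p.rsplit("/", 1)[-1].startswith(".env"),
    "sftp_config_json": lambda p, ua: p.endswith("/sftp-config.json"),
    # Assumption: VS Code SFTP extension config lives at .vscode/sftp.json.
    "vscode_sftp_json": lambda p, ua: p.endswith("/.vscode/sftp.json"),
    "suspicious_ua": lambda p, ua: "_TEST_" in ua,
}


def normalise_path(target):
    """Drop the query string, undo single/double percent-encoding,
    collapse repeated slashes and lower-case the path."""
    path = unquote(unquote(urlsplit(target).path))
    return re.sub(r"/+", "/", path).lower()


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_record(rec):
    """Signature names triggered by one parsed record, in SIGNATURES order."""
    path = normalise_path(rec["target"])
    return [name for name, hit in SIGNATURES.items() if hit(path, rec["ua"])]


def classify(line):
    """Signature names triggered by one raw log line ([] if it does not parse)."""
    rec = parse_line(line)
    return classify_record(rec) if rec else []


def findings(lines, repeat_threshold=2):
    """Per-source summary {ip: {signature: count}} for IPs with any hit.
    A lone /remote/logincheck request is dropped (normal VPN clients use it);
    repeats at or above repeat_threshold are kept, matching the IDS pattern."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in classify_record(rec):
            per_ip[rec["ip"]][name] += 1
    out = {}
    for ip, counts in per_ip.items():
        if 0 < counts["fortigate_logincheck"] < repeat_threshold:
            del counts["fortigate_logincheck"]
        if counts:
            out[ip] = dict(counts)
    return out


# Constructed sample log: three scanners, one lone logincheck, one benign client.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2026:10:02:11 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2026:10:02:12 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.42 - - [14/Mar/2026:10:05:40 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.42 - - [14/Mar/2026:10:05:41 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.77 - - [14/Mar/2026:10:06:02 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2026:10:07:03 +0000] "GET /sftp-config.json HTTP/1.1" 404 153 "-" "_TEST_"
198.51.100.9 - - [14/Mar/2026:10:07:04 +0000] "GET /.vscode/sftp.json HTTP/1.1" 404 153 "-" "_TEST_"
198.51.100.9 - - [14/Mar/2026:10:07:05 +0000] "GET /api/%2Eenv.bak?x=1 HTTP/1.1" 404 153 "-" "_TEST_"
192.0.2.10 - - [14/Mar/2026:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, counts in findings(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

Run against the constructed sample, the script reports the phpinfo and `.env` probes from 198.51.100.7, the repeated `/remote/logincheck` requests from 203.0.113.42, and the `sftp-config.json`, `.vscode/sftp.json`, encoded `.env.bak` and `_TEST_` hits from 198.51.100.9, while the single logincheck from 203.0.113.77 and the benign 192.0.2.10 request produce nothing. To use it on real logs, feed the file lines to `findings()` and cross-check reporting IPs against the IOC table in the full brief before blocking.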