https://feed.craftedsignal.io/tags/vulnerability-exploitation/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 14 Apr 2026 13:51:01 +0000https://feed.craftedsignal.io/briefs/2026-04-state-sponsored-access/Tue, 14 Apr 2026 13:51:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-state-sponsored-access/In 2025, state-sponsored actors from China, Russia, North Korea, and Iran leveraged vulnerabilities and identity compromise for initial access, focusing on persistence for long-term espionage or disruption.In 2025, state-sponsored threat actors from China, Russia, North Korea, and Iran exhibited distinct motivations, ranging from espionage and disruption to financial gain and geopolitical influence. Despite these varying objectives, these actors employed similar tactics, techniques, and procedures (TTPs), particularly regarding initial access and persistence. A common thread was the exploitation of both newly disclosed (e.g., ToolShell by China) and long-standing vulnerabilities in networking devices and widely used software. Identity-based attacks, including social engineering and the use of stolen credentials, were also prominent. North Korea notably stole $1.5 billion in cryptocurrency and generated billions through fraudulent IT work using AI-generated profiles. Iranian actors combined disruptive hacktivism with advanced persistent threat (APT) activity, such as the ShroudedSnooper group targeting telecommunications for long-term access. The focus across these actors was on establishing a persistent presence within compromised networks, often remaining undetected for extended periods.

Attack Chain

1. Vulnerability Exploitation (Initial Access): Actors exploit vulnerabilities in networking devices and widely used software, leveraging both newly disclosed and unpatched flaws.
2. Social Engineering (Initial Access): North Korean actors use fake recruiter personas via campaigns like Contagious Interview to trick targets into executing code or handing over credentials.
3. Credential Harvesting (Privilege Escalation/Persistence): After initial access, actors harvest credentials to gain further access within the network.
4. Web Shell Deployment (Persistence): Chinese actors deploy web shells for persistent access to compromised systems.
5. Custom Backdoor Installation (Persistence): Backdoors, including compact custom backdoors like those used by ShroudedSnooper, are deployed to maintain long-term access.
6. Tunneling (Command & Control): Actors use tunneling tools to maintain covert communication channels with compromised systems.
7. Data Exfiltration (Exfiltration): Actors exfiltrate sensitive data, including espionage-related information or financial data such as cryptocurrency.
8. Disruption/Espionage (Impact): Depending on the actor and objective, the final stage involves disruptive activities like DDoS attacks or long-term espionage.

Impact

The observed state-sponsored activity resulted in significant financial losses, espionage, and disruptive attacks. North Korean actors stole $1.5 billion in cryptocurrency and generated billions in revenue through fraudulent IT work, impacting financial institutions and various Fortune 500 companies. Iranian hacktivist operations caused disruption through DDoS attacks and defacements. Espionage campaigns targeted sectors such as telecommunications, potentially compromising sensitive communications and intellectual property. The persistent nature of these attacks allows for long-term monitoring and potential future exploitation.

Recommendation

• Prioritize patching of both newly disclosed and long-standing vulnerabilities in networking devices and software to mitigate initial access (Reference: Overview, Attack Chain Step 1).
• Implement robust identity and access management controls, including multi-factor authentication and monitoring for suspicious login activity, to counter social engineering and credential-based attacks (Reference: Attack Chain Step 2 & 3).
• Increase visibility into network and edge infrastructure by enabling comprehensive logging and monitoring to detect unauthorized access and persistence mechanisms (Reference: Attack Chain Steps 4, 5, & 6).
• Deploy the Sigma rules below to detect suspicious web shell activity and backdoor installations (Reference: Rules).
• Monitor network traffic for unusual patterns and connections indicative of tunneling or data exfiltration (Reference: Attack Chain Steps 6 & 7).

]]>highadvisorystate-sponsoredaptpersistencevulnerability-exploitationhttps://feed.craftedsignal.io/briefs/2026-03-network-intrusion-attempts/Sat, 14 Mar 2026 23:06:48 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-network-intrusion-attempts/Multiple network-based intrusion attempts were detected on 2026-03-14, targeting PHP information exposure, Fortigate VPN exploitation, sensitive file access, and credential exposure.On 2026-03-14, network intrusion detection systems (IDS) identified multiple suspicious activities originating from various IP addresses. These activities included attempts to access PHP information pages, exploit the Fortigate VPN vulnerability CVE-2023-27997, request hidden environment files, probe for SFTP/FTP password exposure, request Visual Studio Code sftp configuration files, and use a suspicious user agent string. While the specific actor remains unknown, the breadth of probes suggests a broad scanning approach, potentially preceding more targeted attacks. The activity is concerning due to the potential for information disclosure, unauthorized access, and credential compromise. Defenders should investigate the affected systems for signs of further compromise and implement appropriate mitigations.

Attack Chain

1. Initial Probing (Discovery): The attacker scans the network, sending HTTP GET requests to common web server locations to identify potentially vulnerable systems. For example, the attacker probes for phpinfo pages.
2. Targeted Vulnerability Scan: After identifying potential targets, the attacker attempts to exploit specific vulnerabilities, such as CVE-2023-27997 on Fortigate VPN servers, by sending repeated GET requests to /remote/logincheck.
3. Sensitive File Discovery: The attacker probes for sensitive files by sending HTTP GET requests to discover hidden environment files (e.g., .env) using various techniques.
4. SFTP/FTP Credential Exposure: The attacker attempts to discover SFTP/FTP password exposure by scanning for sftp-config.json files.
5. Information Leakage Attempts: The attacker sends HTTP GET requests specifically targeting the sftp.json file used by Visual Studio Code, potentially revealing sensitive configuration information.
6. User Agent Obfuscation: The attacker uses a suspicious User-Agent string _TEST_ to potentially mask their activity or test for detection capabilities.
7. Possible Further Exploitation: If any of the above steps are successful, the attacker might attempt to gain unauthorized access, escalate privileges, or exfiltrate sensitive data, depending on the specific vulnerability or information obtained.

Impact

The observed activity poses a significant risk. Successful exploitation of CVE-2023-27997 could allow unauthorized VPN access. Exposure of environment files could reveal sensitive credentials and configuration details, potentially leading to account takeovers and data breaches. Discovery of SFTP/FTP credentials stored in sftp-config.json would enable unauthorized file access and modification. The overall impact could range from data leakage to complete system compromise, depending on the attacker’s objectives and the success of their initial probing attempts.

Recommendation

• Deploy the Sigma rule Detect Fortigate CVE-2023-27997 Exploitation Attempts to identify and alert on exploitation attempts targeting this specific vulnerability (Sigma rule).
• Block the IP addresses listed in the IOC table at the network perimeter to prevent further reconnaissance and exploitation attempts (IOC table).
• Deploy the Sigma rule Detect Requests to Hidden Environment Files to identify attempts to access sensitive configuration files (Sigma rule).
• Monitor network traffic for suspicious User-Agent strings, particularly those containing “TEST” to detect potentially malicious activity (IOC table).
• Investigate any systems that have received requests for phpinfo pages, sftp-config.json, or hidden environment files for signs of compromise.

]]>highadvisorynetwork-intrusionvulnerability-exploitationinformation-disclosurehttps://feed.craftedsignal.io/briefs/2026-03-krvtz-net-ids-alerts/Fri, 13 Mar 2026 20:52:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-krvtz-net-ids-alerts/Multiple IDS alerts indicate potential network reconnaissance, vulnerability exploitation attempts targeting Fortigate VPN (CVE-2023-27997), and ColdFusion servers originating from various IP addresses on March 13, 2026.<p>On March 13, 2026, KRVTZ-NET IDS systems generated a series of alerts indicative of network scanning and attempted exploitation. The alerts highlight suspicious activity originating from a range of IP addresses, suggesting a widespread campaign rather than a targeted attack from a single actor. Specific alerts include repeated GET requests to <code>/remote/logincheck</code>, potentially targeting the Fortigate VPN vulnerability CVE-2023-27997, as well as requests for hidden environment files and attempts…</p> mediumadvisorynetwork-scanningvulnerability-exploitationfortigatecoldfusioncve-2023-27997