Volexity

Volexity is a security firm that assists organizations with incident response, digital forensics, tr

12/04/2024

Our latest blog post details Volexity's identification of, and incident response to, the Palo Alto Networks GlobalProtect vulnerability, assigned CVE-2024-3400, which the team found being exploited in the wild.

Read more here: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400

13/02/2024

This latest blog post from Volexity's Threat Intelligence team shares observations of attacks by Iranian-origin CharmingCypress (aka APT42, CharmingKitten, TA453): https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence

CharmingCypress is an innovator when it comes to persistently pursuing targets via dynamic techniques. This post also describes the variety of used by the group, and how Volexity analysts were able to quickly triage a memory sample from an infected device using Volexity Volcano.

01/02/2024

In this blog post, Volexity breaks down how memory forensics played a key role in its discovery of two zero-day vulnerabilities being chained together to achieve unauthenticated remote code execution in Ivanti Connect Secure VPN devices. More details here: https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities

18/01/2024

In this latest blog post, Volexity shares new observations on continued widespread exploitation of Ivanti Connect Secure VPN vulnerabilities (CVE-2024-21887 and CVE-2023-46805). There are now more than 2,100 compromised devices, and UTA0178 has been observed modifying the built-in Integrity Checker Tool to evade detection. More details here: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations

15/01/2024

Volexity provides an update on its Ivanti Connect Secure VPN report concerning chained exploitation of CVE-2024-21887/CVE-2023-46805. Based on new data, 1700+ devices have been compromised following widespread exploitation. More details here: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

10/01/2024

Volexity recently detected an incident in which a threat actor chained two vulnerabilities in Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887, to achieve RCE, modifying components of the software to backdoor the device. Read more here: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn

22/09/2023

Volexity's team works with some of the most targeted groups in the world. Today, at the LABScon conference, we are sharing details of a long-running campaign by EvilBamboo. We have also just published details on our blog: https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/.

Our analysis has uncovered evidence of the attacker building online communities on various social media & messaging platforms, creating fake personas on social media sites, and using other techniques in order to distribute malware, including . Additionally, there is strong evidence of device targeting and likely exploitation using IRONSQUIRREL.

28/06/2023

The Volexity Threat Intelligence team has analyzed the rarely observed malware family POWERSTAR (aka "CharmPower") used by the threat actor Charming Kitten. Volexity frequently observes attempted spear phishing from Charming Kitten against its own customers, which typically focuses on credential theft rather than malware deployment. This latest blog post details the PowerShell-based POWERSTAR, its tricks to avoid analysis after the fact, and its use of Web3.0's IPFS: https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/

30/03/2023

The Volexity team takes a look at the 3CX supply chain compromise: the malware delivered, the infrastructure used, and the initial setup of the attack. Here's what we know so far: https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/

07/03/2023

Have you ever looked at a forensic image and wondered if the EDR solution has been tampered with? In this latest blog post, Volexity walks through a real-world example of how the malware family, first documented by Trend Micro, tampers with EDR solutions, and how memory analysis can generically identify when malware families tamper with callback tables using the same method. Read more here: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/

01/12/2022

Volexity details novel tradecraft employed by to deploy malware using Microsoft Office documents, cryptocurrency applications, and chained DLL side-loading. More details here: https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/