Vulnerabilities
Fast publish: If the past gives us any indication for the future, if you are running MoveIT you want to be aware of:
Read more “I like to MoveIT MoveIT”
Threat Intel
Mass iternet exploitation events are never fun, this week we have CVE-2026-41940 being exploited! Luckily we have the awesome and cool honeypots at Defused to help us investigate threat actor activity! So let’s take a look! (there’s a good writeup here from Watchtowr.
We have used ‘AI’ (Claude) to create a timeline based on packets from Defused honeypots:
I exported the logs from the Defused honeypot TI feed focused on a single IP then imported that include a chat with Claude:
Here’s the breakdown of what the data shows:
Attack summary — CVE-2026-41940 against a cPanel honeypot
The attacker at 80.87.206.131 ran a structured, two-wave exploitation chain over approximately 22 minutes. The CVE pattern maps to a known cPanel authentication bypass class: forge a session via the preauth endpoint, propagate it through a cache gadget, then leverage the resulting authenticated context to make privileged JSON-API calls.
Wave 1 (06:36–06:37) was a minimal two-step probe — session mint followed immediately by a single cache propagation attempt. This is consistent with tooling running an initial reachability check before committing to full exploitation.
Wave 2 (06:57–06:58) is the main effort. The attacker repeated the session mint, fired the cache gadget twice (likely confirming propagation), and within 9 seconds of the second gadget request had transitioned to authenticated API calls — specifically authorizesshkey (SSH key injection) and listaccts (account enumeration). The two events timestamped 06:58:28suggest either a scripted burst or the tooling executing the auth’d phase in parallel.
Key indicators for hunting:
POST /login/?login_only=1 as the session mint vectorGET /scripts2/listaccts as the cache gadget trigger/json-api/ endpoints within seconds of gadget confirmationWorth checking whether 80.87.206.131 appears in any other decoy logs — the structured cadence strongly suggests an automated exploit kit rather than manual operation.
We can see here, the exploit here is very simple, POST then a GET followed by API access!
Not only do we now have data to write detections from, we can also look at creating a PoC for penetration testing and vulnerability assessment purposes! A double win! This really goes to show how valuable honeypots can be from a broad TI perspective as well as supporting defence and offence!
A double edged sword (or pot?), like so many things in life!
Each scenario is different so I’ll not try and tell everyone exactly what they should do here, the key point of this blog is to highlight the vulnerability, the threat/risk so people can take the appropriate steps.
Also, you probably want to check out the honeypots at Defused! They are awesome!
[update] just found this in the packets: H2ckt3ch@g0dl1k3 (cm9vdDpIMmNrdDNjaEBnMGRsMWsz is the BASE64). I won’t publish all the packets right now (because that probably won’t help this early on) but this string was interesting…
News
Firewalls are often both a defended gate but also the front door to access corporate network. That is all lovely until it’s not! You see so many corporate network intrusion incidents occur from threat actors simply logging into the VPN (due to lack of VPN), and then we have the software vulnerabilities where they shell their way in, but did you think that another way could be from stealing all the backups from a ‘security’ provider? Well now you might! There’s been bit of an incident (one that started as it’s only 5% of customers but actually it was 100% of customers who used the backup feature! YIKES), but before that let’s look at the typical landscape!
Read more “‘Secure’ Firewall backups, until they are not!”
Vulnerabilities
There appears to be a new RCE out for Fortinet devices as per this post (it’s against FortiNAC as far I am aware so this is probably a much smaller exposure footprint than all fortinet devices):
https://www.fortiguard.com/psirt/FG-IR-22-300
There’s also this in FortiWeb (and well they released 40 odd fixes to various bits)
https://www.fortiguard.com/psirt/FG-IR-21-186
When we consider security edge devices and the risks these may pose to organizations and society as a whole it’s important to understand that these are no trivial matter. These are “security” appliances that are there to protect your organizations, to provide remote access as well as protect network egress etc.
Fortinet are not the only vendor to suffer from these types of vulnerability (Remote Code Execution – RCE) however there do appear to have been quite a few of these when looking historically.
Read more “CVE-2022-39952 Fortinet Global Exposure”
Education
Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:
The challenge comes in trying to determine how to prioritise. Which ways could we go?
Where do we start?
Read more “Vulnerability Prioritisation”
Leadership
Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)
Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?
Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )
Read more “Vulnerability Management Concerns by Role Type”
Threat Intel
We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.
THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged
XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.
This is a fast publish
POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
https://github.com/jbaines-r7/through_the_wire
keep checking vendor guidance and keep checking this for updates… use at own risk etc.
Workaround/Hotfixes have been published by Atlassian:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://jira.atlassian.com/browse/CONFSERVER-79000
GreyNoise Tag is online: GreyNoise Trends
Also check this out for scanners: GreyNoise
Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!
IT MAY BE WISE TO ASSUME BREACH
The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar
Velocity discovers a zero-day in confluence 03/06/2022 (GMT)
Defense
| Rating | Critical |
| CVE | cve-2022-26809 |
| MITRE | CVE – CVE-2022-26809 (mitre.org) |
| CVSS | CVSS:3.1 9.8 |
| Impact | Remote Code Execution (RCE) |
| Exploit in the wild | Currently not observed |
| Difficulty to Exploit (if PoC available) | Very Low |
| Network Position | TCP/IP Routable or Network Adjacent |
| Authentication Required to Exploit | No |
| Affected | Windows Client/Server OS |
| Typical Service Ports | TCP 135,139,445 |
| Vendor Patch Available | Yes |
| Exploitable in Default OOB (out of the box) configuration | Unknown |
| Exploitable Client/Server | Believed to be client and server side exploitable |
Defense
There’s a new CVE in town but don’t think it’s the only problem you get when you expose administrative interfaces to the wild west of the internet (yeeha or something). Let’s go on a quick exploration of what the world looks like with the help of our friends at Shodan and then let’s see the ramblings of Dan when looking at how benign enumeration and exploration of services can work. Let’s get started looking at the world, a quick face analysis on Shodan with vmware as a product shows a hit or two, what we are going to focus on is vCenter but you know.. you might want to review your attack surfaces so any exposed services (damn people expose some risky stuff!) Read more “Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)”
Defense
This isn’t a rant, far from it but I’ve been working on this for over a week now and some major questions are sprining to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why did it take so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust! Read more “Thoughts on IOCs for Exchange Hafnium/ProxyLogon”