China Archives

Threat Intelligence

BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

November 15, 2024

Callum Roxan, Charlie Gardner, and Paul Rascagneres

[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions, as well […]

Threat Intelligence

StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

August 2, 2024

Ankur Saini, Paul Rascagneres, Steven Adair, and Tom Lancaster

In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). In those […]

Threat Intelligence

Ivanti Connect Secure VPN Exploitation: New Observations

January 18, 2024

Matthew Meltzer, Sean Koessel, and Steven Adair

On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors […]

Threat Intelligence

Ivanti Connect Secure VPN Exploitation Goes Global

January 15, 2024

Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, and Tom Lancaster

Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in […]

Threat Intelligence

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

January 10, 2024

Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Tom Lancaster

Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been […]

Threat Intelligence

EvilBamboo Targets Mobile Devices in Multi-year Campaign

September 22, 2023

Callum Roxan, Paul Rascagneres, and Tom Lancaster

Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. […]

Threat Intelligence

DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach

June 15, 2022

Steven Adair, Tom Lancaster, and Volexity Threat Research

Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or […]

Threat Intelligence

Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant

April 21, 2020

Andrew Case, Dave Lassalle, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster

In September 2019, Volexity published Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs, which described a series of attacks against Uyghurs from multiple Chinese APT actors. The most notable threat […]

Threat Intelligence

Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence

October 7, 2015

Volexity

In the world of information security, there is never a dull moment. Part of the fun of working in this space is that you always get to see attackers do […]

Threat Intelligence

APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)

July 8, 2015

Volexity

As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the […]