"…CVE-2022-42475 is a heap overflow vulnerability that leads to RCE in FortiOS/FortiProxy's SSL-VPN. Fortinet drew attention to exploitation in the wild on April 10th, and we'll have some more to say about it later in this article. Notably, May saw a significant drop in activity f…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1190 Exploit Public-Facing Application (97%)
"Delving into the SparkRAT remote access tool. The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry. Additional insights and contributions provided by the F5 Threat Campaigns tea…"
T1071.001 Web Protocols (95%)
"…systems for extortion”.[3] SparkRAT C2 scanning: In April, we detected hundreds of identical scanning attempts across the internet on both port 80 and 443. F5 Labs deduced that this was scanning for a particular version of a particular remote access trojan's command & control se…"
T1190 Exploit Public-Facing Application (90%)
"CVE-2019-9082, a ThinkPHP PHP injection vulnerability, continues to see exploitation. This flaw allows remote code execution and should be addressed by updating to the latest ThinkPHP version. As we've recommended before, if you're using PHP you can check for the vulnerab…"
T1071.001 Web Protocols (86%)
"…2855151] - “ET MALWARE Win32/SparkRAT CnC Checkin (GET)” [SID: 2046669].[10] The latter rule was credited to Sangfor[11] on 2024-06-23[12], who stated[13] that SparkRAT was being leveraged by Patchwork APT, thought to be associated with Operation Monsoon[14]. Notably, Spark…"
T1587.004 Exploits (66%)
"…2025. In April, CVE-2017-9841 led the activity with nearly 60,000 exploitation attempts (as shown in Table 1). The remaining CVEs saw an order of magnitude less activity and are almost exclusively RCEs with CVSS in the range 7 to 10. Notably, the AvertX CVE-2020-11625 i…"
T1027 Obfuscated Files or Information (60%)
"SparkRAT client embeds its configuration within its executable as obfuscated/encrypted JSON (384 bytes of 0x19[22] dynamically replaced by the server when generating client binaries[23]). - SparkRAT supports all the common RAT operations such as screenshotting, starting and ki…"
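The excerpt above gives a concrete fingerprint for the SparkRAT client: a 384-byte configuration region that is all 0x19 in the unbuilt template and is overwritten by the server at build time. The Python below is an added example written for this page, not code from the F5 Labs article or from the Spark project. It locates such a run in a binary, tells an exact 384-byte placeholder apart from longer runs of the same byte (padding, for instance), and carves the still-obfuscated configuration out of a built sample by reusing the offset found in its template. The sample bytes, the header/trailer layout, the JSON field names and the XOR stand-in that makes the demo region non-plaintext are all constructed here; the excerpt does not describe SparkRAT's real obfuscation, and in-place replacement at the same offset is an assumption.

```python
"""Find and carve the SparkRAT-style configuration placeholder in a client binary.

Added example for this page, not code from the F5 Labs article or the Spark
project. Facts taken from the excerpt: the client's configuration sits in the
executable as a 384-byte region that is all 0x19 in the template and is
replaced by the server when it generates a client. Everything else here
(layout, field names, the XOR stand-in, the function names) is constructed.
"""
import re
from typing import List, Optional, Tuple

PLACEHOLDER_BYTE = 0x19  # from the excerpt
PLACEHOLDER_LEN = 384    # from the excerpt


def find_placeholder_runs(blob: bytes, byte: int = PLACEHOLDER_BYTE,
                          min_len: int = PLACEHOLDER_LEN) -> List[Tuple[int, int]]:
    """Return (offset, length) for each maximal run of `byte` at least `min_len` long.

    The regex quantifier is greedy, so a 400-byte run comes back once as
    (offset, 400) rather than as a 384-byte hit plus leftovers; an exact
    placeholder is a hit whose length equals `min_len`.
    """
    pattern = re.compile(b"\\x%02x{%d,}" % (byte, min_len))
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(blob)]


def carve_config(built: bytes, template: bytes) -> Optional[bytes]:
    """Cut the (still obfuscated) configuration region out of a built client.

    Assumption, not stated in the excerpt: the server overwrites the placeholder
    in place, so a built client keeps the template's layout and the region sits
    at the same offset. Returns None if the two files differ in size, if the
    template does not contain exactly one exact-length placeholder, or if the
    "built" file still carries the placeholder (i.e. it was never configured).
    """
    if len(built) != len(template):
        return None
    exact = [(off, n) for off, n in find_placeholder_runs(template) if n == PLACEHOLDER_LEN]
    if len(exact) != 1:
        return None
    off, n = exact[0]
    region = built[off:off + n]
    if region == bytes([PLACEHOLDER_BYTE]) * n:
        return None
    return region


# --- constructed demo input -------------------------------------------------

SAMPLE_KEY = b"not-the-real-scheme"  # stand-in key for the demo only


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used only to make the demo's config region non-plaintext.
    This is NOT SparkRAT's obfuscation, which the excerpt does not describe."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_samples() -> Tuple[bytes, bytes]:
    """Return (template, built): a toy unconfigured client and its configured twin.

    The ELF-like header, the trailer and the JSON field names are invented. The
    trailer deliberately contains a short 0x19 run (8 bytes) that must not match.
    """
    header = b"\x7fELF" + b"\x00" * 60 + b".text" + bytes(range(256))
    trailer = b".rodata" + bytes([PLACEHOLDER_BYTE]) * 8 + b"\x00" * 32
    template = header + bytes([PLACEHOLDER_BYTE]) * PLACEHOLDER_LEN + trailer
    config = b'{"host":"203.0.113.7","port":8000,"path":"/ws","secure":false}'
    region = _xor(config.ljust(PLACEHOLDER_LEN, b"\x00"), SAMPLE_KEY)
    built = header + region + trailer
    return template, built


if __name__ == "__main__":
    template, built = build_samples()
    print("template placeholder runs:", find_placeholder_runs(template))  # [(325, 384)]
    print("built placeholder runs:   ", find_placeholder_runs(built))     # []
    carved = carve_config(built, template)
    print("carved config bytes:", len(carved), "looks like JSON:", carved.startswith(b"{"))
```

Against a real sample the template would be the unconfigured client pulled from the server's build directory and the built file a captured implant; the carved region would then still need the project's actual decoding step, which this example deliberately does not guess at.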
T1588.006 Vulnerabilities (58%)
"…475 show increased activity compared to previous months. Figure 2: Twelve-month bump plot of the top 5 CVEs. CVE-2017-9841 continues to dominate. The key long-term trend in May has been the decline of activity around TP-Link's CVE-2023-1389 (see the highlight…"
T1055.001 Dynamic-link Library Injection (48%)
"SparkRAT client embeds its configuration within its executable as obfuscated/encrypted JSON (384 bytes of 0x19[22] dynamically replaced by the server when generating client binaries[23]). - SparkRAT supports all the common RAT operations such as screenshotting, starting and ki…"
T1071.001 Web Protocols (44%)
"Digging deeper into the C2 scanning. Investigating, we discovered a few leads: - The SHA hash corresponded to a GitHub code commit[4] of the XZB-1248/Spark[5] repo tagged on 2023-02-01 as v0.2.1[6]. - The request path cropped up in an automated analysis of Linux malware[7] that f…"
T1071 Application Layer Protocol (38%)
"Digging deeper into the C2 scanning. Investigating, we discovered a few leads: - The SHA hash corresponded to a GitHub code commit[4] of the XZB-1248/Spark[5] repo tagged on 2023-02-01 as v0.2.1[6]. - The request path cropped up in an automated analysis of Linux malware[7] that f…"
T1588.006 Vulnerabilities (32%)
"…2025. In April, CVE-2017-9841 led the activity with nearly 60,000 exploitation attempts (as shown in Table 1). The remaining CVEs saw an order of magnitude less activity and are almost exclusively RCEs with CVSS in the range 7 to 10. Notably, the AvertX CVE-2020-11625 i…"
T1190 Exploit Public-Facing Application (31%)
"…memory corruption exploits, or a very robust PoC available in the wild. We suspect the latter to be the most significant factor. Our data does show very low levels of scanning beginning in April for URLs containing auth/url_admin/welcome.cgi. This URL is known to fingerpri…"