Charlie Gardner (@zcracga)'s Twitter Profile
Charlie Gardner

@zcracga

Senior threat intelligence analyst @volexity
charliegardner on Keybase

ID: 2650961059

16-07-2014 12:44:45

433 Tweet

502 Followers

478 Following

Kris McConkey (@smoothimpact)

In September 2022, attendees at the inaugural LABScon heard about an actor I described then as "one of the most prolific, most deeply connected, and most technically advanced actors around". Events this week were a reminder that the video never went out, so here it is 👇

Volexity (@volexity)

Following Volexity's initial discovery & reporting on recent Ivanti Connect Secure vulnerabilities, Cybersecurity and Infrastructure Security Agency released a joint advisory that warns #threatactors continue to exploit these vulnerabilities. More details + mitigations here: cisa.gov/news-events/cy… #dfir #threatintel

Charlie Gardner (@zcracga)

Great report on iSoon. One particularly striking line: "Local threat actors don’t appear to have any issues gathering intelligence; in fact, they’re so efficient at it that they cannot handle the volume." -> TAs likely care more about data processing than payload design nowadays

Charlie Gardner (@zcracga)

security.paloaltonetworks.com/CVE-2024-3400 We have observed targeted exploitation of a 0-day in Palo Alto Global Protect firewall devices. Expect a writeup in the near future.

Steven Adair (@stevenadair)

Our team at Volexity has identified a new 0day exploited in the wild. This time we caught a threat actor using an unauthenticated RCE in Palo Alto Networks GlobalProtect. It has been assigned CVE-2024-3400 and is covered in this Palo Alto Networks advisory security.paloaltonetworks.com/CVE-2024-3400

Volexity (@volexity)

Our latest blog post details Volexity's identification & incident response associated with the Palo Alto Networks GlobalProtect #0day vuln, assigned CVE-2024-3400, that the team found being exploited in the wild. Read more here: volexity.com/blog/2024/04/1… #DFIR #ThreatIntel

Charlie Gardner (@zcracga)

Details on 0day exploitation of CVE-2024-3400 by UTA0218. Post exploitation activity led to custom Python backdoor, UPSTYLE. Very impressive and speedy work by the team to get this out within a few days of initial observation. It's been a crazy week!

RandomAccessMusings (@rndmaccssmsngs)

Evidence of exploitation and post-exploitation activity for #CVE20243400 can be found in log files on the FW in these locations:
/var/log/pan/gpsvc.log
/var/log/pan/md_out.log
/var/log/pan/device_telemetry_send.log
/var/log/syslog-system.log
/var/log/pan/mp-monitor.log

Volexity (@volexity)

.Volexity shares new observations following its discovery of CVE-2024-3400 + #0day exploitation of the GlobalProtect feature in Palo Alto Networks firewalls and offers guidance for detecting compromise. More here: volexity.com/blog/2024/05/1… #dfir #threatintel #memoryforensics

Paul Rascagnères (@r00tbsd)

We released a blogpost concerning #StormBamboo (aka Evasive Panda). @volexity was involved in an incident where the attackers compromised an ISP to poison the customers' DNS requests to hijack software updates (using the HTTP protocol): volexity.com/blog/2024/08/0… 1/3

billy leonard (@billyleonard)

🆕🚨 New analysis from Google TAG on suspected APT29 waterholes against 🇲🇳 gov. n-day exploits targeting iOS and Android we first observed in use from commercial surveillance vendors🫢 more details in the blog! awesome work from clem1 and team🤝 blog.google/threat-analysi…

Volexity (@volexity)

There are several opportunities coming up to hear some outstanding talks given by members of Volexity’s R&D and #threatintel teams! We’ve compiled a list of who and where: 1/8

Volexity (@volexity)

On October 3, Paul Rascagnères & Charlie Gardner will co-present “The deck is stacked: analysis of OracleBamboo's SPYDEALER Android backdoor” at the Virus Bulletin Conference (virusbulletin.com/conference/vb2…) 4/8

tlansec (@tlansec)

.Volexity is looking for a new Threat Detection & Response analyst in the USA (remote) to join our growing team. Join us to work on some rather interesting cases 😃 volexity.com/company/career…

Volexity (@volexity)

@tlansec @volatility And here is another opportunity to hear a talk from Volexity at #FTSCon on October 21: Steven Adair and Sean Koessel (5ck) will present "The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access" x.com/volatility/sta…

Steven Adair (@stevenadair)

We are hiring! Come join Volexity's Threat Detection team. This is a SOC-type role with purview across our customers to identify suspicious & malicious activity using our telemetry across network, EDR/AV, email, logs & more! Take a look! volexity.com/company/career…

Volexity (@volexity)

Today, Volexity released GoResolver, open-source tooling to assist reverse engineers with obfuscated Golang samples. Paul Rascagnères & Killian Raimbaud presented details at INCYBER Forum earlier today. Learn how GoResolver works + where to download it: volexity.com/blog/2025/04/0… #dfir
