Research Lab
BrickStorm Malware: Anatomy of a Stealth Linux Backdoor Targeting Modern Infrastructure
BrickStorm is a highly stealthy Linux backdoor designed for long-term, targeted cyber-espionage. Brickstorm is closely associated with Cyber Espionage group UNC5221, which is known for exploiting zero-days vulnerability in network edge appliances like Ivanti, F5 and MiTRE breach. Unlike commodity malware, BrickStorm is deployed post-compromise, operates largely in memory, and uses a modular architecture with custom encrypted command-and-control (C2). Its focus on Linux servers, network appliances, and embedded systems reflects a broader trend: attackers increasingly target infrastructure layers where visibility and detection are weakest.
React2Shell Vulnerability
React2Shell Remote Code Execution in React Server Components Vulnerability The bug dubbed as React2Shell, comprising two CVE’s, mainly CVE-2025-55182 and CVE-2025-66478, allows remote unauthenticated users to gain code execution on servers running vulnerable versions of React RSC or Next.JS App Router via single HTTP request. MITRE Tactic ID Technique Name Initial Access T1109 Exploit Public-Facing Application Execution T1059 Command and Scripting Interpreter Persistence T1505.003 Server Software Component: Web Shell Privilege Escalation T1068 Exploitation for Privilege Escalation Defense Evasion T1070.004 Indicator Removal on Host: File Deletion Next.js now powers a massive share of the modern web — millions of production sites,…
Versa Threat Research Labs Spotlight – DeskRAT: TransparentTribe’s Latest Weapon for Targeted Espionage
TransparentTribe (also known as APT36), a state sponsored threat actor known for long running cyber espionage against defense and government sectors, has launched a new campaign leveraging a custom Remote Access Trojan (RAT) dubbed DeskRAT. This malware is distributed through phishing emails containing malicious attachments or links that deliver the payload to targeted systems.
Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
A medium-severity vulnerability was discovered in Versa Director (CVE-2024-39717), and a patch has been released. Impacted customers failed to implement system hardening and firewall guidelines, leaving a management port exposed on the internet.
Versa Security Bulletin: Palo Alto Networks PAN-OS GlobalProtect Zero-Day Vulnerability under Active Exploitation
CVEs: CVE-2024-3400; Summary Recently Palo Alto Networks announced a critical vulnerability in their PAN-OS software used in their GlobalProtect VPN Gateway, which is a feature in the PAN-OS Firewall. The discovery and public disclosure of the vulnerability and fixes timeline is currently as follows: Volexity first discovered the PAN-OS attack on April 10, 2024 at one of its network security monitoring (NSM) customers, and on April 11, 2024 subsequently learnt that another NSM customer was compromised by the same threat actor. Palo Alto Networks was then notified by Volexity that a zero-day vulnerability in its GlobalProtect Gateway was under active…
Versa Security Bulletin: ConnectWise ScreenConnect Authentication Bypass and Path-Traversal Vulnerabilities
CVEs: CVE-2024-1708; CVE-2024-1709 Summary On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities in their remote access tool ScreenConnect. On Feb. 19, 2024, ConnectWise publicly disclosed two new high severity and critical vulnerabilities patched in its remote access tool ScreenConnect Version 23.9.8, with the following CVEs: CVE-2024-1708 Path-Traversal vulnerability (CWE-22) and CVE-2024-1709 Authentication Bypass vulnerability (CWE-288). These vulnerabilities can be exploited to deliver Remote Access Trojans (RATs), Ransomware, Cryptocurrency miners, Stealer malware and many others. CVE Description CVSSv3 Severity CVE-2024- 1709 (CWE-288) Authentication Bypass Using Alternate Path or Channel 10.0 Critical CVE-2024- 1708 (CWE-22) Improper Limitation of a Pathname to…
Versa Security Bulletin: Volt Typhoon Exploitation of N-Day and Zero-Day Vulnerabilities
Summary This security bulletin focuses on understanding the sophisticated exploitation of critical n-day and zero-day vulnerabilities in VPN and other network devices by state-sponsored threat actors, reinforcing the urgency for organizations to prioritize patching vulnerabilities in appliances known to be targeted. The recent exploitation of the critical FortiOS vulnerability followed a disclosure by CISA and other federal agencies revealing that China-linked threat group Volt Typhoon has been known to exploit network appliances from several vendors including Fortinet. Fortinet released a blog post to coincide with the U.S. agencies’ advisory, which pointed to “the need for organizations to have a robust…
Versa Security Bulletin: Multiple Vulnerabilities Affecting Ivanti Connect Secure and Ivanti Policy Secure
CVEs: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893 Summary Recently, Ivanti Connect Secure appliances have faced active exploitation through a series of linked vulnerabilities of high or critical severity. On January 10, 2024, Ivanti disclosed two new vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 (high severity authentication bypass vulnerability) and CVE-2024-21887 (critical severity command injection vulnerability).
Versa Security Bulletin: Okta Customer Support Security Incident
On October 20, 2023, Okta disclosed a security incident affecting their customer support management system. In a note following that disclosure Okta said that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.
Versa Security Bulletin: Cisco IOS XE Web UI Privilege Escalation Vulnerability affecting upwards of 50k devices (patched)
Summary On October 16, 2023, Cisco reported two new vulnerabilities in the web UI for its Cisco IOS XE operating system that runs many of its routers and switches, CVE-2023-20198 and CVE-2023-20273. These vulnerabilities were initially being exploited by unknown hackers and affected more than 10,000 devices at the time of its first known existence. However, in the following days the attack was leveraged to affect more than 50,000 devices, and that’s when a free software fix was identified by Cisco to keep a check on devices. Cisco released the updated version 17.9.4a on October 23 to fix the issue….
Research Lab
Blackcat/ALPHV Ransomware and What To Do
By Versa Threat Research Lab
Versa Networks
April 27, 2022
The FBI, chief investigating agency of the U.S., has triggered an alert concluding that more than 60 organizations worldwide have been a victim of the sophisticated ransomware attack by Blackcat also known as ALPHV/Noberus. The ransomware first came to light when the investigation revealed it to be the first ransomware using the memory-safe programming language RUST, known for its improved performance. Many of the developers of Blackcat are linked with more popular ransomware groups Darkside and Blackmatter who large groups with the experience to carry out operations with a well-established network to support logistics. The advantage of using the RUST…
Research Lab
How Often Do Americans Snoop Online?
By The Versa Team
Universal SASE leaders
April 26, 2022
Whether it’s scouring social media feeds of professionals, family, friends, or strangers, curiosity fills our minds with questions about others we’d prefer not to ask. But how often?
Research Lab
Surveying American Business Owners on Data Breaches
By The Versa Team
Universal SASE leaders
March 16, 2022
Data breaches are on the rise, but are companies properly prepared for this growing threat? We surveyed 1,200 business owners to find out.
Research Lab
Detect Zero-Day Exploits in Microsoft’s Exchange Server
By Versa Threat Research Lab
Versa Networks
March 9, 2021
Last week, Microsoft released an important blog that details that details how HAFNIUM, a state-sponsored threat actor operating out of China, exploited Microsoft Exchange Servers with zero-day exploits along with other code execution vulnerabilities in the Sharepoint software. Microsoft advises that these patches are only intended to be a temporary fix. Customers are still required to update their software to the latest version and apply any relevant security patches to their server.
Research Lab
Unpacking the SolarWinds Supply Chain Attack
By Jayesh Gangadas Patel
Principle Threat Researcher, Versa Networks
January 12, 2021
The SolarWinds attack leaves many unanswered questions and the most prominent amongst them is the question of how the attacker entered internal systems of SolarWinds network and was able to infiltrate and move inconspicuously across the development chain. The malware was able to camouflage its activity among the highly secure network of the prominent organization for an extended period of time, evading all their security detection and prevention defenses. In this particular blog, our team will mainly focus on the chain of events that occurred, and the evasive methods employed to remain completely stealthy despite moving around and compromising a highly secure network environment.
Research Lab
SUPERNOVA: the Invisible Explosion That Caught the Industry Off Guard
By Winny Thomas
Principal Security Architect
December 29, 2020
On December 13, 2020, FireEye reported a global campaign that targeted a large sector of industries by threat actors who inserted malicious code within a software component used by the popular network management software SolarWinds. It is not yet known how the threat actors managed to gain access to the development environment in which they added and distributed this malicious code as part of an update to the software. This trojanized version of the dynamic-link library (DLL) has been given the name ‘Sunburst’ by FireEye. Surprisingly enough, researchers have found evidence of the presence of a second backdoor in the SolarWinds product.
Research Lab
The NSA’s Top 25 Most Exploited Vulnerabilities
By Winny Thomas
Principal Security Architect
December 23, 2020
The National Security Agency published a list of 25 CVEs (Common Vulnerabilities and Exposures) that were most exploited by threat actors in recent times. Some of these CVE’s were used to deliver malicious software that allowed monitoring remote networks, maintaining continued access to remote networks, and, in some cases, using these CVEs to pivot to other systems within the internal network. For example, CVE-2019-11510 was used to gain access to sensitive VPN information of user accounts and then use the credentials to deliver ransomware like Sodinokibi. Similarly, CVE-2019-0803 was used to establish a backdoor to gain and maintain access to…
Research Lab
The SolarWinds Hack: Understanding SolarStorm’s SUNBURST Backdoor
By Jayesh Gangadas Patel
Principle Threat Researcher, Versa Networks
December 21, 2020
FireEye recently provided information about the widespread attack campaign registered against components of the SolarWinds Orion platform. The SolarWinds Orion platform has a huge customer base of 300,000 clients and issued this advisory on Sunday, December 20th. In this blog post, we will focus on answering specific questions that organizations may have regarding the Solarwinds attack.
Research Lab
Emotet: The Silent, Pervasive Villain / The Return of Emotet: Time to Watch Out
By The Versa Team
Universal SASE leaders
April 23, 2020
After several weeks of quiet, especially during the Christmas holidays, the Emotet malware bot is up and running again, and it seems stronger and smarter. Several IT security firms have reported seeing phishing emails delivering Emotet via malicious Word documents and even delayed holiday e-greetings. Cyber-attackers using Emotet seem to have used this brief hiatus to improve the malware’s social engineering abilities, with almost a fourth of infected emails being sent as replies to existing email threads. Designed initially as a banking malware, the Emotet Trojan was first identified by security researchers in 2014. The malware delivery botnet spreads itself…
Research Lab
CVE-2020-0796 – A Potential SMB Attack in the Horizon
By Winny Thomas
Principal Security Architect
April 15, 2020
Server Message Block or SMB is a protocol used extensively by windows. It allows windows computers to communicate, locate file servers, locate and communicate with windows networks services and even communicate with other operating systems that understand the SMB protocol. The latest version of SMB is SMB version 3 which is affected. Over the years numerous vulnerabilities were discovered in the protocol which were actively exploited and used by malware authors to build ransomware, cryptominers, SCADA malware etc. MS08-067 saw the rise of the Conficker worm, MS10-061 was used by the infamous Stuxnet malware and MS17-061 was used by ransomware’s…
Subscribe to the Versa Blog
Recent Posts
