Research Lab
BrickStorm Malware: Anatomy of a Stealth Linux Backdoor Targeting Modern Infrastructure
BrickStorm is a highly stealthy Linux backdoor designed for long-term, targeted cyber-espionage. Brickstorm is closely associated with Cyber Espionage group UNC5221, which is known for exploiting zero-days vulnerability in network edge appliances like Ivanti, F5 and MiTRE breach. Unlike commodity malware, BrickStorm is deployed post-compromise, operates largely in memory, and uses a modular architecture with custom encrypted command-and-control (C2). Its focus on Linux servers, network appliances, and embedded systems reflects a broader trend: attackers increasingly target infrastructure layers where visibility and detection are weakest.
React2Shell Vulnerability
React2Shell Remote Code Execution in React Server Components Vulnerability The bug dubbed as React2Shell, comprising two CVE’s, mainly CVE-2025-55182 and CVE-2025-66478, allows remote unauthenticated users to gain code execution on servers running vulnerable versions of React RSC or Next.JS App Router via single HTTP request. MITRE Tactic ID Technique Name Initial Access T1109 Exploit Public-Facing Application Execution T1059 Command and Scripting Interpreter Persistence T1505.003 Server Software Component: Web Shell Privilege Escalation T1068 Exploitation for Privilege Escalation Defense Evasion T1070.004 Indicator Removal on Host: File Deletion Next.js now powers a massive share of the modern web — millions of production sites,…
Versa Threat Research Labs Spotlight – DeskRAT: TransparentTribe’s Latest Weapon for Targeted Espionage
TransparentTribe (also known as APT36), a state sponsored threat actor known for long running cyber espionage against defense and government sectors, has launched a new campaign leveraging a custom Remote Access Trojan (RAT) dubbed DeskRAT. This malware is distributed through phishing emails containing malicious attachments or links that deliver the payload to targeted systems.
Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
A medium-severity vulnerability was discovered in Versa Director (CVE-2024-39717), and a patch has been released. Impacted customers failed to implement system hardening and firewall guidelines, leaving a management port exposed on the internet.
Versa Security Bulletin: Palo Alto Networks PAN-OS GlobalProtect Zero-Day Vulnerability under Active Exploitation
CVEs: CVE-2024-3400; Summary Recently Palo Alto Networks announced a critical vulnerability in their PAN-OS software used in their GlobalProtect VPN Gateway, which is a feature in the PAN-OS Firewall. The discovery and public disclosure of the vulnerability and fixes timeline is currently as follows: Volexity first discovered the PAN-OS attack on April 10, 2024 at one of its network security monitoring (NSM) customers, and on April 11, 2024 subsequently learnt that another NSM customer was compromised by the same threat actor. Palo Alto Networks was then notified by Volexity that a zero-day vulnerability in its GlobalProtect Gateway was under active…
Versa Security Bulletin: ConnectWise ScreenConnect Authentication Bypass and Path-Traversal Vulnerabilities
CVEs: CVE-2024-1708; CVE-2024-1709 Summary On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities in their remote access tool ScreenConnect. On Feb. 19, 2024, ConnectWise publicly disclosed two new high severity and critical vulnerabilities patched in its remote access tool ScreenConnect Version 23.9.8, with the following CVEs: CVE-2024-1708 Path-Traversal vulnerability (CWE-22) and CVE-2024-1709 Authentication Bypass vulnerability (CWE-288). These vulnerabilities can be exploited to deliver Remote Access Trojans (RATs), Ransomware, Cryptocurrency miners, Stealer malware and many others. CVE Description CVSSv3 Severity CVE-2024- 1709 (CWE-288) Authentication Bypass Using Alternate Path or Channel 10.0 Critical CVE-2024- 1708 (CWE-22) Improper Limitation of a Pathname to…
Versa Security Bulletin: Volt Typhoon Exploitation of N-Day and Zero-Day Vulnerabilities
Summary This security bulletin focuses on understanding the sophisticated exploitation of critical n-day and zero-day vulnerabilities in VPN and other network devices by state-sponsored threat actors, reinforcing the urgency for organizations to prioritize patching vulnerabilities in appliances known to be targeted. The recent exploitation of the critical FortiOS vulnerability followed a disclosure by CISA and other federal agencies revealing that China-linked threat group Volt Typhoon has been known to exploit network appliances from several vendors including Fortinet. Fortinet released a blog post to coincide with the U.S. agencies’ advisory, which pointed to “the need for organizations to have a robust…
Versa Security Bulletin: Multiple Vulnerabilities Affecting Ivanti Connect Secure and Ivanti Policy Secure
CVEs: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893 Summary Recently, Ivanti Connect Secure appliances have faced active exploitation through a series of linked vulnerabilities of high or critical severity. On January 10, 2024, Ivanti disclosed two new vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 (high severity authentication bypass vulnerability) and CVE-2024-21887 (critical severity command injection vulnerability).
Versa Security Bulletin: Okta Customer Support Security Incident
On October 20, 2023, Okta disclosed a security incident affecting their customer support management system. In a note following that disclosure Okta said that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.
Versa Security Bulletin: Cisco IOS XE Web UI Privilege Escalation Vulnerability affecting upwards of 50k devices (patched)
Summary On October 16, 2023, Cisco reported two new vulnerabilities in the web UI for its Cisco IOS XE operating system that runs many of its routers and switches, CVE-2023-20198 and CVE-2023-20273. These vulnerabilities were initially being exploited by unknown hackers and affected more than 10,000 devices at the time of its first known existence. However, in the following days the attack was leveraged to affect more than 50,000 devices, and that’s when a free software fix was identified by Cisco to keep a check on devices. Cisco released the updated version 17.9.4a on October 23 to fix the issue….
Research Lab
COVID-19 Ransomware Analysis
By Winny Thomas
Principal Security Architect
April 9, 2020
Versa Security Lab recently analyzed couple of malware samples which arrives on a computer through phishing emails containing documents with embedded link which eventually leads to the download of the malware. Some of these may arrive through websites pretending to provide information on the recent Corona virus outbreak. The past few months have seen several malicious webservers and domains being set up, purportedly serving information on the Covid-19 virus outbreak. Most of these sites are hosts to ransomware and other malware types. In this blog we are going to look at one sample which encrypts files contents and updates the…
Research Lab
Internal Network Exposure via UPnP NAT Injection
By Winny Thomas
Principal Security Architect
December 5, 2018
Universal Plug-n-Play – (UPnP) is a suite of protocols that enables a device to discover other devices on a network, configure itself to operate in the network, and advertise its services. This allows a device to locate routers, printers and other resources on a network. UPnP runs on UDP port 1900 and communicates using SOAP messages over HTTP. The actual configuration and management interface are implemented using a SOAP-based HTTP service running over a dynamically allocated TCP port. The UPnP protocol allows management of aspects of a device’s operation to extend support by the protocol implementation on the device and its…
Research Lab
Fake Flash Updates Mine Monero Under the Hood
By The Versa Team
Universal SASE leaders
October 25, 2018
The recent surge in cryptomining is providing cyber criminals with more vectors to attack, at the expense of legitimate users. This year has seen a huge increase in the deployment of numerous malwares, with cryptominers as primary or secondary payloads. Cryptominers are becoming easy targets, that allow attackers to go a step further to disguise themselves as the miner in the form of a flash update. Palo Alto Networks reported a list of collected samples, some dating back to August 2018[1]. The author further adds that installers from the Adobe website were legitimate, and the malicious ones were mostly Windows…
Research Lab
Lateral Movement – Definition, Causes & Protection
By Winny Thomas
Principal Security Architect
October 5, 2018
Lateral Movement Definition: Lateral movement is a technique used by cyber attackers to infiltrate and move through a network with the intent of obtaining secure data. The Cause The term “Lateral Movement” has been around for a little over four years and was in the news when ransomware like WannaCry and APT’s like APT28 and APT29 used lateral movement techniques. Most often an attacker may not have direct access to a machine or resource on the internal network, which the attacker considers a prized trophy. The prized trophy may be the domain controller, a machine hosting confidential information, or the…
Research Lab
GandCrab Ransomware
By The Versa Team
Universal SASE leaders
October 4, 2018
Ransomware is a form of malicious software that latches onto a system and encrypts the files within it, making them inaccessible to the user. The attackers behind this malicious activity typically demand payment in terms of currency (crypto or cash) in return for the keys to decrypt the files. A recent ransomware which has become viral since January 2018 is named GandCrab. This ransomware is believed to be distributed as a Ransomware-as-a-Service [2,3]. GandCrab initially differentiated from other ransomware by demanding a ransom in DASH [7] cryptocurrency. The developers behind GandCrab have been continuously updating and releasing improved versions, with…
Research Lab
FIN7 — the New Avatar
By Winny Thomas
Principal Security Architect
November 2, 2017
Fin7 is a cybercrime group that employs spear phishing attacks to deliver malware that uses fileless malware techniques, sophisticated evasions and persistence. They mostly target the financial sector. In this blog, we are going to take a high-level look at one such sample seen in the wild, which employs several layers of obfuscated JScript, powershell and DLL embedded within a Microsoft Word document. The sample analyzed has the MD5 hash 29a3666cee0762fcd731fa663ebc0011. Through a series of deeply embedded base64 encoded scripts, obfuscated code and use of powershell, this strain achieves stealth and evasion. The document arrives as an email attachment in…
Research Lab
Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
By The Versa Team
Universal SASE leaders
October 18, 2017
Several Security Vulnerability have been patched in recently in Apache Tomcat. The list of fixed flaws recently addressed also included code execution vulnerabilities. Apache Tomcat is the most widely used web application server, with over one million downloads per month and over 70% penetration in the enterprise datacenter. The Apache Tomcat development team publicly disclosed the presence of a remote code execution vulnerability, tracked as CVE-2017-12617, affecting the popular web application server. The Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 are affected. The vulnerability is classified as “important” severity, has been…
Research Lab
Apache: Failed to Harden in 2017
By The Versa Team
Universal SASE leaders
October 10, 2017
Apache’s gaps has been in news for quite a while, and this has led to the massive milestone of Equifax being compromised to the tune of 143 million records. This has been a difficult year for Apache, with so many vulnerabilities being reported. Refer to the link for a list of Apache vulnerabilities reported in 2017. Though previous years also accounted for large chunks of Apache vulnerability, this year it has been in news for two particular vulnerabilities, CVE-2017-5638 (which led to the compromise of user data through the Equifax breach) and CVE-2017-9805 (due to the fact that the public…
Subscribe to the Versa Blog
Recent Posts
