Posts tagged ‘Threat Intelligence’

MITRE ATT&CK vs. MITRE ATLAS: Two Frameworks, One Expanding Threat Landscape

I have been in cyber security for over 25 years. And I have done my fair share of penetration testing/offensive security and I am quite familiar with the MITRE ATT&CK framework. Not long ago, I had the chance to dig into AI offensive security techniques hands-on. I assumed we would use the standard Kali-style hacking tools and follow the usual TTPs. I was wrong. We never fired up a Kali Linux instance or used a single tool from the past 30+ years. Instead, we learned how to trick the LLM into giving us information it was not supposed to. For…

Read More
Industry Insights May 13, 2026

CVE-2026-41940: Inside the cPanel/WHM Authentication Bypass

Introduction Hosting control panels operate with near-total authority over a server: websites, databases, DNS, email, and the account lifecycle are all driven from one place. That privilege makes them a high-value target—when a control-plane bug appears, compromise can extend far beyond a single site. CVE-2026-41940 is a pre-authentication bypass affecting WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared). In practical terms, it lets a remote, unauthenticated attacker reach administrator-level control without supplying valid credentials. Background: What Is cPanel/WHM? cPanel is a widely deployed, Linux-based hosting panel. WHM is the higher-privileged layer used by resellers and server administrators to…

Read More
Industry Insights May 11, 2026

The Ghost in the Leased Line: Unmasking MuddyWater, Surgical Cyber Arm

In the high-stakes theater of global geopolitics, the most effective weapons aren’t always missiles; sometimes, they are just few lines of code.

Read More
Industry Insights Apr 2, 2026

Identity Is the New Perimeter. Stryker Just Taught Us That the Hard Way.

A story on how an Iran-linked group wiped tens of thousands of Stryker’s devices A nation-state attack that changes every assumption we had For years, we have treated nation-state threats as a “Tier 1” problem — something reserved for defense contractors and the energy grid. The March 2026 attack on Stryker Corporation by Iran-linked group Handala officially kills that assumption. On March 11, 2026, Stryker’s corporate Microsoft environment was hit. Employees arrived to find their managed devices wiped out overnight through entirely legitimate Intune commands. Handala claimed 200,000+ systems affected; independent reporting confirms that tens of thousands were impacted. Stryker’s…

Read More
Industry Insights Mar 31, 2026

What is Workspace Security?

“What Is Workspace Security? Learn how Workspace Security, operating within the broader Secure Access Service Edge (SASE) framework, unites advanced security and networking technologies to safeguard users, devices, applications, and data. From enabling Zero Trust principles to incorporating tools like SWG, CASB, ZTNA, DLP, and DEM, explore how Workspace Security helps organizations protect distributed workforces while enabling productivity and collaboration. Discover why Versa is a leader in SASE innovation for modern enterprises.

Read More
Product & Engineering Mar 26, 2026

Securing the Modern Browser: How Versa Remote Browser Isolation Protects an AI-Driven Workforce

Remote Browser Isolation (RBI) is a critical defense against zero-day threats, data loss, and unmanaged device risk. Learn how Versa RBI integrates natively with Unified SASE to secure the browser across your enterprise.

Read More
AI Thought Leadership Feb 27, 2026

AI-Generated Malware Like VoidLink: Why Architecture, Not Hype, Is the Real Defense — and How Versa SASE Delivers It

Recent reporting on VoidLink, a Linux malware framework reportedly developed almost entirely with the assistance of generative AI, marks a structural shift in the threat landscape. According to coverage in CSO Online, VoidLink’s development cycle, code organization, and modular design strongly suggest AI-assisted creation — compressing what historically required months of coordinated engineering into days of automated iteration. This is where Versa SASE, combined with GenAI usage controls, provides a grounded and enforceable defensive posture.

Read More
Research Lab Feb 5, 2026

BrickStorm Malware: Anatomy of a Stealth Linux Backdoor Targeting Modern Infrastructure

BrickStorm is a highly stealthy Linux backdoor designed for long-term, targeted cyber-espionage. Brickstorm is closely associated with Cyber Espionage group UNC5221, which is known for exploiting zero-days vulnerability in network edge appliances like Ivanti, F5 and MiTRE breach. Unlike commodity malware, BrickStorm is deployed post-compromise, operates largely in memory, and uses a modular architecture with custom encrypted command-and-control (C2). Its focus on Linux servers, network appliances, and embedded systems reflects a broader trend: attackers increasingly target infrastructure layers where visibility and detection are weakest.

Read More
Research Lab Dec 16, 2025

React2Shell Vulnerability

React2Shell Remote Code Execution in React Server Components Vulnerability The bug dubbed as React2Shell, comprising two CVE’s, mainly CVE-2025-55182 and CVE-2025-66478, allows remote unauthenticated users to gain code execution on servers running vulnerable versions of React RSC or Next.JS App Router via single HTTP request. MITRE Tactic ID Technique Name Initial Access T1109 Exploit Public-Facing Application Execution T1059 Command and Scripting Interpreter Persistence T1505.003 Server Software Component: Web Shell Privilege Escalation T1068 Exploitation for Privilege Escalation Defense Evasion T1070.004 Indicator Removal on Host: File Deletion Next.js now powers a massive share of the modern web — millions of production sites,…

Read More
Company Updates Dec 4, 2025

Achieve Zero Blind Spots with Versa’s Complete Branch Security that Protects Guest Wi-Fi and Beyond 

Branches are surging back in prominence as hubs for users, applications, and a rapidly expanding IoT ecosystem. In this new branch paradigm, Guest Wi-Fi is no longer a convenience. It’s a non-negotiable requirement across retail, healthcare, hospitality, financial services, and much more. Unfortunately, this shift introduces a new mix of unpredictable user behavior, diverse applications, and thousands of devices to the branch infrastructure. This dramatically increases bandwidth demands and expands the attack surface where guest devices can bring malicious files, launch DNS-based threats, enable data exfiltration, or open compliance and privacy gaps. Industry research shows 70% of performance degradation and…

Read More

Defense Against Web Threats in the Modern Era

Amelie Sutsakhan
By Amelie Sutsakhan
Product Marketing Manager, Versa Networks
April 20, 2021

Cyberattacks have been ranked as the fastest growing crime in the US. Secure Web Gateway (SWG), one of the five components of Secure Access Service Edge (SASE) is key to protecting users from web-based threats while applying and enforcing security policies consistently.

Detect Zero-Day Exploits in Microsoft’s Exchange Server

Versa Threat Research Lab
By Versa Threat Research Lab
Versa Networks
March 9, 2021

Last week, Microsoft released an important blog that details that details how HAFNIUM, a state-sponsored threat actor operating out of China, exploited Microsoft Exchange Servers with zero-day exploits along with other code execution vulnerabilities in the Sharepoint software. Microsoft advises that these patches are only intended to be a temporary fix. Customers are still required to update their software to the latest version and apply any relevant security patches to their server.

Unpacking the SolarWinds Supply Chain Attack

Jayesh Gangadas Patel
By Jayesh Gangadas Patel
Principle Threat Researcher, Versa Networks
January 12, 2021

The SolarWinds attack leaves many unanswered questions and the most prominent amongst them is the question of how the attacker entered internal systems of SolarWinds network and was able to infiltrate and move inconspicuously across the development chain. The malware was able to camouflage its activity among the highly secure network of the prominent organization for an extended period of time, evading all their security detection and prevention defenses. In this particular blog, our team will mainly focus on the chain of events that occurred, and the evasive methods employed to remain completely stealthy despite moving around and compromising a highly secure network environment.

SUPERNOVA: the Invisible Explosion That Caught the Industry Off Guard

Winny Thomas
By Winny Thomas
Principal Security Architect
December 29, 2020

On December 13, 2020, FireEye reported a global campaign that targeted a large sector of industries by threat actors who inserted malicious code within a software component used by the popular network management software SolarWinds. It is not yet known how the threat actors managed to gain access to the development environment in which they added and distributed this malicious code as part of an update to the software. This trojanized version of the dynamic-link library (DLL) has been given the name ‘Sunburst’ by FireEye. Surprisingly enough, researchers have found evidence of the presence of a second backdoor in the SolarWinds product.

The NSA’s Top 25 Most Exploited Vulnerabilities

Winny Thomas
By Winny Thomas
Principal Security Architect
December 23, 2020

The National Security Agency published a list of 25 CVEs (Common Vulnerabilities and Exposures) that were most exploited by threat actors in recent times. Some of these CVE’s were used to deliver malicious software that allowed monitoring remote networks, maintaining continued access to remote networks, and, in some cases, using these CVEs to pivot to other systems within the internal network. For example, CVE-2019-11510 was used to gain access to sensitive VPN information of user accounts and then use the credentials to deliver ransomware like Sodinokibi. Similarly, CVE-2019-0803 was used to establish a backdoor to gain and maintain access to…

The SolarWinds Hack: Understanding SolarStorm’s SUNBURST Backdoor

Jayesh Gangadas Patel
By Jayesh Gangadas Patel
Principle Threat Researcher, Versa Networks
December 21, 2020

FireEye recently provided information about the widespread attack campaign registered against components of the SolarWinds Orion platform. The SolarWinds Orion platform has a huge customer base of 300,000 clients and issued this advisory on Sunday, December 20th. In this blog post, we will focus on answering specific questions that organizations may have regarding the Solarwinds attack.

Emotet: The Silent, Pervasive Villain / The Return of Emotet: Time to Watch Out

The Versa Team
By The Versa Team
Universal SASE leaders
April 23, 2020

After several weeks of quiet, especially during the Christmas holidays, the Emotet malware bot is up and running again, and it seems stronger and smarter. Several IT security firms have reported seeing phishing emails delivering Emotet via malicious Word documents and even delayed holiday e-greetings. Cyber-attackers using Emotet seem to have used this brief hiatus to improve the malware’s social engineering abilities, with almost a fourth of infected emails being sent as replies to existing email threads. Designed initially as a banking malware, the Emotet Trojan was first identified by security researchers in 2014. The malware delivery botnet spreads itself…

CVE-2020-0796 – A Potential SMB Attack in the Horizon

Winny Thomas
By Winny Thomas
Principal Security Architect
April 15, 2020

Server Message Block or SMB is a protocol used extensively by windows. It allows windows computers to communicate, locate file servers, locate and communicate with windows networks services and even communicate with other operating systems that understand the SMB protocol. The latest version of SMB is SMB version 3 which is affected. Over the years numerous vulnerabilities were discovered in the protocol which were actively exploited and used by malware authors to build ransomware, cryptominers, SCADA malware etc. MS08-067 saw the rise of the Conficker worm, MS10-061 was used by the infamous Stuxnet malware and MS17-061 was used by ransomware’s…

COVID-19 Ransomware Analysis

Winny Thomas
By Winny Thomas
Principal Security Architect
April 9, 2020

Versa Security Lab recently analyzed couple of malware samples which arrives on a computer through phishing emails containing documents with embedded link which eventually leads to the download of the malware. Some of these may arrive through websites pretending to provide information on the recent Corona virus outbreak. The past few months have seen several malicious webservers and domains being set up, purportedly serving information on the Covid-19 virus outbreak. Most of these sites are hosts to ransomware and other malware types. In this blog we are going to look at one sample which encrypts files contents and updates the…

New Report Reveals Top 10 Cryptomining Malware for 2018

The Versa Team
By The Versa Team
Universal SASE leaders
December 17, 2018

Disruptive technologies, like blockchain, usher in new market opportunities, like cryptomining.  Whenever there is a growing trend, with the potential for financial gain, cyber criminals will invariably find ways to disrupt and distort these markets. Cryptomining is highly compute-intensive, using computer resources, such as CPU cycles, to mine “cryptocurrency”. Miners are paid for solving CPU intensive cryptographic challenges that validate each block of a transaction added to a cryptocurrency’s blockchain. They are paid a certain amount of cryptocurrency into their cryptocurrency wallet as commission for validating a transaction. . Anywhere there is a profit to be made, capable people will…


Recent Posts













Gartner Research Report

2025 Gartner® Magic Quadrant™ for SASE Platforms

Versa has for the third consecutive year been recognized in the Gartner Magic Quadrant for SASE Platforms and is one of 11 vendors included in this year's report.