APT28 has used a variety of public exploits, including CVE-2020-0688 and CVE-2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.[10][11]
APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.[12][13]
APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[15] APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access.[16]
APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.[17][18][19][20]
Axiom has been observed using SQL injection to gain access to systems.[21][22]
BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited misconfigured Plesk servers.[23]
BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[24]
Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.[25]
During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[26]
During C0018, the threat actors exploited VMware Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.[27]
During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[28]
Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access, including vulnerabilities in Microsoft Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j.[29][30][31][32]
COATHANGER is installed following exploitation of a vulnerable FortiGate device.[33]
During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887.[34][35][36][37][38]
Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.[39]
Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.[40]
FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NetWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access.[41][42]
FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange.[29]
Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.[43][44][45][46][47]
GALLIUM exploited publicly facing servers, including Wildfly/JBoss servers, to gain access to the network.[48][49]
GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[50]
HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server.[51][52][53][54][30]
Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.[56]
Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.[57]
Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and FortiOS SSL VPNs (CVE-2018-13379).[58][59][60][61][62][30]
menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.[63]
Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[64]
MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).[65]
During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[66]
During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[67]
During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.[68]
Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[69][70]
Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.[71][72]
Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[73]
During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[74][12]
SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[75]
sqlmap can be used to automate exploitation of SQL injection vulnerabilities.[76]
Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.[77]
ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations.[78]
Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.[79][80]
Volt Typhoon gained initial access through exploitation of CVE-2021-40539 in internet-facing ManageEngine ADSelfService Plus servers.[81]
ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[82]