Paul Rascagnères (@r00tbsd)'s Twitter Profile
Paul Rascagnères

@r00tbsd

Threat Researcher at @Volexity | Mastodon account: 🐘 @[email protected] |

ID:137062000

Website: http://www.r00ted.com | Joined: 25-04-2010 17:37:27

235 Tweets

17,1K Followers

2,3K Following

Andrew Case (@attrc):

The volatility Team will be hosting a four day training + one day conference on Volatility 3 this October in D.C. This is your chance to learn Volatility 3 directly from the core team plus learn about cutting edge malware analysis and threat intel!

volatilityfoundation.org/the-2023-volat…

Paul Rascagnères (@r00tbsd):

You can read the details of our investigation concerning the CVE-2024-3400 on our blog post: volexity.com/blog/2024/04/1…. It covers the backdoor (UPSTYLE) and also the post exploitation. 1/4

Steven Adair (@stevenadair):

Our blog with details on the exploitation of CVE-2024-3400 is up! An incredibly fast turn around from our detecting a breach to smashing threat actor capabilities. Huge shout out to our Volexity team and our awesome customers & a great response from the Palo Alto Networks team.

Steven Adair (@stevenadair):

Volexity Palo Alto Networks We have seen limited exploitation but impact at multiple customers. We first detected this just two days ago. Impressive response from the Palo Alto Networks team, as they quickly worked with us and have now pushed a Threat Protection signature with a fix to come April 14.

Steven Adair (@stevenadair):

Our team at Volexity has identified a new 0day exploited in the wild. This time we caught a threat actor using an unauthenticated RCE in Palo Alto Networks GlobalProtect. It has been assigned CVE-2024-3400 and is covered in this Palo Alto Networks advisory security.paloaltonetworks.com/CVE-2024-3400

volatility (@volatility):

We are also excited to announce in-person Malware & Memory Forensics Training on #Volatility3 is coming October 2024!

AND the @volatility Foundation is hosting a one-day summit in conjunction with the training!

See details in the Contest Results post: volatilityfoundation.org/the-2023-volat…

Charlie Gardner (@zcracga):

CharmingCypress are a persistent and creative threat actor. We regularly see them aggressively target those involved in policy, journalism, and activism relating to Iran. They recently went as far as building a fake webinar platform accessible only from an attacker-controlled VPN.

Volexity (@Volexity):

.Volexity consistently observes Iranian group CharmingCypress innovate ways to persistently pursue targets. This blog reviews the group's phishing tactics & malware + investigates an attack with Volexity Volcano: volexity.com/blog/2024/02/1…

Volexity (@Volexity):

In this blog post, Michael Ligh (MHL) + Andrew Case break down how Volexity used to discover two being chained together to achieve unauthenticated remote code execution in Ivanti Connect Secure VPN devices. More details here: volexity.com/blog/2024/02/0…

Volexity (@Volexity):

.Volexity shares new observations on cont'd widespread exploitation of Ivanti Connect Secure VPN vulnerabilities. Now, 2100+ compromised devices & UTA0178 observed modifying built-in Integrity Checker Tool to evade detection. Details: volexity.com/blog/2024/01/1…

Volexity (@Volexity):

.Volexity provides an update on its Ivanti Connect Secure VPN report concerning chained exploitation of CVE-2024-21887/CVE-2023-46805. Based on new data, 1700+ devices have been compromised following widespread exploitation. Details: volexity.com/blog/2024/01/1…
