Introduction

In mid-February, Orange Cyberdefense's CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The site had been built using Craft CMS version 4.12.8. The forensic investigation and post-analysis with the Ethical Hacking team led to the discovery of two CVEs: CVE-2024-58136 and CVE-2025-32432.
This blog post aims to present:
- The investigation that led to the finding of those two CVEs, and details of the different IOCs found during the analysis.
- The technical details of both CVEs, explaining how Craft CMS was vulnerable through the Yii Framework.
- An assessment of the vulnerable assets online.

I. Forensic investigation

TL;DR

On the 14th of February, a threat actor compromised a web server using CVE-2025-32432. The threat actor used it to download a PHP file manager onto the server, which was later used to upload other PHP files to the server. The rest of this section will cover the following points:
godoh, or DNS exfiltration over DNS over HTTPS (DoH)

"Exfiltration Over Alternate Protocol" techniques, such as using the Domain Name System as a covert communication channel for data exfiltration, are not a new concept. We've used the technique for many years at SensePost, including Haroon & Marco's 2007 BH/DC talk on Squeeza. In the present age this is a well understood topic, at least amongst Infosec folks, with a large number of resources available online that aim to enlighten those who may not be familiar with the concept. There are also practical techniques for detecting DNS tunnelling on your network.