What's new

Suspicious MCP Activities: Introduced a new analytic story focused on detecting abuse of authorized Model Context Protocol (MCP) server deployments, where legitimate AI tool integrations (filesystem, database, API, and cloud operations) may be weaponized for data exfiltration, privilege escalation, lateral movement, or persistence. This release includes a new MCP Technology Add-on (TA) for parsing MCP server telemetry and adds detections such as MCP Sensitive System File Search, MCP Prompt Injection, MCP Postgres Suspicious Query, MCP GitHub Suspicious Operation, and MCP Filesystem Server Suspicious Extension Write, providing visibility into malicious tool invocation patterns, abnormal data access, and AI-driven attack chains leveraging trusted automation infrastructure.

DynoWiper and ZOVWiper (Sandworm Destructive Operations):: Expanded coverage for the destructive malware families DynoWiper and ZOVWiper, attributed to the Russia-aligned threat group Sandworm, by tagging existing endpoint analytics aligned to their file-overwrite, drive enumeration, and system reboot behaviors. These wipers target critical infrastructure and financial sectors, systematically overwriting data across fixed and removable drives while selectively skipping system directories to maximize operational impact. By mapping current detections to known Sandworm tradecraft, this update strengthens visibility into destructive file modification patterns, large-scale overwrite activity, and pre-reboot execution behaviors associated with modern wiper deployments.

SolarWinds Web Help Desk RCE (CVE-2025-26399) Post-Exploitation: Tagged existing analytics to enhance visibility into post-exploitation activity following SolarWinds WHD remote code execution, focusing on suspicious process spawning, privilege escalation, lateral movement, persistence mechanisms, and outbound command-and-control behavior originating from compromised Web Help Desk services.