
Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)

On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability in the threat landscape.

Threat Intelligence's Role in Cybersecurity

Threat intelligence, also referred to as cyber threat intelligence (CTI), is evidence-based data that’s been collected from a variety of sources, processed, and analyzed to help both organizations and individuals understand recent cyber attacks as well as threat actors’ motivations, tactics, behaviors, and potential next steps.

The Aurora Endpoint Security Difference: Ushering in a New Dawn for Cybersecurity

Today, Arctic Wolf successfully completed the acquisition of BlackBerry’s Cylance endpoint security assets. With this acquisition, we are thrilled to welcome hundreds of new partners and thousands of customers to The Pack. Additionally, we are excited to welcome almost 400 new employees who will join Arctic Wolf offices around the globe.

Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access

On January 22, 2025, Arctic Wolf began observing a campaign involving unauthorized access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728).

CVE-2025-23006: Actively Exploited Vulnerability in SonicWall SMA1000 Appliances

On January 22, 2025, SonicWall published a security advisory detailing an actively exploited remote command execution vulnerability in SMA1000 appliances. The critical-severity vulnerability, CVE-2025-23006, is a pre-authentication deserialization of untrusted data vulnerability that has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). If exploited, it could allow unauthenticated remote threat actors to execute arbitrary OS commands.

The Importance of Identity and Access Management

The business world has an identity security problem. Identity telemetry dominated Arctic Wolf’s list of the top 10 security investigation types over the past 12 months, and 70% of organizations were targeted by business email compromise (BEC), an attack that often relies on identity compromise for success, in 2024.

Multiple Vulnerabilities in Rsync Could be Combined to Achieve RCE

On January 14, 2025, the CERT Coordination Center (CERT/CC) published a security advisory detailing multiple vulnerabilities impacting Rsync. The most severe is CVE-2024-12084, a critical-severity heap buffer overflow in the Rsync daemon that allows out-of-bounds writes past the end of a heap buffer.

CVE-2024-55591 Follow-up: Authentication Bypass Vulnerability in Fortinet FortiOS and FortiProxy

On January 14, 2025, Fortinet published a security advisory for CVE-2024-55591, an authentication bypass using an alternate path or channel vulnerability in FortiOS and FortiProxy. A remote threat actor can craft requests to the Node.js websocket module to gain super-admin privileges.

Ransomware Campaign Encrypting Amazon S3 Buckets using SSE-C

On January 13, 2025, Halcyon released a research blog about the Codefinger group conducting a ransomware campaign targeting Amazon S3 buckets. The attacks leverage AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data. The threat actors then demand ransom payments for the symmetric AES-256 keys required to decrypt it. Because AWS does not retain SSE-C keys, objects written this way cannot be recovered from the AWS side without the attacker's key, so detecting SSE-C writes early and refusing them at the bucket level matters more than post-incident recovery.
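As an added example (not code from Arctic Wolf, Halcyon, or AWS), the script below shows the two controls a practitioner would want for the technique described above: a detection pass over CloudTrail S3 data events that flags object writes encrypted with SSE-C, including the in-place CopyObject pattern that re-encrypts an existing object, and a bucket policy that denies any write carrying the SSE-C algorithm header. The CloudTrail records, the bucket name `corp-data`, the principal names, and the IP addresses are all constructed for the example. It assumes CloudTrail S3 data events record the applied encryption mode in `additionalEventData.SSEApplied` (with `SSE_C` for customer-provided keys) and echo the SSE-C request header under `requestParameters`, and that the condition key `s3:x-amz-server-side-encryption-customer-algorithm` is present only on SSE-C requests.

```python
"""Added example: detect SSE-C object writes in CloudTrail S3 data events and
build a bucket policy that refuses them. Sample records are constructed."""
import json
from collections import Counter

# Constructed CloudTrail-style S3 data events, trimmed to the relevant fields.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-13T02:14:05Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "requestParameters": {"bucketName": "corp-data", "key": "q4/report.xlsx",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    # CopyObject with source == destination rewrites an existing object under a
    # key only the caller holds: the ransomware pattern described in the excerpt.
    {"eventTime": "2025-01-13T02:14:06Z", "eventName": "CopyObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "requestParameters": {"bucketName": "corp-data", "key": "q4/ledger.csv",
                           "x-amz-copy-source": "corp-data/q4/ledger.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    # Benign write encrypted with a KMS key the account controls.
    {"eventTime": "2025-01-13T02:20:11Z", "eventName": "PutObject",
     "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole", "userName": "etl-role"},
     "requestParameters": {"bucketName": "corp-data", "key": "etl/batch-17.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    # Read with no encryption metadata at all.
    {"eventTime": "2025-01-13T02:21:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole", "userName": "etl-role"},
     "requestParameters": {"bucketName": "corp-data", "key": "etl/batch-16.parquet"}},
]

WRITE_EVENTS = {"PutObject", "CopyObject"}


def used_ssec(event):
    """True if the write was encrypted with a customer-provided key (SSE-C).
    Assumption: SSEApplied == "SSE_C" or the SSE-C algorithm header is logged."""
    applied = event.get("additionalEventData", {}).get("SSEApplied")
    header = event.get("requestParameters", {}).get(
        "x-amz-server-side-encryption-customer-algorithm")
    return applied == "SSE_C" or header is not None


def find_ssec_writes(events):
    """Return one finding per SSE-C object write, marking in-place rewrites."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS or not used_ssec(ev):
            continue
        params = ev.get("requestParameters", {})
        bucket, key = params.get("bucketName"), params.get("key")
        # A copy whose source equals its destination creates nothing new; it only
        # replaces the object's ciphertext with one the account cannot decrypt.
        in_place = params.get("x-amz-copy-source") == f"{bucket}/{key}"
        findings.append({
            "time": ev.get("eventTime"), "bucket": bucket, "key": key,
            "principal": ev.get("userIdentity", {}).get("userName"),
            "source_ip": ev.get("sourceIPAddress"), "in_place_rewrite": in_place,
        })
    return findings


def principals_over_threshold(findings, threshold=2):
    """Principals with at least `threshold` SSE-C writes (burst = mass encryption)."""
    counts = Counter(f["principal"] for f in findings)
    return {p: n for p, n in counts.items() if n >= threshold}


def deny_ssec_policy(bucket):
    """Bucket policy denying object writes that carry the SSE-C algorithm header.
    Assumption: the condition key below is set only on SSE-C requests, so
    Null=false matches exactly those. CopyObject is authorized as s3:PutObject on
    the destination, so one action covers both. Merge this statement into any
    policy already attached to the bucket rather than replacing it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECObjectWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    hits = find_ssec_writes(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("burst principals:", principals_over_threshold(hits))
    print(json.dumps(deny_ssec_policy("corp-data"), indent=2))
```

Run against real CloudTrail data events (which must be enabled for the bucket; management events alone do not include PutObject or CopyObject), the detection pass is only as good as the assumed field names, so verify `SSEApplied` and the echoed header against a known SSE-C test write in your own account before alerting on it. The deny policy does not help objects already rewritten; it only stops the next bucket from being encrypted the same way.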