On January 14, 2025, the CERT Coordination Center (CERT/CC) published a security advisory detailing multiple vulnerabilities impacting Rsync. The most severe vulnerability is CVE-2024-12084, a critical severity heap buffer overflow vulnerability in the Rsync daemon which can lead to out-of-bounds writes in the buffer.

On January 14, 2025, Fortinet published a security advisory for CVE-2024-55591, an authentication bypass using an alternate path or channel vulnerability in FortiOS and FortiProxy. A remote threat actor can craft requests to the Node.js websocket module to gain super-admin privileges.

In the spring of 2024, the FBI warned U.S citizens of a spear phishing campaign by state-sponsored North Korean threat actors.

On January 13, 2025, Halcyon released a research blog about the Codefinger group conducting a ransomware campaign targeting Amazon S3 buckets. The attacks leverage AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data. The threat actors then demand ransom payments for the symmetric AES-256 keys required to decrypt it.

In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.

On January 8, 2025, Ivanti published a security advisory announcing the patching of a critical, actively exploited vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Tracked as CVE-2025-0282, the vulnerability allows remote unauthenticated threat actors to achieve remote code execution (RCE) via a stack-based buffer overflow flaw. Ivanti confirmed that exploitation has only been observed in Connect Secure, and no exploitation has been reported in Policy Secure or ZTA Gateways.

Through a known vulnerability, a threat actor gains access to an organization and begins to alter the network activity, running unusual enumeration commands. Then the threat actor uses stolen credentials to log into various applications within said network. The cybersecurity monitoring solution at work, in this case Arctic Wolf Managed Detection and Response, subsequently picks up an IP address associated with Finland connecting to the network.