Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Arctic Wolf

Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software

Dec 12, 2024 By Stefan Hostetler, Julian Tuin, Aaron Diaz, Jon Grimm, and Cole Bosma In Arctic Wolf
In December 2024, Arctic Wolf Labs observed a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access. The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which we will refer to as Cleopatra. In this article we will provide insight into the execution chain in this campaign, obfuscated malicious payloads deployed, and surrounding threat intelligence context around these activities.
Read Post
Arctic Wolf

Cleo Releases Patches for Cleo MFT Zero-day Vulnerability

Dec 12, 2024 By Andres Ramos In Arctic Wolf
On December 11, 2024, Cleo released patches addressing the zero-day vulnerability recently observed in attacks targeting Cleo Managed File Transfer (MFT) products. This vulnerability allowed unauthenticated threat actors to import and execute arbitrary shell commands on Windows and Linux on affected devices by exploiting default settings of the Autorun directory. The fix is included in version 5.8.0.24, and is now available for Cleo Harmony, VLTrader, and Lexicom.
Read Post
Arctic Wolf

Ivanti Patches Multiple Critical-Severity Vulnerabilities in Cloud Services Application

Dec 11, 2024 By Steven Campbell In Arctic Wolf
On December 10, 2024, Ivanti released updates for three critical-severity vulnerabilities impacting their Cloud Services Application. By chaining the vulnerabilities together, a threat actor could obtain administrative privileges via authentication bypass (CVE-2024-11639), which could then allow for remote code execution (CVE-2024-11172) and/or SQL injection (CVE-2024-11173).
Read Post
Arctic Wolf

Arctic Wolf Labs Observes Threat Campaign Targeting Cleo MFT Products - Remediation Guidance

Dec 10, 2024 By Andres Ramos In Arctic Wolf
Update: Dec 11, 2024. Find the latest information in our follow-up security bulletin. On December 7, 2024, Arctic Wolf began observing a novel campaign exploiting Cleo Managed File Transfer (MFT) products across several customer environments. Initial indications of malicious activity in this campaign were identified as early as October 19, with a sharp increase in early December.
Read Post
Arctic Wolf

CVE-2024-42448: Veeam Discloses Critical RCE Vulnerability in Service Provider Console

Dec 3, 2024 By Andres Ramos In Arctic Wolf
On December 3, 2024, Veeam disclosed a critical vulnerability within the Veeam Service Provider Console (VSPC), tracked as CVE-2024-42448, which was discovered during internal testing. VSPC is a management tool designed for service providers to manage customer backups. The vulnerability allows a remote threat actor to perform Remote Code Execution (RCE) on the VSPC server machine from an authorized VSPC management agent machine.
Read Post
Arctic Wolf

Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices

Nov 22, 2024 By Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher In Arctic Wolf
On November 18, 2024, Palo Alto Networks disclosed the existence of two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in Palo Alto Networks OS (PAN-OS), the operating system used on their firewall devices. A day later, watchTowr released a report providing technical details on how to chain the two vulnerabilities together to achieve remote code execution of these vulnerabilities.
Read Post

Copyright © 2026 OpsMatters™. All rights reserved.