Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

If your organization is considering a threat detection solution, chances are good that you are wondering about EDR vs. MDR. The constant evolution of the cybersecurity marketplace can make it difficult for organizations to understand the differences and capabilities between different types of security offerings.

In a previous security bulletin sent by Arctic Wolf on April 17, 2025, we advised of a credential access campaign targeting SonicWall SMA devices along with remediation guidance. As of April 29, 2025, SonicWall has updated their advisories for several vulnerabilities that are now linked to ongoing exploitation in the threat landscape.

In the summer of 2024, a Russian ransomware gang launched an attack on a UK pathology services provider. However, the group didn’t just encrypt the organization’s data and demand a ransom. It exfiltrated data from more than 300 million patient interactions with the National Health Service (NHS), and when the victim organization refused to pay the hefty ransom, the group released all the stolen data on the dark web.

The best security outcomes come from the intersection of security expertise and the ability to act based on risk levels. At Arctic Wolf, we are laser focused on security outcomes for the security leaders and teams across our solutions — Arctic Wolf Managed Detection and Response (MDR), Aurora Endpoint Security, Arctic Wolf Managed Risk, Arctic Wolf Managed Security Awareness , Arctic Wolf Incident Response, as well as risk transfer with the Arctic Wolf Security Operations Warranty.

The world of cybersecurity doesn’t lack for acronyms. Whether it’s protocols and standards or tools and technology, the market is dominated by an endless array of capital letters.

On April 24, 2025, SAP released fixes for CVE-2025-31324, a maximum-severity zero-day unrestricted file upload vulnerability in the NetWeaver Visual Composer component. Visual Composer is a tool within NetWeaver for creating applications and user interfaces. The vulnerability was discovered by ReliaQuest, which initially observed its exploitation in the wild.

On April 24, 2025, watchTowr published technical details and a proof-of-concept (PoC) exploit for a critical vulnerability in Commvault Command Center, CVE-2025-34028, which had been disclosed earlier in April. Commvault Command Center is a web-based interface used to manage data protection, backup, and recovery operations across enterprise environments.

Imagine a scenario where an employee receives an email from a colleague, asking for login credentials to a valuable application within their organization. The recipient, perhaps busy with other tasks or not fully paying attention, quickly replies with the needed credentials. However, the sender was not actually a colleague, but a threat actor posing as a colleague. As a result, the now-compromised credentials enable the threat actor to launch a subsequent attack on the organization.

On April 16, 2025, fixes were released for a maximum severity vulnerability in Erlang/OTP SSH, CVE-2025-32433. Erlang/OTP SSH is a library within the Erlang/OTP platform, typically used in telecommunications, messaging, IoT, and distributed applications. CVE-2025-32433 allows unauthenticated remote threat actors to achieve remote code execution (RCE) in the SSH daemon. The issue arises due to a flaw in SSH protocol message handling, which permits the sending of protocol messages before authentication.

On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances. In an updated security advisory for the vulnerability, SonicWall indicated on April 15, 2025 that the vulnerability was being exploited in the wild. The vulnerability was added to CISA’s known exploited vulnerabilities (KEV) catalog the following day.

Threat actors don’t just try to gain access to an organization by targeting a single area of their environment. In today’s complex, connected IT environments, threat actors are utilizing multiple techniques, maneuvering through various parts of an organization’s attack surface, and launching sophisticated attacks across multiple components of the IT environment – from identity to endpoint to the cloud and beyond.

Arctic Wolf has observed an uptick in activity from the Silent Ransom Group, a cybercriminal group first identified in 2020 and notorious for its targeted cyber extortion campaigns driven by financial gain. This week, the group has been targeting the legal industry using “call-back” phishing tactics. The group sends emails impersonating services such as Duolingo or Masterclass, claiming a pending charge and urging recipients to call a phone number to resolve the issue.

On April 3, 2025, Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This stack-based buffer overflow allows remote unauthenticated threat actors to achieve remote code execution (RCE) and has been exploited in the wild. At the time of writing, exploitation has only been observed in Connect Secure, not Policy Secure or ZTA Gateway.

On March 21, 2025, CrushFTP privately alerted customers to a critical authentication bypass vulnerability, now tracked as CVE-2025-31161. Since the initial disclosure, a proof-of-concept (PoC) exploit has been made publicly available, and the CrushFTP CEO has confirmed observing customer compromises via CVE-2025-31161.

Arctic Wolf is an AI-powered security operations provider, which gives our organization advanced insights into the emerging threats inherent in being an early adopter of the more recent techniques. However, Arctic Wolf is not the only one turning to AI. A third of technology leaders reported that AI was already fully integrated into their products and services. This statistic will grow as major tech companies like Microsoft and Google invest billions of dollars into AI infrastructure..