
What Is PCI DSS and How Can Organizations Best Maintain Compliance?

The world is going cashless. The Federal Reserve reported that cash was used in just 16% of all U.S. transactions in 2024, and that number is expected to continue to decline. The widespread use of credit and debit cards, plus the rise of digital wallets and contactless payments, has reshaped the financial landscape, increasing flexibility as well as financial protection. However, it has also increased the levels of fraud.

Incident Response, Reinvented: Arctic Wolf's Incident360 Retainer

Cyber attacks aren’t a question of if, but when. Yet for many midmarket and small enterprises, the tools and models to prepare for these threats have long been out of reach — often too complex, expensive, or ineffective. Traditional incident response (IR) retainers, designed for a different era, have only added to this challenge by creating financial and operational uncertainty when organizations need clarity the most.

Critical Authentication Bypass Vulnerability in Mitel MiVoice MX-ONE

On July 23, 2025, Mitel released fixes for a critical authentication bypass vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE, a communication platform used for enterprise voice and collaboration services. The vulnerability allows unauthenticated remote threat actors to gain unauthorized access to publicly exposed Mitel voice systems and access user or administrator accounts due to improper access controls.

How the Behavioral Detection Engine Delivers Aurora Endpoint Detection and Response Capabilities

This video will demonstrate the ability to configure detections and response actions in the Behavioral Detection Engine. This capability reduces investigation times and enables granular control of response, while still collecting high value telemetry.

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems.

CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises

On July 19, 2025, Microsoft disclosed active exploitation of a zero-day vulnerability (CVE-2025-53770) affecting on-premises SharePoint Server instances. Originally, no patch was available for this vulnerability, but fixes were released late on the evening of July 20. CVE-2025-53770 is caused by the deserialization of untrusted data, allowing unauthenticated threat actors to execute code remotely over the network.

Follow-Up: Updates on Actively Exploited Information Disclosure Vulnerability "Citrix Bleed 2" in Citrix NetScaler ADC and Gateway (CVE-2025-5777)

In late June 2025, Arctic Wolf issued a security bulletin addressing a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway that Citrix disclosed, tracked as CVE-2025-5777. This vulnerability affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially-motivated threat actor, active since early 2021, has been targeting Mexican organizations with custom packaged installers that deliver a modified version of AllaKore RAT. Arctic Wolf documented 2022 and 2023 campaign samples from this unidentified threat actor in a previous report. We are now referring to this group as Greedy Sponge, due to its financial focus and prior use of a popular “SpongeBob” meme on its C2.

Understanding the Value of Incident Response Retainers

Despite growing investments and advances in cybersecurity, incidents and data breaches continue to increase year over year. From the continuous uptick of vulnerabilities to the rapidly expanding human attack surface, it’s clear that as new risk points appear, threat actors are right there, ready to take action.

New FileFix Delivery Method Used to Distribute Interlock RAT

Since at least February 2025, Arctic Wolf has observed Interlock Remote Access Trojan (RAT) being deployed via social engineering techniques. Recently, The DFIR Report published a technical analysis of the Interlock RAT being delivered via a social engineering technique dubbed “FileFix.” The name FileFix is derived from its similarity to the previously documented ClickFix technique using fake CAPTCHA pages.

Arctic Wolf Observes Microsoft Direct Send Abuse

Arctic Wolf has recently observed a widespread phishing campaign targeting multiple organizations by abusing Microsoft 365’s Direct Send feature—a feature designed for internal email delivery without requiring authentication. Threat actors can identify valid domains and recipients, then send spoofed emails that appear to originate from internal domains—often impersonating the recipient themselves—without needing credentials or access to the tenant.

How to Enable Manager Level Reporting for Managed Security Awareness

This video will demonstrate how manager level reporting can be enabled for Managed Security Awareness customers. With this visibility, managers can follow up with employees, ensure the content is consumed and ultimately help the organization build a culture of security.

How to Better Secure Perimeter and Edge Devices

Organizational perimeters have transformed. From IoT devices and cloud infrastructure to APIs and microservices, today’s perimeters bear little resemblance to those of even the recent past — and one result of these transformations is organizations’ vastly expanded attack surfaces. Additionally, the adoption of hybrid work has imposed new requirements and introduced new challenges that influence perimeter architecture and tooling.

PoC Available for High-Severity Arbitrary File Write in Git CLI (CVE-2025-48384)

Arctic Wolf Customer: Proof-of-concept exploit code is now available for a high-severity arbitrary file write vulnerability in Git, which poses a risk to developers who regularly work with third-party code. If Git is used in your environment, we recommend reviewing this security bulletin and taking immediate steps to mitigate the risk.

CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb

On July 8, 2025, Fortinet released fixes for a critical vulnerability in FortiWeb that could allow an unauthenticated threat actor to execute SQL commands via crafted HTTP or HTTPS requests, tracked as CVE-2025-25257. The flaw lies in the Graphical User Interface (GUI) component and stems from improper neutralization of special elements used in SQL statements. The vulnerability was discovered by a security researcher and responsibly disclosed to Fortinet.

CVE-2025-47812: Wing FTP Server Remote Code Execution Vulnerability Exploited in the Wild

On July 10, 2025, a technical article was published by Huntress revealing that a maximum severity remote code execution vulnerability in Wing FTP Server, CVE-2025-47812, had been actively exploited by threat actors as early as July 1, 2025. Details of the vulnerability had originally been published on June 30, 2025, providing a comprehensive breakdown of the flaw and how to exploit it.

Understanding Multi-Factor Authentication

Looking back at the early 2024 data breach at Change Healthcare — a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system — one key detail stands out: Initial access into the healthcare system’s network was much easier due to a lack of multi-factor authentication (MFA).

CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability

On July 2, 2025, Cisco released a security advisory detailing a maximum severity vulnerability (CVE-2025-20309) in Cisco Unified Communications Manager and Unified Communications Manager SME Engineering Special, caused by hard-coded root SSH credentials that cannot be changed or removed.

Navigating Cyber Risks Amid Heightened Middle East Tensions

Recent escalations involving the U.S. and Iran highlight an important reality: geopolitical tensions frequently extend into cyberspace. Cyber threat actors affiliated with or sympathetic to Iran are intensifying their efforts, increasing risks not only for U.S.-based organizations but also for companies across allied nations, particularly those with diplomatic, military, or critical infrastructure ties. Reflecting this elevated threat landscape, the U.S.

Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

Since early June 2025, Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP.

SOCast Live: Zero Assumptions: A Threat Intel Roundtable

The threat landscape is evolving faster than ever, and with geopolitical tensions rising globally, IT and security leaders need the latest information on how to remain ready and resilient. Join Arctic Wolf and the industry's leading experts to learn:

Featuring: Ismael Valenzuela, VP, Threat Research and Intelligence, Arctic Wolf; Markus Neis, Senior Principal Threat Intelligence Researcher, Arctic Wolf.

The Howler Episode 20: Matt Bykowski, SVP Global Acquisition Sales

This month, we sit down with Matt Bykowski, Senior Vice President of Global Acquisition Sales, as he shares how he works to enable & empower his team, learnings from leading an increasingly global team, his thoughts on the transition from high performer to people leader, and so much more! Matt Bykowski is a dynamic sales leader with over 15 years of experience driving growth in the technology sector.

Credential Theft Campaign Targets Legal Sector via Spoofed Emails Delivering Malicious HTM File Mimicking O365 Login Page

Arctic Wolf has recently observed a campaign targeting the legal industry using a combination of brute-force and spearphishing techniques. Threat actors initially attempted to brute-force multiple user accounts. After those efforts were unsuccessful, they pivoted to spearphishing by sending spoofed emails that appeared to originate from internal users. These emails used the subject line “Reminder-Your-to-do-list” and contained a malicious .HTM attachment.