Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Arctic Wolf

The Pack Looks Back: A 2024 Year in Review

It’s the holiday season, and as we close out the year, I’ve never been more confident in the people and mission that fuel Arctic Wolf. A year ago, we set a goal to be even bolder in our commitment to define the security operations industry, while maintaining the qualities that make us great: our community, our perseverance, and our willingness to go above and beyond to delight our customers.

December 2024 Uptick in Social Engineering Campaign Deploying Black Basta Ransomware

Since December 16, 2024, Arctic Wolf has observed increased activity in a social engineering campaign associated with Black Basta ransomware. In this campaign, threat actors were observed using Microsoft Quick Assist and Teams to impersonate IT personnel and engage in malicious activities upon contacting victims. This is a continuation of the Black Basta campaign we reported on in a security bulletin sent in June 2024.

CVE-2024-53677: Exploitation Attempts of Critical Apache Struts RCE Vulnerability Following PoC Release

On December 15, 2024, reports emerged that threat actors have begun attempting to exploit a recently disclosed critical vulnerability in Apache Struts (CVE-2024-53677) shortly after the publication of a Proof-of-Concept (PoC) exploit. Apache Struts is a widely used open-source web application framework for developing Java-based applications.

Arctic Wolf Observes Targeting of Publicly Exposed Fortinet Firewall Management Interfaces

Since early December 2024, Arctic Wolf has been monitoring threat activity involving the malicious use of management interfaces on FortiGate firewall devices on the public internet. While our investigation into this activity is ongoing and the scope is yet to be fully determined, organizations running these products should ensure that they are adhering to security best practices for management access of firewall devices.

CVE-2024-12356: Critical Severity Command Injection Vulnerability in BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA)

On December 16, 2024, BeyondTrust published a security advisory outlining a vulnerability impacting their Remote Support (RS) and Privileged Remote Access (PRA) software. The flaw, CVE-2024-12356, is a critical severity command injection vulnerability. If successfully exploited it can allow an unauthenticated remote threat actor to execute underlying operating system commands within the context of the site user.

Advancing the Arctic Wolf Aurora Platform with Cylance's Endpoint Security Suite

Arctic Wolf has taken a decisive step forward in our mission to end cyber risk by acquiring Cylance, a pioneer of AI-based endpoint protection. With this acquisition, Arctic Wolf ushers a new era of simplicity and automation to the endpoint security market that will deliver the security outcomes endpoint security customers have been struggling to achieve for years.

Understanding Shadow IT in the Age of AI

With the emergence of artificial intelligence (AI), there has been a flurry of new terms to describe an increasing variety of new problems. Some of those problems have been around for decades but are now more difficult to manage due to the versatility of AI-based tools and applications. One of those ongoing challenges is shadow IT with a new class of problems classified as shadow AI.

Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software

In December 2024, Arctic Wolf Labs observed a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access. The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which we will refer to as Cleopatra. In this article we will provide insight into the execution chain in this campaign, obfuscated malicious payloads deployed, and surrounding threat intelligence context around these activities.

Cleo Releases Patches for Cleo MFT Zero-day Vulnerability

On December 11, 2024, Cleo released patches addressing the zero-day vulnerability recently observed in attacks targeting Cleo Managed File Transfer (MFT) products. This vulnerability allowed unauthenticated threat actors to import and execute arbitrary shell commands on Windows and Linux on affected devices by exploiting default settings of the Autorun directory. The fix is included in version 5.8.0.24, and is now available for Cleo Harmony, VLTrader, and Lexicom.