LevelBlue Acquires Fortra’s Alert Logic MDR Business, Strengthening Position as Global MDR Leader. Learn More


Threat Intelligence News from LevelBlue SpiderLabs February 2025

February 2025

Latest Threat Intelligence News

Fortinet FortiOS Authentication Bypass CVE-2024-55591

The latest FortiOS vulnerability is exploited through specially crafted requests to a Node.js WebSocket module and allows attackers to escalate privileges to super-admin. It was known to be actively exploited before it was publicly disclosed. A week after the initial disclosure, Watchtowr released a Proof of Concept (PoC), which further increases the severity of the vulnerability.

LevelBlue SpiderLabs has released three correlation rules designed to address this vulnerability. Two of these rules focus on detecting suspicious login activities associated with CVE-2024-55591: 'Fortinet - Suspicious Login from Local Address IP (CVE-2024-55591)' and 'Fortinet - Automated Login-Logout (potential CVE-2024-55591)'. The third rule, 'Fortinet - Admin Added Via the Console', is specifically crafted to identify post-exploitation activity, such as the addition of new administrative accounts.
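The three rule ideas above (login from a local address, automated login/logout cycles, and an admin account added via the console) can be sketched as detection logic over device logs. This is an added example, not LevelBlue's rule content: the log lines are constructed in FortiGate-style key=value form, the field names (action, status, user, srcip, ui, cfgpath, cfgobj) are assumptions, and "local address" is taken to mean a loopback source.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed FortiGate-style key=value events; the field names are assumptions.
SAMPLE_LOG = """\
date=2025-01-20 time=10:00:01 action=login status=success user=admin srcip=10.1.2.3 ui=https
date=2025-01-20 time=10:00:05 action=login status=success user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-20 time=10:00:06 action=logout status=success user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-20 time=10:00:07 action=login status=success user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-20 time=10:00:08 action=logout status=success user=admin srcip=127.0.0.1 ui=jsconsole
date=2025-01-20 time=10:00:09 action=Add status=success user=admin srcip=127.0.0.1 ui=jsconsole cfgpath=system.admin cfgobj=svc_backup
"""

def parse_line(line):
    """Split a key=value syslog line into a dict and attach a datetime."""
    ev = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    ev["ts"] = datetime.fromisoformat(ev["date"] + " " + ev["time"])
    return ev

def local_address_logins(events):
    """Rule 1: successful logins from a loopback source (assumed meaning of 'local address')."""
    return [ev for ev in events if ev.get("action") == "login"
            and ev.get("status") == "success"
            and ipaddress.ip_address(ev["srcip"]).is_loopback]

def automated_login_logout(events, window_s=5, min_cycles=2):
    """Rule 2: same user/source logging in and straight back out, repeatedly."""
    last_login, cycles = {}, defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "login":
            last_login[key] = ev["ts"]
        elif ev.get("action") == "logout" and key in last_login:
            if (ev["ts"] - last_login.pop(key)).total_seconds() <= window_s:
                cycles[key] += 1  # one complete login->logout cycle
    return {k: n for k, n in cycles.items() if n >= min_cycles}

def console_admin_additions(events):
    """Rule 3: post-exploitation check, a system.admin object added via a console UI."""
    return [ev for ev in events if ev.get("action") == "Add"
            and ev.get("cfgpath") == "system.admin"
            and ev.get("ui") in ("console", "jsconsole")]

def run_rules(log_text):
    """Apply all three rules to raw log text; returns the hits per rule."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"local_login": [e["srcip"] for e in local_address_logins(events)],
            "auto_login_logout": automated_login_logout(events),
            "console_admin_add": [e["cfgobj"] for e in console_admin_additions(events)]}
```

Tune the window and cycle thresholds against your own baseline of legitimate automation before alerting on rule 2.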

CVE-2025-23006: Actively Exploited SonicWall Vulnerability

CVE-2025-23006 is a critical deserialization of untrusted data vulnerability in the Appliance Management Console (AMC) and Central Management Console (CMC) of SonicWall SMA1000 devices. Exploitable by unauthenticated remote attackers via specially crafted requests, it allows arbitrary OS command execution under unspecified conditions.

SonicWall's PSIRT and Microsoft Threat Intelligence Center (MSTIC) have reported possible active exploitation of this vulnerability, which has been confirmed by SonicWall. SonicWall SMA products have historically been targeted by ransomware groups.

RaccoonO365: The Latest Blog by LevelBlue SpiderLabs and the SOC

In September 2024, LevelBlue conducted a comprehensive threat hunt targeting artifacts indicative of Phishing-as-a-Service (PhaaS) activity across our monitored customer fleet. During the investigation, the LevelBlue Managed Detection and Response (MDR) Blue Team discovered a new PhaaS kit, now identified as RaccoonO365. The hunt confirmed true-positive compromises of Office 365 accounts, prompting swift customer notifications and guidance on remediation actions.

The initial findings were handed over to the LevelBlue SpiderLabs Threat Intelligence team, which uncovered additional infrastructure and deconstructed the kit’s JavaScript. This analysis provided critical insights into the features and capabilities of the emerging PhaaS kit. Full details are in the latest edition of the "Stories from the SOC" blog.

NEW: LevelBlue Threat Trends Report

We’re pleased to announce publication of the first LevelBlue Threat Trends Report! This biannual publication highlights threat activity observed by LevelBlue during the second half of 2024. Authored by the LevelBlue SOC in collaboration with LevelBlue SpiderLabs, it is a must-have for security practitioners at organizations of all sizes.

Download your copy of the report here!

You can also watch our on-demand webinar to hear our team share key insights from the report.

Tracking, Detection & Hunting Capabilities

The LevelBlue SpiderLabs team updated the following Adversary Trackers to automatically identify and detect malicious infrastructure:

  • SocGholish

  • DarkComet

The team has identified the following malware/threat actors as the most active during the month of January. This month’s malware trends remain very similar to previous months, with one notable change:

  • Cobalt Strike: The adversary simulation tool has experienced a decline from its usual top 3 position this month, primarily due to two factors: it has been observed in fewer environments, and the number of automatically identified indicators by the Adversary Tracker has decreased.

However, this count of IOCs in the Tracker does not account for the numerous campaigns identified in the wild, which are added to manually created pulses.

Each month, a new blog highlights the versatility of Cobalt Strike in combination with other malware. For instance, this month, The DFIR Report published a blog detailing how Cobalt Strike was used alongside the Rclone exfiltration tool, GhostSOCKS, and SystemBC proxies to ultimately deliver LockBit ransomware.

[Figure: LevelBlue Labs January 2025 malware trends]

The LevelBlue trackers have identified almost 2700 new IOCs for the different families they track. The busiest trackers during the month of January have been:

[Figure: new Adversary Tracker IOCs, February 2025 news]

 

USM Anywhere Detection Improvements

In December, LevelBlue SpiderLabs added or updated 41 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • A new rule updating the approach to identify suspicious and potentially malicious files dropped by Office applications.

  • New rules related to Brute Force Authentication and Password Spraying for Fortinet and Cisco Firepower.

  • Several rules for Command and Control Communications and Malware detections by Trend Micro.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.

 

LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more. You can go here to find out more about the new pulses or to sign up to be part of the community.


New OTX Pulses

The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and researchable repositories of information about threats, threat actors, campaigns, and more.

This includes indicators of compromise (IoCs) that are useful to members. In January, 104 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
