{"uuid": "9a35bcae-d831-491f-945c-1fbd54769c38", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf", "description": "Key Takeaways\n-------------\n\n* Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.\n* The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.\n* While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable.\n* Organizations should urgently disable firewall management access on public interfaces as soon as possible.\n\nSummary\n-------\n\nIn early December, Arctic Wolf Labs [began observing a campaign](https://arcticwolf.com/resources/blog/arctic-wolf-observes-targeting-of-publicly-exposed-fortinet-firewall-management-interfaces/) involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.\n\nWhile the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.\n\nWe are sharing details of this campaign to help organizations defend against this threat. Please note that our investigation of this campaign is ongoing, and we may add further detail to this article as we uncover additional information.\n\n**Update:** On January 14, 2025, Fortinet [published an advisory](https://www.fortiguard.com/psirt/FG-IR-24-535) confirming the existence of an authentication bypass vulnerability affecting FortiOS and FortiProxy products, which was designated as CVE-2024-55591. The advisory also confirmed key details observed in the campaign described here. See our [security bulletin](https://arcticwolf.com/resources/blog/cve-2024-55591/) for updated remediation guidance.\n\nBackground\n----------\n\nFortiGate next-generation firewall (NGFW) products have a feature that allow administrators to access the command-line interface through the web-based management interface. This comes as a standard feature on most NGFW devices and is a convenient feature for administrators.\n\n\n\nThe CLI Console feature in the FortiGate web interface ([source](https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/639044/cli-script-action))\n\nAccording to the [FortiGate Knowledge Base](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-check-filter-configuration-changes-logs/ta-p/269484), when changes are made via the web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes. In contrast, changes made via ssh would be listed as ssh for the user interface instead.\n\nBehind the scenes, there are proprietary command-line tools that FortiGate software uses to perform administrative functions. One binary in particular, newcli, is [described](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Short-list-of-processes-on-the-FortiGate/ta-p/190775) as managing the creation and termination of CLI connections.\n\nIn a [2023 report](https://www.synacktiv.com/sites/default/files/2023-01/fortimanager_multiple_vulnerabilities_2021_published_lpe.pdf) by Synacktiv about CVE-2022-26118, a privilege escalation vulnerability, a proof-of-concept bash session is provided that demonstrates how threat actors could invoke the newcli utility to add backdoor users. Notably, the \u2013userfrom switch specifies a value of jsconsole(127.0.0.1), suggesting that a loopback interface can be arbitrarily specified as the source IP address for initiation of a CLI console.\n\n```\nbash$ cat add_backdoor_user.txt\nconfig system admin user\n edit backdoor\n set password backdoor\n set profileid Super_User\n set adom \"all_adoms\"\n end\nexit\nbash$ cat add_backdoor_user.txt | /bin/newcli system system \\\n --userfrom=\"jsconsole(127.0.0.1)\" \\\n --adminprof=Super_User --adom=root --from_sid=0\n```\n\n\nAlthough we do not have direct confirmation that such commands are utilized in the present campaign, the observed activities follow a similar pattern in the way they invoke jsconsole.\n\nWhat We Know About the Campaign\n-------------------------------\n\nAt a high level, the present campaign can be thought of in 4 distinct phases:\n\n1. Vulnerability scanning (November 16, 2024 to November 23, 2024)\n2. Reconnaissance (November 22, 2024 to November 27, 2024)\n3. SSL VPN configuration (December 4, 2024 to December 7, 2024)\n4. Lateral Movement (December 16, 2024 to December 27, 2024)\n\nThese phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access. Note, however, that our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign.\n\nWhat stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board.\n\nThe firmware versions of devices that were affected ranged between 7.0.14 and 7.0.16, which were released on February 2024 and October 2024 respectively.\n\n### Phase 1: Vulnerability scanning\n\nOne of the most notable indicators of compromise in this campaign is the use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses and popular DNS resolvers including Google Public DNS and Cloudflare. These combinations of source and destination IP addresses are not typical for jsconsole activity, making them an ideal target for threat hunting. These values appear to be spoofed, since jsconsole traffic to and from these IP addresses would not be possible without the threat actor having control over them.\n\n\n|Source IP Address|Destination IP address|\n|-----------------|----------------------|\n|127.0.0.1 |127.0.0.1 |\n|8.8.8.8 |8.8.4.4 |\n|1.1.1.1 |2.2.2.2 |\n\n\nAnomalous source and destination IP addresses for jsconsole administrative logins\n\nNumerous successful admin login events from jsconsole were observed originating from the anomalous IP addresses, all using the admin account. Interestingly, jsconsole login events using loopback IP addresses seemed to occur more frequently than events with the other two pairs of addresses using DNS resolvers, especially during the first phase of the campaign. In contrast, beyond the first phase of the campaign, events with the DNS resolver IP addresses were more commonly associated with configuration changes than those with the loopback addresses.\n\n```\ndate=2024-12-07 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=REDACTED tz=\"-0500\" logid=\"0100032001\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Admin login successful\" sn=\"REDACTED\" user=\"admin\" ui=\"jsconsole\" method=\"jsconsole\" srcip=127.0.0.1 dstip=127.0.0.1 action=\"login\" status=\"success\" reason=\"none\" profile=\"super_admin\" msg=\"Administrator admin logged in successfully from jsconsole\"\n```\n\n\nAdditionally, there was corresponding traffic to and from loopback interfaces on TCP port 8023, which [according to the Fortinet Knowledge Base](https://community.fortinet.com/t5/Customer-Service/Technical-Tip-FortiGate-inside-socket-for-Web-CLI/ta-p/219844) is the web CLI port. Loopback traffic was also observed on TCP port 9980, which is [used internally](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Logs-regarding-port-9980-and-local-traffic/ta-p/222791) by the web-based management interface for security fabric and REST API queries on FortiGate devices. The timestamps of traffic on ports 8023 and 9980 matched jsconsole activity down to the second.\n\n```\ndate=2024-12-07 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=REDACTED tz=\"-0500\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" srcip=127.0.0.2 srcport=REDACTED srcintf=\"root\" srcintfrole=\"undefined\" dstip=127.0.0.1 dstport=8023 dstintf=\"root\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=REDACTED proto=6 action=\"close\" policyid=0 service=\"tcp/8023\" trandisp=\"noop\" app=\"tcp/8023\" duration=1 sentbyte=879 rcvdbyte=778 sentpkt=14 rcvdpkt=14 appcat=\"unscanned\"\n```\n\n\nThe first occurrences of this type of jsconsole activity were observed in the wild as early as November 16, 2024 across victim organizations in a variety of sectors. It is important to note, however, that although malicious logins were observed this early, the first signs of impactful configuration changes from these console sessions only began to ramp up en masse between December 4, 2024 and December 7, 2024.\n\n### Web management HTTPS activity\n\nCorrelated closely in time with the jsconsole activity, we observed HTTPS web management traffic from a group of VPS hosting providers\u2019 IP addresses. Some of these IP addresses would later proceed to establish SSL VPN tunnels to the same compromised firewalls. These HTTPS events took place tens of seconds before the jsconsole activity. There are several noteworthy aspects to this traffic:\n\n1. Action was client-rst, which means that the client side of the TCP session has sent an RST packet to terminate the connection.\n2. The amount of data sent to the destination firewall was over a megabyte in size.\n3. The duration of the session was over 100 seconds.\n4. The app was \u201cWeb Management(HTTPS)\u201d. In the example below, the HTTPS management port was 8443 but this is set to 443 by default. However, it can be set arbitrarily to another value and is often different depending on the environment.\n5. The traffic originated from a WAN interface.\n\n```\ndate=2024-12-15 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=REDACTED tz=\"-0500\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" srcip=157.245.3.251 srcport=56010 srcintf=\"wan1\" srcintfrole=\"wan\" dstip=REDACTED dstport=8443 dstintf=\"root\" dstintfrole=\"undefined\" srccountry=\"United States\" dstcountry=\"United States\" sessionid=REDACTED proto=6 action=\"client-rst\" policyid=0 policytype=\"local-in-policy\" service=\"HTTPSMGMT\" trandisp=\"noop\" app=\"Web Management(HTTPS)\" duration=570 sentbyte=1315775 rcvdbyte=2084318 sentpkt=18225 rcvdpkt=18092 appcat=\"unscanned\"\n```\n\n\nWhile the technical details of the suspected vulnerability are not yet known, the characteristics outlined here for malicious web management traffic provide a glimpse into the nature of a potential exploit.\n\n### Indications of opportunistic exploitation\n\nTypically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning between November 16, 2024 and the end of December 2024. Most of these sessions were short-lived, with corresponding logout events within a second or less. In some instances, multiple login or logout events occurred within the same second, with up to 4 events occurring per second.\n\nThe victimology in this campaign was not limited to any specific sectors or organization sizes. The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.\n\n### Phase 2: Reconnaissance\n\nIn the first phase of the campaign, although there were extensive login and logout events that appeared to be automated, configuration changes were nonexistent. Then, beginning on November 22, 2024, the first unauthorized configuration changes were made:\n\n```\ndate=2024-11-22 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=REDACTED tz=\"-0500\" logid=\"0100044546\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Attribute configured\" user=\"admin\" ui=\"jsconsole(1.1.1.1)\" action=\"Edit\" cfgtid=REDACTED cfgpath=\"system.console\" cfgattr=\"output[more->standard]\" msg=\"Edit system.console \"\n\ndate=2024-11-22 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=REDACTED tz=\"-0500\" logid=\"0100044546\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Attribute configured\" user=\"admin\" ui=\"jsconsole(1.1.1.1)\" action=\"Edit\" cfgtid=REDACTED cfgpath=\"system.console\" cfgattr=\"output[standard->more]\" msg=\"Edit system.console \"\n```\n\n\nSimilar configuration changes were made across a handful of victim organizations until November 27, 2024. The [output setting](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-show-more-command-output-without-pressing/ta-p/193674) referenced in these logs is used to toggle whether user interaction is needed to advance to the next page of console output. The \u201cmore\u201d setting means that interaction is required to advance long output and \u201cstandard\u201d prints out all output at once. In all intrusions, this setting was first set to \u201cstandard\u201d and then set to \u201cmore\u201d, usually within 10-30 seconds of each other.\n\nThe purpose of these changes is not known, but it may hint at threat actors\u2019 preferred mode of interacting with the web console. It is also possible that this was a simple means of verifying that access was successfully obtained to commit changes on exploited firewalls.\n\n### Phase 3: SSL VPN configuration\n\nIn the third phase of the campaign, beginning on December 4, 2024, threat actors began to make more substantial changes on compromised devices, with the goal of gaining SSL VPN access. There were several distinct approaches for how to achieve this.\n\nIn some intrusions, new super admin accounts were created, adhering to an alphanumeric naming convention consisting of 5 characters. In other intrusions, the naming convention was slightly different, with 6 randomized alphanumeric characters.\n\n```\ndate=2024-12 time=REDACTED devname=\"REDACTED\" devid=\"REDACTED\" eventtime=1733554955692189638 tz=\"-0500\" logid=\"0100044547\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Object attribute configured\" user=\"admin\" ui=\"jsconsole(127.0.0.1)\" action=\"Add\" cfgtid=REDACTED cfgpath=\"system.admin\" cfgobj=\"Dbr3W\" cfgattr=\"password[*]accprofile[super_admin]vdom[root]\" msg=\"Add system.admin Dbr3W\"\n```\n\n\nThe newly created super admin accounts were then used to create several local user accounts (up to 6 per device) with similar naming conventions, which were ultimately added to existing groups that had been previously created by victim organizations for SSL VPN access.\n\nIn other intrusions, existing accounts were hijacked by threat actors to gain SSL VPN access. As with the previous scenario, these accounts were also added to existing groups with VPN access. This included use of the guest account, which is [created by default](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Purpose-and-Function-of-the-Default-Guest-User/ta-p/272456) on FortiGate devices. The password on the guest account was reset to facilitate this process.\n\nThreat actors were also observed creating new SSL VPN portals which they added user accounts to directly. In addition, some threat actors assigned specific ports to their VPN portal configurations, changing them between different sessions. These ports included 4433, 59449, and 59450, among others.\n\nUpon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.\n\nIn most instances where firewall configuration changes were made, the ui field showed jsconsole with loopback or public DNS resolver IP addresses in parentheses (e.g., jsconsole(8.8.8.8)). However, there were several intrusions where the same field referenced other remote IP addresses, suggesting that the threat actor did not attempt to spoof their actual IP addresses in those instances. These were some of the same client IP addresses of the malicious tunnels that were later established. There were also instances where the https ui was used instead of jsconsole, and newly created accounts were used instead of the admin account for those sessions.\n\n### Phase 4: Lateral Movement\n\nIn the final phase observed in this campaign, upon successfully establishing SSL VPN access in victim organization environments, threat actors sought to extract credentials for lateral movement.\n\nDC sync was used with previously obtained domain admin credentials. The threat actors used a workstation hostname of kali. At this point, the threat actors were removed from affected environments before they could proceed any further.\n\nHow Arctic Wolf Protects Its Customers\n--------------------------------------\n\nArctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.\n\nArctic Wolf Labs has leveraged threat intelligence around this campaign to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.\n\nRemediation\n-----------\n\nIn December 2024, Arctic Wolf sent out a [security bulletin](https://arcticwolf.com/resources/blog/arctic-wolf-observes-targeting-of-publicly-exposed-fortinet-firewall-management-interfaces/) warning of the activity observed in this campaign. See our [follow-up security bulletin](https://arcticwolf.com/resources/blog/cve-2024-55591/) published on January 14, 2025 for additional remediation guidance, including version details.\n\nIn addition to locking down management interfaces, as a security best practice, regularly upgrading the firmware on firewall devices to the latest available version is advised to protect against known security issues.\n\nConclusion\n----------\n\nIn this campaign, we observed opportunistic exploitation of a handful of victim organizations. While the final objectives of the threat actor are not known, the technical details we\u2019ve provided should help defenders protect against the early stages of this campaign.\n\nAs documented in this campaign and in [several](https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/) [others](https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/), management interfaces should not be exposed on the public internet, regardless of the product specifics. Instead, access to management interfaces should be limited to trusted internal users. When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators.\n\nFrom a security best practices standpoint, these types of misconfigurations should be addressed promptly to protect against not only this vulnerability, but an entire class of other potential vulnerabilities in the future.\n\nNote: On December 12, 2024, Arctic Wolf Labs notified Fortinet about the activity observed in this campaign. Confirmation was received by FortiGuard Labs PSIRT on December 17, 2024 that the activity was known and under investigation.\n\nAcknowledgements\n----------------\n\nArctic Wolf Labs would like to acknowledge members of the Security Services team for their role in identifying this campaign. We thank Mo Sharif who identified the campaign and associated TTPs, as well as Ruben Raymundo and Trevor Daher who helped investigate the intrusions.\n\nAppendix\n--------\n\n### Tactics, Techniques, and Procedures (TTPs)\n\n\n\n* Tactic: Initial Access\n * Technique: T1190: Exploit Public-Facing Application\n * Sub-techniques or Tools: \u2022 Exploited public-facing FortiGate firewall management interfaces\n* Tactic: Persistence\n * Technique: T1136.001: Create Account: Local Account\n * Sub-techniques or Tools: \u2022 Created multiple local admin accounts\n* Tactic: T1133: External Remote Services\n * Technique: \u2022 Modified SSL VPN configurations\n * Sub-techniques or Tools: \n* Tactic: T1078.001: Valid Accounts: Default Accounts\n * Technique: \u2022 Hijacked default guest account to obtain SSL VPN access\n * Sub-techniques or Tools: \n* Tactic: Credential Access\n * Technique: T1003.006: OS Credential Dumping: DCSync\n * Sub-techniques or Tools: \u2022 The threat actors used a domain admin account to conduct a DCSync attack\n\n\n### Vulnerabilities Exploited\n\n\n\n* Vulnerability: No CVE registered\n * Use: The activity observed in this article has not been assigned a CVE as of publication.\n\n\n### Indicators of Compromise (IoCs)\n\n\n\n* Indicator: 23.27.140[.]65\n * Type: IPv4 Address\n * Description: \u2022 AS149440 \u2013 Evoxt Enterprise\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 66.135.27[.]178\n * Type: IPv4 Address\n * Description: \u2022 AS20473 \u2013 The Constant Company Llc\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 157.245.3[.]251\n * Type: IPv4 Address\n * Description: \u2022 AS14061 \u2013 Digitalocean Llc\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 45.55.158[.]47\n * Type: IPv4 Address\n * Description: \u2022 AS14061 \u2013 Digitalocean Llc\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 167.71.245[.]10\n * Type: IPv4 Address\n * Description: \u2022 AS14061 \u2013 Digitalocean Llc\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 137.184.65[.]71\n * Type: IPv4 Address\n * Description: \u2022 AS14061 \u2013 Digitalocean Llc\u2022 SSL VPN client IP address\n* Indicator: 155.133.4[.]175\n * Type: IPv4 Address\n * Description: \u2022 AS62240 \u2013 Clouvider Limited\u2022 SSL VPN client IP address\u2022 Web management interface client\n* Indicator: 31.192.107[.]165\n * Type: IPv4 Address\n * Description: \u2022 AS50867 \u2013 Hostkey B.V.\u2022 SSL VPN client IP address\n* Indicator: 37.19.196[.]65\n * Type: IPv4 Address\n * Description: \u2022 AS212238 \u2013 Datacamp Limited\u2022 Web management interface client\n* Indicator: 64.190.113[.]25\n * Type: IPv4 Address\n * Description: \u2022 AS399629 \u2013 BL Networks\u2022 Web management interface client\n\n\nDetection Opportunities\n-----------------------\n\nAs part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here.\n\n### Firewall\n\nThis campaign was identified early because external monitoring was in place for unexpected firewall configuration changes.\n\nAs described in this article, jsconsole activity was observed from a handful of anomalous IP addresses that appeared to be spoofed. Monitoring for jsconsole activity from commonly spoofed IP addresses might be helpful in responding early to such attacks. The weakness of this approach is that threat actors may choose to spoof jsconsole activity using different IP addresses in the future.\n\nAdditionally, although details of the vulnerability in this article are not yet available, monitoring for web management traffic on the WAN interface over 1MB originating from VPS hosting IP addresses may be a worthwhile means of detecting exploitation. This detection criteria could be further narrowed down by setting a minimum session duration of 100 seconds. Please note, however, that a better long-term approach to this detection would be to remove web management from the public internet entirely.\n\nFinally, given that malicious SSL VPN logins were known to take place with client IP addresses originating from VPS hosting providers, monitoring for unexpected logins from such providers would also potentially be worth exploring.\n\nAdditional Resources\n--------------------\n\nGet actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in [Arctic Wolf\u2019s 2024 Security Operations Report](https://arcticwolf.com/resource/security-operations-report/arctic-wolf-security-operations-report-2024).\n\nLearn what\u2019s new, what\u2019s changed, and what\u2019s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the [Arctic Wolf State of Cybersecurity: 2024 Trends Report](https://arcticwolf.com/resource/aw/the-state-of-cybersecurity-2024-trends-report?lb-mode=overlay).\n\nAbout Arctic Wolf Labs\n----------------------\n\n[Arctic Wolf Labs](https://arcticwolf.com/labs/) is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf\u2019s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf\u2019s customer base, but the security community at large.\n\nAuthors\n-------\n\n### Stefan Hostetler\n\nStefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.\n\n### Julian Tuin\n\nJulian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats.\n\n### Trevor Daher\n\nTrevor Daher is a Technical Lead within Arctic Wolf\u2019s Security Services group supporting the Managed Detection and Response (MDR) service.\n\n### Jon Grimm\n\nJon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has background of 10 years\u2019 experience in several domains of cybersecurity, holds a bachelor\u2019s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).\n\n### Alyssa Newbury\n\nAlyssa Newbury is a Threat Intelligence Analyst at Arctic Wolf, with over a decade of experience in tactical threat intelligence and cybersecurity. She has background working for various agencies within the intelligence community, including the FBI and NGA, and focuses primarily on researching and identifying emerging cyber threats and producing impactful finished intelligence products.\n\n### Joe Wedderspoon\n\nJoe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 7 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.\n\n### Markus Neis\n\nMarkus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.", "creation_timestamp": "2025-02-11T19:13:09.529978+00:00", "timestamp": "2025-02-12T06:51:28.393225+00:00", "related_vulnerabilities": ["CVE-2024-55591", "CVE-2022-26118", "cve-2024-55591"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}