
In this edition of the SOC Threat Radar, Barracuda Managed XDR’s security solutions, threat intelligence, and SOC analysts highlight key developments from the past month that organizations should have on their radar, including:
- A 38% rise in attacks targeting FortiGate Firewall VPN services
- A 26% rise in attempted data exfiltration
- A 47% rise in the detection of “packed” malware
- Security warnings for the CrushFTP and Next.js vulnerabilities
A 38% rise in attacks targeting FortiGate Firewall VPN services
What’s behind this?
SOC threat analysts have seen hundreds of attacks trying to exploit the reported FortiGate Firewall vulnerabilities in the last two months, with threat actors targeting poorly secured VPN tunnels for initial access into organizations.
What is the risk?
The FortiGate bugs allow attackers to bypass authentication and gain full administrative privileges on vulnerable devices. With that access they can change firewall settings, create malicious admin accounts, reach internal networks, and more. For the victim, the attack can lead to data breaches, reputational damage, regulatory fines and ransomware attacks, as described in the recently published RansomHub SOC case file.
Am I exposed?
- Organizations may be at risk if they have FortiGate Firewalls in place but have not yet fully updated the software as recommended by Fortinet.
- Another risk factor is a lack of robust — and consistently enforced — multifactor authentication (MFA) measures, especially on VPN accounts that are accessible externally.
- A remote or distributed workforce can mean a greater dependence on VPN services, which are a popular target for attackers. The more employees, contractors and others who can connect to the network from outside the main security perimeter, the bigger the attack surface for threat actors.
Action to take
- Keep systems and software updated with the latest security patches.
- Enforce the use of MFA for VPN access — it makes it harder for attackers to gain access even if they’ve successfully compromised user credentials, for example through a phishing or brute-force attack.
- Implement geo-fencing or conditional access policies to only permit VPN connections from authorized locations where your organization does business.
- Install comprehensive, layered defenses with integrated and extended visibility.
- Barracuda Managed XDR features like threat intelligence, Automated Threat Response, and the integration of wider solutions such as XDR Server Security, XDR Network Security and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.
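The two detections a SOC would want behind the MFA and geo-fencing advice above are a failed-login burst from one source (especially one followed by a success) and a successful VPN login from a country where the organization does not operate. The script below is an added example, not Barracuda's or Fortinet's code: the log line format, the country lookup table, the allow-list and the thresholds are all constructed for illustration. A real deployment would parse the firewall's own VPN event log and resolve source addresses against a GeoIP database.

```python
"""Triage of VPN authentication events for brute force and out-of-region logins.

Added example (not Barracuda code, not Fortinet's log format): the log format,
the country lookup and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2025-04-02T08:00:01 203.0.113.7 jsmith fail
2025-04-02T08:00:03 203.0.113.7 jsmith fail
2025-04-02T08:00:05 203.0.113.7 jsmith fail
2025-04-02T08:00:06 203.0.113.7 jsmith fail
2025-04-02T08:00:08 203.0.113.7 jsmith fail
2025-04-02T08:00:11 203.0.113.7 jsmith success
2025-04-02T08:15:00 198.51.100.21 rlee success
2025-04-02T09:30:44 192.0.2.55 akim success
"""

# Constructed lookup standing in for a GeoIP database (assumption).
GEO = {"203.0.113.7": "XX", "198.51.100.21": "US", "192.0.2.55": "DE"}
ALLOWED_COUNTRIES = {"US", "DE"}   # where the business operates (assumption)

FAIL_THRESHOLD = 5                  # failures per source within the window
WINDOW = timedelta(minutes=5)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_bruteforce(events):
    """Return {src_ip: {"failures": n, "success_after": bool}} for sources
    that exceed FAIL_THRESHOLD failures inside a sliding WINDOW."""
    by_src = defaultdict(list)
    for ts, ip, _user, result in events:
        by_src[ip].append((ts, result))
    hits = {}
    for ip, evs in by_src.items():
        evs.sort()
        window_fails = []          # timestamps of recent failures
        for ts, result in evs:
            if result == "fail":
                window_fails.append(ts)
                window_fails = [t for t in window_fails if ts - t <= WINDOW]
                if len(window_fails) >= FAIL_THRESHOLD:
                    hit = hits.setdefault(ip, {"failures": 0, "success_after": False})
                    hit["failures"] = max(hit["failures"], len(window_fails))
            elif result == "success" and ip in hits:
                # A success right after a failure burst is the classic sign of
                # a brute-force or password-spraying attack that worked.
                hits[ip]["success_after"] = True
    return hits


def find_out_of_region(events):
    """Successful logins whose source country is outside the allow-list."""
    return [(ip, user, GEO.get(ip, "??")) for _, ip, user, result in events
            if result == "success" and GEO.get(ip) not in ALLOWED_COUNTRIES]


def triage(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"bruteforce": find_bruteforce(events),
            "out_of_region": find_out_of_region(events)}


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(kind, findings)
```

With MFA enforced, a success after a burst of failures should never occur without a second factor being satisfied, which is exactly why the "success_after" flag deserves an immediate look; a geo-fence or conditional-access policy would have blocked the out-of-region login before it reached the log.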
A 26% rise in attempted data exfiltration
What’s behind this?
Over the last month, SOC threat analysts have seen a 26% rise in data exfiltration activities as threat actors increasingly shift their focus from data encryption to simply stealing sensitive or confidential data and extorting victims for money to avoid leaking or selling the information.
What is the risk?
- The removal of sensitive data can mean the loss of valuable intellectual property and competitive advantage, financial impact, reputational damage, data breaches, regulatory fines and more.
- Data exfiltration is often carried out using stealthy techniques such as compression, steganography (hiding content inside a text, audio, video or image file), tunnelling (encapsulating the stolen data inside a protocol the network already allows, such as DNS or HTTPS) or moving data out slowly, in small amounts, so that it uses little bandwidth and blends in with ordinary traffic. These techniques can make it hard for traditional security tools to spot unauthorized data transfers.
- Data exfiltration can also be carried out by insiders such as employees or contractors who might have legitimate access to sensitive information.
- Phishing attacks and social engineering can trick unwary employees into inadvertently supporting data exfiltration by sharing or moving confidential files, for example.
- Attackers can also use backdoors they’ve installed or exploit vulnerabilities to bypass defenses and exfiltrate data without detection.
Am I exposed?
- Weak network protection and misconfigured security settings — especially for cloud-based assets — can make it easier for attackers to move information out of the network.
- No up-to-date inventory of tools and applications can be a risk as well. Attackers often install or leverage legitimate tools to move data through and out of the network. It’s important to know which applications and tools are being used by employees, what they’re using the tools for, and whether there are any anomalies.
- Unpatched software bugs are a top target for attackers looking to install malicious tools such as backdoors.
- A lack of security awareness training for employees could mean they’re more likely to fall for phishing scams and to share sensitive or confidential information when asked.
Action to take
- Implement strict controls to limit access to sensitive data.
- Set additional controls to monitor and control data transfers in and out of the business.
- Educate employees on how to spot phishing and protect sensitive data.
- Segment networks and implement zero-trust security measures to limit the ability of unwanted intruders to get to your most sensitive data.
- XDR Endpoint Security and XDR Network Security can protect systems by detecting and mitigating anomalous activity associated with attackers trying to move data out of the network.
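Two of the exfiltration patterns described above only become visible when the right aggregation is applied: a slow, low-volume transfer looks harmless per connection but not per host per day, and DNS tunnelling looks like ordinary name resolution until the number and shape of the subdomains queried under one domain are examined. The script below is an added example, not Barracuda's code: the flow records, DNS queries, per-host baselines and thresholds are constructed for illustration, and the registered-domain split is simplified (a real implementation would use the public suffix list and baselines derived from historical traffic).

```python
"""Detection logic for slow-and-low exfiltration and DNS tunnelling.

Added example, not Barracuda code. Flow records, DNS queries, baselines and
thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed outbound flow records: (host, dest, bytes_out). Each transfer
# from "ws-17" is small, but there are hundreds of them over the window.
FLOWS = [("ws-17", "203.0.113.9", 48_000)] * 400 + [
    ("ws-03", "198.51.100.5", 2_500_000),   # one ordinary large upload
    ("ws-03", "198.51.100.5", 900_000),
]

# Constructed per-host daily outbound baseline in bytes (assumption; derived
# from history in practice).
BASELINE = {"ws-17": 3_000_000, "ws-03": 5_000_000}
RATIO_THRESHOLD = 3.0          # flag a host sending more than 3x its baseline

# Constructed resolver-log entries: (host, qname). The ws-17 names carry an
# encoded 32-character leftmost label, as a tunnelling client would produce.
DNS = [("ws-17", f"{i:012x}{'x' * 20}.t.example-tunnel.net") for i in range(60)] + [
    ("ws-03", "www.example.com"),
    ("ws-03", "mail.example.com"),
    ("ws-03", "cdn.example.com"),
]
UNIQUE_SUB_THRESHOLD = 50      # distinct names per (host, registered domain)
LABEL_LEN_THRESHOLD = 30       # average length of the leftmost label


def slow_and_low(flows, baseline, ratio=RATIO_THRESHOLD):
    """Sum bytes per host over the whole window and compare to its baseline.
    Returns {host: multiple_of_baseline} for hosts over the ratio."""
    totals = defaultdict(int)
    for host, _dest, nbytes in flows:
        totals[host] += nbytes
    return {h: round(t / baseline[h], 2) for h, t in totals.items()
            if h in baseline and t > ratio * baseline[h]}


def registered_domain(qname):
    # Simplified: last two labels. Real code would use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def dns_tunnel_candidates(queries):
    """Return (host, domain, unique_names, avg_label_len) for domains under
    which a host queried many distinct names with long leftmost labels."""
    seen = defaultdict(set)
    for host, qname in queries:
        seen[(host, registered_domain(qname))].add(qname)
    findings = []
    for (host, domain), names in seen.items():
        avg_label = sum(len(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= UNIQUE_SUB_THRESHOLD and avg_label >= LABEL_LEN_THRESHOLD:
            findings.append((host, domain, len(names), round(avg_label, 1)))
    return findings


if __name__ == "__main__":
    print(slow_and_low(FLOWS, BASELINE))
    print(dns_tunnel_candidates(DNS))
```

Per-connection thresholds miss ws-17 entirely (48 KB at a time is nothing); only the daily sum against the host's own baseline exposes it. Likewise, no single DNS query is suspicious, but sixty distinct 32-character labels under one domain from one workstation is not how browsers resolve names.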
A 47% rise in the detection of “packed” malware
What’s behind this?
SOC threat analysts have identified a growing use of “packed” malware — malicious code that has been compressed or encrypted to evade detection. The examples seen by SOC analysts were executable or binary files packed with UPX (Ultimate Packer for eXecutables). UPX is a legitimate open-source packer that is also used by benign software, so a UPX-packed file is an indicator worth investigating rather than proof of malice on its own.
What is the risk?
Although the overall number of detections is relatively low, the SOC threat analysts expect the use of packed malware to increase.
- This is driven by the widespread availability of automated packing tools that make it easier for even less skilled attackers to create concealed malicious code.
- Ransomware attacks often involve packed malware to keep the final encryption payload hidden until it is ready to execute.
- Traditional security tools can struggle to detect packed malware since the malicious code is kept hidden.
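The reason signature-based tools struggle is that the malicious code is only present in memory after the packer's stub runs; on disk there is compressed or encrypted data. Packing does leave structural traces, however, which is what the triage below looks for: the UPX0/UPX1 section names, the "UPX!" marker UPX writes into packed files, and the near-maximal Shannon entropy of a compressed section. The script is an added example, not Barracuda's code, and works only from the PE/COFF header layout; the PE image it scans is constructed in memory to have the shape of a UPX-packed binary (it is not a real executable), and the 7.0 bits/byte entropy threshold is an assumption.

```python
"""Triage for UPX-packed PE files: section names, the "UPX!" marker and
per-section Shannon entropy.

Added example, not Barracuda code. The PE image below is constructed to look
like a UPX-packed binary and is not a real executable.
"""
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.0   # bits/byte (assumption); compressed data sits near 8


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Yield (name, raw_offset, raw_size) for each section table entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                          # COFF file header
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                 # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, raw_ptr, raw_size


def scan(pe):
    """Return packing indicators for a PE image held in memory."""
    sections = list(parse_sections(pe))
    high_entropy = []
    for name, ptr, size in sections:
        ent = shannon_entropy(pe[ptr:ptr + size])
        if size and ent >= ENTROPY_THRESHOLD:
            high_entropy.append((name, round(ent, 2)))
    names = {name for name, _, _ in sections}
    return {
        "upx_sections": sorted(names & PACKER_SECTION_NAMES),
        "upx_marker": b"UPX!" in pe,
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(names & PACKER_SECTION_NAMES) or bool(high_entropy),
    }


def build_sample_pe():
    """Constructed minimal PE with the section layout of a UPX-packed file."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    opt_size = 224
    data_off = 0x40 + 4 + 20 + opt_size + 40 * 3           # first byte after the section table
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # DOS header, e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x102)
    pe += b"\0" * opt_size                                  # optional header (contents unused here)
    for name, vsize, vaddr, rsize, rptr in [
        (b"UPX0", 0x8000, 0x1000, 0, 0),                    # unpacking area: virtual only, no raw data
        (b"UPX1", 0x1000, 0x9000, len(payload), data_off),  # compressed payload plus stub
        (b".rsrc", 0x200, 0xA000, 0x200, data_off + len(payload)),
    ]:
        pe += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0xE0000040)
    pe += payload
    pe += b"UPX!" + b"\0" * 0x1FC                           # resource section carrying the marker
    return bytes(pe)


if __name__ == "__main__":
    print(scan(build_sample_pe()))
```

Section names and the marker are trivial for an attacker to strip or rename, which is why the entropy measure matters: a section that is both executable and near 8 bits/byte has to be decompressed or decrypted before it can run, whatever it is called. Treat the result as a reason to detonate the file in a sandbox or watch its process for the unpacked image in memory, not as a verdict.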
Am I exposed?
- A remote or distributed workforce dependent on VPNs and significant cloud-based assets can increase the number of potentially under-protected, vulnerable access points for attackers to target.
Action to take
- Implement advanced endpoint protection such as Barracuda Managed XDR Cloud Security.
- Keep systems and software updated with the latest security patches.
- Implement MFA for VPN access — it makes it harder for attackers to gain access even if they’ve successfully compromised user credentials, for example through a phishing or brute-force attack.
- Continuously check for and correct misconfigurations in cloud service settings.
- Use network segmentation to limit access to sensitive areas of the network.
- Implement comprehensive, layered defenses with integrated and extended visibility.
Other current threat activity to be aware of
Critical CrushFTP vulnerability
CrushFTP is a multi-platform file transfer server used by home users and organizations. In April, researchers reported a critical vulnerability that enables attackers to bypass authentication and access the file transfer server without credentials. With that access they can manipulate files, exfiltrate data and disrupt services. Before patches were widely available, researchers published a proof-of-concept exploit. Threat actors quickly seized the opportunity, and SOC threat analysts and others have since seen the vulnerability exploited in the wild.
Action to take
Update CrushFTP to a patched version immediately, and review your CrushFTP setup, including passwords, user permissions and server access rights.
For more information
Barracuda Cybersecurity Threat Advisory: Critical CrushFTP vulnerability
Critical Next.js vulnerability
Next.js is a framework for building fast, user-friendly web applications and websites. The newly reported critical vulnerability allows attackers to bypass authorization checks performed in Next.js “middleware” — code that runs before a request reaches the application and controls access to certain parts of it. Successful exploitation gives attackers access to restricted areas of a web application without proper permissions, enabling them to manipulate data, change configurations or compromise the integrity of the application.
Action to take
Update Next.js and all its dependencies to the latest version, and implement robust access and authentication controls. Do not rely on middleware alone for authorization: enforce the access check again in the route handlers and API endpoints themselves, so that a request which skips the middleware layer is still refused.
For more information
Barracuda Cybersecurity Threat Advisory: Critical Next.js vulnerability
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, and a 24/7/365 SOC team, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.
This article was originally published at Barracuda Blog.
Photo: fizkes / Shutterstock
This post originally appeared on Smarter MSP.