Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibit suspicious update activity across client environments.
Apr 18 - 3 Min Read
Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.
Apr 14 - 9 Min Read
Beazley Security has seen attackers disabling EDR solutions leveraging Windows Defender Access Control Policies in the wild. 🫨
Mar 6 - 3 Min Read
Threat Actor abusing free Cloudflare Argo Tunnels for C2 contained by Beazley Security MDR.
Nov 13 - 9 Min Read
Fog ransomware is a relatively new ransomware family first reported in June 2024, targeting mainly the education sector. Most of the victim organizations are in the education sector, with the majority of them located in the United States.
Oct 5 - 3 Min Read
More research coming soon. In the meantime, check out our advisories.
On January 12th, 2025, Microsoft published an advisory regarding a critical vulnerability in their Remote Desktop Services product. The vulnerability is due to a race condition that can lead to memory corruption. If successfully exploited, an attacker can achieve remote code execution (RCE) on a victim server.
May 21 - 3 Min Read
On April 24, 2025, software company SAP published an advisory regarding a critical vulnerability embedded within a component of their NetWeaver product (CVE-2025-31324). On May 15, 2025, CISA added a related, critical SAP NetWeaver deserialization vulnerability (CVE-2025-42999) to its KEV list.
May 20 - 4 Min Read
On May 13th, Fortinet published an advisory regarding a critical buffer overflow vulnerability identified as CVE-2025-32756 affecting FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera devices. If exploited successfully, the vulnerability could allow unauthenticated attackers to execute arbitrary code or commands via malicious HTTP cookies.
May 15 - 6 Min Read
On May 1st, watchTowr Labs published an article detailing new information on two previously reported critical vulnerabilities in SonicWall SMA: CVE-2024-38475 and CVE-2023-44221. These vulnerabilities are an arbitrary file read and a command injection, and successful combined exploitation of them would grant a threat actor remote code execution (RCE) on a target device. Both vulnerabilities were added to the CISA KEV on the same day, and Beazley Security is aware of active “In the Wild” exploitation of these vulnerabilities.
May 1 - 10 Min Read
On or about April 3rd, 2025, a critical deserialization vulnerability in Gladinet’s CentreStack and Triofox platforms was publicly released as CVE-2025-30406. The vulnerability arises from the use of hardcoded machineKey values in the underlying Internet Information Services (IIS) configuration files of both products.
Apr 17 - 4 Min Read