Cyber Threat Intelligence - Week 52, 2025

ScanFortress Security
December 25, 2025
Updated December 25, 2025

🛡️ ScanFortress Weekly Threat Intelligence Report

Week 52, 2025 | December 18-25, 2025

📊 Executive Summary

This week's threat landscape reveals a concerning trend: attackers are increasingly targeting the infrastructure and authentication mechanisms that organizations trust most. Multiple critical vulnerabilities in enterprise-grade security appliances—including FortiGate SSL VPN (CVE-2020-12812), WatchGuard Firebox (CVE-2025-14733), and SonicWall Edge Access devices—are under active exploitation, with threat actors bypassing two-factor authentication and executing arbitrary code. The resurgence of older vulnerabilities like the five-year-old FortiGate flaw demonstrates that unpatched systems remain prime targets, regardless of age.

Advanced Persistent Threat (APT) groups continue to evolve their tactics: Evasive Panda is using DNS poisoning and adversary-in-the-middle (AitM) attacks to deliver malware, while new campaigns such as WebRAT abuse trusted platforms like GitHub to distribute malicious payloads disguised as security research. The discovery of NtKiller malware, advertised on dark web forums as capable of terminating antivirus and EDR solutions, signals a troubling escalation in the defensive evasion tooling available to cybercriminals.

On a positive note, law enforcement actions including INTERPOL's Operation Sentinel resulted in 574 arrests across Africa and the takedown of the RaccoonO365 phishing-as-a-service operation in Nigeria. However, with over 59,000 Next.js servers compromised in Operation PCPcat and widespread exploitation of network infrastructure vulnerabilities, organizations must prioritize comprehensive security scanning and patch management as we enter 2026.

⚠️ Critical Vulnerabilities & Threats

🔴 FortiGate SSL VPN 2FA Bypass (CVE-2020-12812)

Severity: HIGH | Status: Actively Exploited

Fortinet has confirmed active exploitation of a five-year-old authentication bypass affecting FortiOS SSL VPN. When SSL VPN users are authenticated against LDAP, a user who changes the case of their username (for example Alice instead of alice) can log in without being prompted for the second factor: the directory matches the name case-insensitively, while the rule that decides who must present a token is keyed to the exact username. Organizations running FortiGate SSL VPN with LDAP authentication should verify that they are on a FortiOS release that Fortinet's advisory for this CVE lists as fixed, and in the meantime confirm that two-factor authentication is enforced regardless of username case.

ScanFortress Impact: This is a device-side flaw that an external scan cannot confirm. Our SSL/TLS certificate validation can still help identify misconfigured VPN endpoints and ensure proper certificate implementation, but the FortiOS version and the LDAP/2FA configuration have to be checked on the appliance itself.
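The bug class behind this item is easy to reproduce in miniature. The following is an added illustration written for this report, not FortiOS code: a directory that matches usernames case-insensitively sits next to a two-factor rule keyed to the username exactly as typed, and the hardened variant canonicalizes the name once before any decision. `LDAP_USERS`, `TOKEN_REQUIRED` and the function names are this example's own assumptions.

```python
"""Why a case-insensitive directory plus a case-sensitive 2FA rule skips the token.

Added illustration, not FortiOS code: it models the class of bug behind
CVE-2020-12812 in a few lines. LDAP_USERS, TOKEN_REQUIRED and the function
names are this example's own assumptions.
"""


# Constructed directory. Real LDAP directories typically match user names
# case-insensitively, so 'Alice' and 'alice' bind as the same entry.
LDAP_USERS = {"alice": "correct-horse-battery", "bob": "hunter2"}

# Constructed two-factor policy: the set of users who must present a token.
# The vulnerable code compares against this set with the name exactly as typed.
TOKEN_REQUIRED = {"alice"}


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive bind, mirroring common directory behaviour."""
    return LDAP_USERS.get(username.lower()) == password


def authenticate_vulnerable(username: str, password: str, token_ok: bool) -> str:
    """2FA rule keyed on the raw username: 'Alice' is not in {'alice'}."""
    if not ldap_bind(username, password):
        return "denied"
    if username in TOKEN_REQUIRED and not token_ok:
        return "denied"
    return "granted"          # reached without a token when the case differs


def authenticate_hardened(username: str, password: str, token_ok: bool) -> str:
    """Canonicalize once and use the canonical name for every decision."""
    canonical = username.strip().casefold()
    if not ldap_bind(canonical, password):
        return "denied"
    if canonical in TOKEN_REQUIRED and not token_ok:
        return "denied"
    return "granted"


if __name__ == "__main__":
    # Same credentials, no token; only the capitalization differs.
    print(authenticate_vulnerable("Alice", "correct-horse-battery", token_ok=False))  # granted
    print(authenticate_hardened("Alice", "correct-horse-battery", token_ok=False))    # denied
```

The fix is not "make the policy lookup case-insensitive too"; it is to derive one canonical identity and use it for the bind, the policy lookup and the audit log, so that no two components can disagree about who just logged in.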

🔴 Evasive Panda APT DNS Poisoning Campaign

Severity: CRITICAL | Threat Actor: Evasive Panda (Bronze Highland, Daggerfly, StormBamboo)

Kaspersky researchers uncovered a two-year campaign (November 2022 to November 2024) by the Evasive Panda APT group that used DNS poisoning and adversary-in-the-middle attacks to deliver the MgBot implant. Because the group controlled the DNS answers its victims received, legitimate hostnames resolved to attacker-controlled servers and traffic that should have reached the real service was redirected there. The shellcode in the attack chain was encrypted with DPAPI and RC5, which ties the payload to the victim machine and hampers offline analysis.

ScanFortress Impact: Our DNS configuration analysis can detect anomalies in your published DNS records, including suspicious changes that may indicate compromise or poisoning attempts. Note the limit: a scan sees the answers its own resolver receives, so poisoning applied on a victim's network path shows up only when answers are compared across several vantage points.
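One concrete way to spot a redirected answer is to compare what several resolvers return against the records the zone owner intends to publish. The block below is an added example for this report, not ScanFortress's scanner: `find_dns_anomalies` flags any address outside the baseline, `BASELINE` and `OBSERVED` are constructed sample data using RFC 5737 documentation addresses, and `query_a` is a hypothetical helper that would fill `OBSERVED` from live resolvers with dig.

```python
"""Cross-resolver DNS consistency check.

Added example, not ScanFortress's scanner. A poisoned resolver path hands
back answers that disagree with the zone's intended records and with what
other vantage points see. BASELINE and OBSERVED are constructed sample data;
query_a is a hypothetical helper for filling OBSERVED from real resolvers.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed baseline: the A records the zone owner intends to publish.
BASELINE: Dict[str, Set[str]] = {
    "update.example.com": {"203.0.113.10", "203.0.113.11"},
    "www.example.com": {"203.0.113.20"},
}

# Constructed observations. resolver-b returns an address for the update
# host that the zone never published: the signature of a redirected answer.
OBSERVED: Dict[str, Dict[str, Set[str]]] = {
    "resolver-a": {"update.example.com": {"203.0.113.10", "203.0.113.11"},
                   "www.example.com": {"203.0.113.20"}},
    "resolver-b": {"update.example.com": {"198.51.100.77"},
                   "www.example.com": {"203.0.113.20"}},
    "resolver-c": {"update.example.com": {"203.0.113.10"},  # subset: fine
                   "www.example.com": {"203.0.113.20"}},
}

Finding = Tuple[str, str, str, Set[str]]  # (resolver, name, kind, addresses)


def find_dns_anomalies(baseline: Dict[str, Set[str]],
                       observed: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Report answers outside the baseline and names that got no answer.

    A resolver returning a subset of the baseline (round-robin, geo-aware
    answers) is normal and not flagged; any address the baseline does not
    contain is flagged as 'unexpected', an empty answer as 'missing'.
    """
    findings: List[Finding] = []
    for resolver, answers in sorted(observed.items()):
        for name, expected in sorted(baseline.items()):
            got = answers.get(name, set())
            if not got:
                findings.append((resolver, name, "missing", set()))
            elif got - expected:
                findings.append((resolver, name, "unexpected", got - expected))
    return findings


def query_a(resolver: str, name: str) -> Set[str]:
    """Ask one resolver for A records with dig (needs network; not run here)."""
    proc = subprocess.run(["dig", "+short", "+time=3", f"@{resolver}", name, "A"],
                          capture_output=True, text=True, check=False)
    # dig +short prints one record per line; drop CNAME targets (end with '.').
    return {line.strip() for line in proc.stdout.splitlines()
            if line.strip() and not line.strip().endswith(".")}


if __name__ == "__main__":
    for resolver, name, kind, addrs in find_dns_anomalies(BASELINE, OBSERVED):
        print(f"{resolver}: {name} {kind} {sorted(addrs)}")
```

Run from inside the network you are worried about as well as from outside it: a poisoned path is exactly the case where the two disagree. Treat a single resolver returning an address the zone never published as a high-priority finding rather than a caching quirk.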

🔴 Operation PCPcat: 59,000+ Next.js Servers Compromised

Severity: CRITICAL | Scale: 59,000+ affected servers

A massive credential-stealing campaign has compromised over 59,000 Next.js servers worldwide by exploiting critical vulnerabilities in React and Next.js. Attackers harvest authentication data at industrial scale; researchers who obtained access to the campaign's command-and-control infrastructure reported operational metrics that show how far it has spread. The campaign specifically targets web applications built with Next.js and React.

ScanFortress Impact: Our common web vulnerabilities detection can identify outdated frameworks and vulnerable configurations that make applications susceptible to these attacks.

🔴 WebRAT Malware Distributed via GitHub

Severity: HIGH | Distribution: Social Engineering via GitHub

A new campaign distributes the WebRAT remote access trojan through GitHub repositories, masquerading as proof-of-concept exploits and critical vulnerability demonstrations to target cybersecurity researchers. The multi-functional RAT and information stealer uses deceptive social engineering tactics involving popular code repositories and video platforms to lure victims into executing malicious code.

ScanFortress Impact: While primarily targeting researchers, compromised websites may be used in the distribution chain. Our security scanning can detect suspicious scripts and malicious code injection.

🟡 Net-SNMP Buffer Overflow (CVE-2025-68615)

Severity: CRITICAL (CVSS 9.0+) | Component: snmptrapd daemon

A buffer overflow in Net-SNMP's snmptrapd daemon allows remote attackers to crash the service with specially crafted packets. The impact described is denial of service: a crashed trap receiver silently stops receiving traps, which can hide other activity across an enterprise environment. The vulnerability affects releases prior to the fix and was reported by security researcher Buddurid working with Trend Micro's Zero Day Initiative.

🔍 Threats Detectable by ScanFortress

Our automated security scanning platform can help identify several vulnerabilities and misconfigurations related to this week's threat intelligence.

🛡️ Protect Your Website Today

ScanFortress provides comprehensive detection for:

  • 🔒 DNS Configuration Anomalies: Our DNS analysis can detect suspicious changes or misconfigurations that may indicate DNS poisoning attempts similar to the Evasive Panda APT campaign. Regular monitoring helps identify unauthorized DNS record modifications.
  • 🔐 SSL/TLS Certificate Validation: Comprehensive certificate analysis ensures proper implementation and can flag unexpected certificates or issuers on your endpoints. It is a useful signal for AitM attacks like those used by Evasive Panda, with the caveat that an interception applied selectively on a victim's path will not be visible from the scanner's own vantage point.
  • 🛡️ Security Headers Verification: Our scanners check for proper implementation of Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and other critical headers that mitigate script injection (CSP), protocol downgrade (HSTS) and clickjacking (X-Frame-Options or CSP frame-ancestors).
  • 🍪 Cookie Security Analysis: Identifies insecure cookie configurations that could lead to session hijacking, particularly relevant given the credential-stealing campaigns like Operation PCPcat.
  • ⚠️ Outdated Framework Detection: Our vulnerability scanning can identify outdated or vulnerable versions of web frameworks including React and Next.js, helping prevent exploitation similar to Operation PCPcat.
  • 🔍 Malicious Script Detection: Scans for suspicious JavaScript and code injection that could indicate compromise by malware distribution campaigns like WebRAT.
  • 📋 Common Web Vulnerability Assessment: Comprehensive scanning for OWASP Top 10 vulnerabilities, misconfigurations, and security weaknesses that attackers exploit in credential-stealing campaigns.

🚀 Don't wait for a breach to discover vulnerabilities!

Run a comprehensive ScanFortress security scan today to identify potential weaknesses before attackers do. Our automated platform provides actionable insights within minutes.

✅ Recommendations & Best Practices

🔧 Immediate Actions

  • Patch Critical Infrastructure: Immediately update FortiGate, WatchGuard, SonicWall, and other edge devices. Prioritize systems with active exploitation evidence.
  • Audit LDAP Configurations: Review LDAP-backed SSL VPN settings so that the two-factor requirement is applied to the canonical account regardless of the case in which the username is typed.
  • Verify DNS Integrity: Conduct DNS configuration audits to detect unauthorized changes or poisoning indicators.
  • Update Web Frameworks: Ensure Next.js, React, and other JavaScript frameworks are current to prevent exploitation like Operation PCPcat.
  • Review 2FA Implementation: Verify that two-factor authentication cannot be bypassed through configuration weaknesses.

🛡️ Security Posture Improvements

  • Implement Regular Security Scanning: Use automated tools like ScanFortress to continuously monitor for vulnerabilities, misconfigurations, and security weaknesses.
  • Deploy Comprehensive Security Headers: Ensure proper implementation of CSP, HSTS, X-Frame-Options, and other protective headers.
  • Enable Cookie Security Flags: Configure HttpOnly, Secure, and SameSite attributes on all authentication cookies.
  • Monitor DNS Resolution: Implement DNS monitoring to detect poisoning attempts and unauthorized record changes.
  • Validate SSL/TLS Configurations: Regular certificate audits catch expired, misissued or unexpected certificates, help detect man-in-the-middle attempts, and keep encryption properly configured.
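The header and cookie items above are checkable from a single response. The block below is an added example written for this report, not ScanFortress's scanner: it parses a raw HTTP response header block, reports missing protective headers, a short HSTS max-age, missing clickjacking protection and cookies without Secure, HttpOnly or SameSite, and shows a weak response next to a hardened one. `WEAK_RESPONSE`, `HARDENED_RESPONSE` and the one-year HSTS threshold are constructed for the example.

```python
"""Audit of protective headers and cookie flags in an HTTP response.

Added example, not ScanFortress's scanner. It parses a raw response header
block and reports missing headers, a short HSTS max-age, missing clickjacking
protection and cookies without Secure, HttpOnly or SameSite.
WEAK_RESPONSE and HARDENED_RESPONSE are constructed samples.
"""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # assumed minimum HSTS max-age worth deploying, in seconds

# Constructed: a typical under-configured response.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "X-Powered-By: Next.js\r\n"
    "\r\n"
)

# Constructed: the same response with every finding below addressed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lowercase header name -> list of values (Set-Cookie repeats)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:        # skip the status line
        if not line:
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str) -> List[str]:
    """Return one human-readable finding per weakness; empty list means clean."""
    h = parse_headers(raw)
    findings: List[str] = []

    csp = " ".join(h.get("content-security-policy", []))
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-content-type-options" not in h:
        findings.append("missing X-Content-Type-Options: nosniff")

    hsts = " ".join(h.get("strict-transport-security", []))
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("missing Strict-Transport-Security max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age={m.group(1)} is below one year")

    # Clickjacking: either header works; CSP frame-ancestors supersedes XFO.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            findings.append(f"cookie {name!r} lacks {', '.join(missing)}")

    if "x-powered-by" in h:
        findings.append("X-Powered-By discloses the framework")
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

Feed it the headers of a real response (for instance the output of `curl -sI https://host/`) and treat any non-empty result on a login or session-setting page as a defect to fix before the next scan.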

📋 Operational Best Practices

  • Establish Patch Management Cadence: Create systematic processes for identifying, testing, and deploying security patches within defined timeframes.
  • Conduct Security Awareness Training: Educate teams about social engineering tactics, especially those targeting security professionals via GitHub and code repositories.
  • Implement Network Segmentation: Isolate critical systems to limit lateral movement if perimeter defenses are breached.
  • Deploy EDR with Tamper Protection: Use endpoint detection and response solutions with protections against termination attempts like NtKiller.
  • Maintain Asset Inventory: Keep current records of all internet-facing assets, frameworks, and versions to facilitate rapid vulnerability assessment.

🔍 Detection & Monitoring

  • Enable Comprehensive Logging: Ensure authentication attempts, DNS queries, and configuration changes are logged and monitored.
  • Implement Anomaly Detection: Deploy systems to identify unusual authentication patterns, DNS resolution behavior, or network traffic.
  • Monitor GitHub/Code Repositories: If your organization uses public repositories, monitor for suspicious forks or references that could indicate targeting.
  • Regular Vulnerability Assessments: Schedule recurring security scans to identify new vulnerabilities as they emerge.
  • Threat Intelligence Integration: Subscribe to threat feeds and integrate indicators of compromise (IoCs) into security monitoring systems.
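The "unusual authentication patterns" item has a concrete shape for the FortiGate 2FA bypass described earlier: one account appearing under two spellings that differ only by case, followed by a success that carried no second factor. The block below is an added detection example written for this report, not vendor content; `SAMPLE_LOG` is constructed in a generic key=value layout rather than any product's native log format, and the field names are assumptions.

```python
"""Detection: the same account logging in under different capitalizations.

Added example, not vendor detection content. SAMPLE_LOG is constructed in a
generic key=value format, not any product's native log format, and the field
names (src, user, result, 2fa) are this example's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed events. 'alice' is challenged for a token, then 'Alice' from the
# same source succeeds with no token at all. 'bob' is never challenged, which
# in this data set means he is simply not enrolled, so he must not alert.
SAMPLE_LOG = """\
2025-12-20T10:01:02Z src=198.51.100.5 user=alice result=failed 2fa=challenged
2025-12-20T10:01:40Z src=198.51.100.5 user=Alice result=success 2fa=none
2025-12-20T10:05:00Z src=203.0.113.9 user=bob result=success 2fa=none
2025-12-20T10:07:13Z src=203.0.113.9 user=carol result=success 2fa=passed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) 2fa=(?P<twofa>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse key=value lines; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def case_variants(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """(source, canonical user) -> every spelling seen from that source."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        seen[(e["src"], e["user"].casefold())].add(e["user"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def bypass_candidates(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Successes with no second factor for an account that is otherwise challenged.

    Requiring both conditions (a case variant from the same source and a prior
    2FA challenge for the canonical account) keeps unenrolled users quiet.
    """
    variants = case_variants(events)
    challenged = {e["user"].casefold() for e in events
                  if e["twofa"] in ("challenged", "passed")}
    hits = []
    for e in events:
        canon = e["user"].casefold()
        if (e["result"] == "success" and e["twofa"] == "none"
                and canon in challenged and (e["src"], canon) in variants):
            hits.append((e["ts"], e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    for ts, src, user in bypass_candidates(parse_log(SAMPLE_LOG)):
        print(f"{ts} {src} {user}: success without second factor under a case variant")
```

The same logic ports directly to a SIEM query: group by source and case-folded username, count distinct raw spellings, and join against successes whose second-factor field is empty. Expect the first rule on its own to be noisy (users do mistype their own names); the second condition is what turns it into an alert worth paging on.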

🎯 Take Action Now

Don't become another statistic in next week's threat report. The vulnerabilities and attack techniques described above are actively being exploited right now. ScanFortress provides the automated, comprehensive security scanning your website needs to stay protected.

Start your free security scan today and receive a detailed report identifying vulnerabilities, misconfigurations, and actionable recommendations to strengthen your security posture.

🔒 Remember: Regular security scanning isn't just a best practice—it's essential protection against the evolving threat landscape. Make 2026 the year your website security becomes proactive, not reactive.

📅 Next Report: Week 1, 2026 (January 1-8, 2026)
