
February Cyber Threat Download™

Pondurance
February 12, 2026

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Escalated Microsoft 365 configuration review

An escalated Microsoft 365 configuration review is a relatively new offering from the digital forensics and incident response team. During such a review, the team analyzes the technical settings of a client's environment, outside of any potential event, to reduce the risk of a compromise. The review allows the team to provide insights about technical hardening to strengthen the security posture of the environment. 


As a case study, the team shared information about a recent configuration review performed for a national insurance company. For the review, team members conducted an analysis based on the Cybersecurity and Infrastructure Security Agency's secure configuration baseline policy and conducted a high-level review of recent login data for all users, looking for suspicious activity involving IP addresses, internet service providers, user agent strings, and other known indicators of compromise. They observed the Axios user agent in use as part of a phish kit, a tool that can allow threat actors to automate account takeovers and help them evade detection, exfiltrate data, and even bypass multifactor authentication. The team reviewed the user session IDs to gauge the legitimacy of the activity. All of the session IDs were new, indicating malicious activity, and the client verified this conclusion.


The team worked with the client to escalate a full business email compromise investigation where team members conducted password resets and session revocations. In addition, the team provided deeper insights than a typical Microsoft 365 configuration review provides to keep the client safe from similar threats moving forward.
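The login review described above, as an added example that is not part of the original post: sample sign-in records and a baseline of known session IDs are constructed here, and the script flags sign-ins that use a scripted user agent such as Axios, that carry a session ID never seen for that user, or both.

```python
import re

# Constructed sample sign-in records (not real client data). The fields mirror what a
# Microsoft 365 sign-in export exposes: user, source IP, user agent string, session id.
SIGN_INS = [
    {"user": "alice@example.test", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "session_id": "sess-a1"},
    {"user": "alice@example.test", "ip": "198.51.100.7",
     "user_agent": "axios/1.6.2", "session_id": "sess-z9"},
    {"user": "bob@example.test", "ip": "203.0.113.22",
     "user_agent": "axios/1.5.0", "session_id": "sess-b1"},
    {"user": "carol@example.test", "ip": "192.0.2.5",
     "user_agent": "Microsoft Office/16.0 (Windows NT 10.0)", "session_id": "sess-c7"},
]

# Session ids each user was seen with during the baseline window (constructed).
KNOWN_SESSIONS = {
    "alice@example.test": {"sess-a1"},
    "bob@example.test": {"sess-b1"},
    "carol@example.test": {"sess-c1"},
}

# Scripted HTTP-client user agents that should not appear in a workforce's interactive
# sign-ins. Only Axios is listed here; extend the pattern with other clients as needed.
SCRIPTED_UA = re.compile(r"\baxios/", re.IGNORECASE)

def review_sign_ins(sign_ins, known_sessions):
    """Return (user, session_id, severity, reasons) for sign-ins needing analyst follow-up.

    A scripted user agent together with a session id never seen for that user is the
    combination the review above treated as malicious; either signal alone is worth a
    look but may be benign (an approved integration, a genuinely new device).
    """
    findings = []
    for rec in sign_ins:
        reasons = []
        if SCRIPTED_UA.search(rec["user_agent"]):
            reasons.append("scripted user agent")
        if rec["session_id"] not in known_sessions.get(rec["user"], set()):
            reasons.append("new session id")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append((rec["user"], rec["session_id"], severity, reasons))
    return findings

if __name__ == "__main__":
    for user, sid, severity, reasons in review_sign_ins(SIGN_INS, KNOWN_SESSIONS):
        print(f"{severity:6} {user} {sid}: {', '.join(reasons)}")
```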


Notable vulnerabilities

As many as 5,485 newly disclosed vulnerabilities were reported in December 2025, a steep increase from November. Twenty-two of the vulnerabilities were actively exploited in products from a wide range of vendors, including Meta, Array Networks, Fortinet, Microsoft, Google, Gladinet, and ASUS, to name a few. Proof-of-concept code was released for 11 of the vulnerabilities, making the information available for threat actors to use for exploitation.


The team discussed in detail the React2Shell remote code execution vulnerability. The React2Shell vulnerability targets React Server Components versions 19, 19.1, 19.1.1, and 19.2, which also affects specific server-side packages and indirectly affects frameworks that use React Server Components. The vulnerability is a deserialization flaw in which the structure of incoming Flight payloads is improperly validated. To execute an attack, the threat actor sends a specially crafted HTTP request containing malformed Flight stream data. The server deserializes and processes the request, allowing attacker-controlled data to influence the server-side execution logic. Remote code execution occurs with the privileges of the Node.js process. Honeypots recorded malicious activity, including brute-force attacks, from 40 unique IP addresses. Two China-based threat actors, Earth Lamia and Jackpot Panda, and a few North Korea-linked threat actors are responsible for the 1,124 exploitation attempts.


During Microsoft Patch Tuesday in December, 57 reported vulnerabilities were addressed. Two of those were critical vulnerabilities, both involving remote code execution and the compatibility field. Three were zero-days: a Windows Cloud Files Mini Filter Driver vulnerability, an elevation of privilege flaw that was successfully exploited in the wild; a GitHub Copilot for JetBrains vulnerability; and a PowerShell vulnerability.


In January, 114 reported vulnerabilities were addressed during Microsoft Patch Tuesday, exactly double the number from December. Of those 114, eight were critical vulnerabilities, and three were zero-days. Most of the eight critical vulnerabilities affected the Microsoft Office suite, Windows LSASS, and virtualization-based security components. The zero-days included a Desktop Window Manager vulnerability, which was exploited in the wild, an Agere soft-modem driver vulnerability, and a Secure Boot certificate vulnerability.


SOC use of AI

The security operations center (SOC) team receives frequent questions from clients about artificial intelligence (AI). Clients want to know how Pondurance is implementing AI technology, so the team provided answers. The team does not see AI as a replacement for human analysts. Rather, the team views AI as another tool to assist with investigations and responses to cybersecurity alerts.


The SOC team explained a few specific ways it uses AI:


  • Streamline the workflow. The SOC team is always looking for ways to improve its workflow to increase accuracy and efficiency — and AI can help. AI technology can assist with deduplication of events across different alerting source types to reduce the alert volume in the queue. Also, AI can correlate related events across multiple sources into one alert that includes all the available context. This correlation allows for speedier investigations, provides more valuable context about what is happening, and allows the SOC analyst to investigate and come to a better disposition.


  • Understand normal behavior. The SOC team currently uses client feedback and alert history to understand what "normal" looks like for a client's environment, but it can sometimes be a challenge. AI's learnings from past activity can expedite the process of determining if an alert is a false positive or requires escalation, allowing the team to quickly take appropriate action. 


  • Use cross-customer threat intelligence. The SOC team applies what it has learned about one client to other clients to help keep them safe. Now, AI can help by constantly searching for indicators of compromise across all Pondurance clients. That way, the SOC team can more quickly identify phishing campaigns and other activities that are being exploited in the wild across the entire client base to allow for faster remediation.


The team also discussed how its analyst-in-the-loop model for using AI protects the human experience. AI works as a powerful tool to aid analysts during day-to-day operations, not replace analysts. Team members always use a trust but verify approach, meaning that they trust the technology but don't use AI as a decision-maker and do confirm the accuracy and completeness of the AI information before moving it forward. The team believes in protecting human interaction, human response, and human experience throughout the process.


In addition, the SOC team uses AI as a means of improvement and development. Team members work alongside AI and large language models to review suspect commands and scripts, pair AI with their existing threat intelligence feeds to provide additional avenues for event investigation and threat hunting, reference existing LogScale queries to assist with searches and dashboard logic improvement, and use the technology for technical report writing assistance.


Password blocklist

Implementing a password blocklist is a simple way for clients to make sure that employees are using strong passwords for logins. A blocklist is a tool that checks an employee's proposed password against a list of weak or common passwords, usually based on the data compiled for haveibeenpwned.com. If the employee's proposed password is on the list, the employee will receive an error message and must try a different password. The team recommends that all clients enable a blocklist and used Microsoft Entra to demonstrate how a blocklist works.


Microsoft Entra provides a list of 1,000 banned passwords, but the team suggests that clients replace at least 10 to 20 of those passwords with terms of their own. Often, employees use the names of sports teams, localities, company products, or industry names as passwords, and these words should be banned as passwords since they are too easy for threat actors to guess. As an example, the team discussed how it added the words Pondurance, cybersecurity, scorecard, and Indianapolis to its own blocklist.


From there, the tool applies an algorithm to cover the many different permutations of those words, such as adding 1234 or ABC to the end of the password. However, the team noted that it has seen a few weaknesses in the permutation logic, including:

  • Double substitution. Two characters used to substitute for one character, such as using a pipe character and a right parenthesis to create the letter D.

  • Keyboard walking. Passwords made up of keys located next to each other on the keyboard, such as qwerty or xcvbnm.

  • Foreign characters. Only English words or characters are considered.


As best practices, the team recommends creating passwords that are all lowercase and using an eight-character minimum (but using a six-character minimum for the passwords entered into the blocklist to allow for permutations). In addition, the team suggests doing password checkups where clients check with employees about whether they are using the password managers within their browsers. It's important to control the use of password managers in the browsers because a password can remain in an employee's personal password manager even after the employee has left the company, leading to potential exposure for the company. Clients can enter a Scope service ticket for more information on how to perform a password checkup.
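The blocklist behaviour described in this section, as an added example that is not the page's or Microsoft Entra's own code: a simplified banned-term check normalizes a candidate password (lowercase, common one-character substitutions reversed) and rejects it if a custom term such as the four above appears. The example goes beyond the page by also showing a hardened variant that reverses two-character substitutions and detects keyboard walks, the two permutation weaknesses listed above. The substitution tables and the four-key run length are assumptions for illustration.

```python
# Custom banned terms taken from the team's own examples in this section.
CUSTOM_BANNED = ["pondurance", "cybersecurity", "scorecard", "indianapolis"]

# One-character substitutions a typical blocklist reverses before matching (assumed set).
SINGLE_SUBS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})
# Two-character substitutions that a one-to-one map cannot reverse (assumed examples);
# "|)" for the letter D is the case the team described.
DOUBLE_SUBS = {"|)": "d", "|<": "k", "()": "o", "|-|": "h"}
# Physical key rows used to spot keyboard walks such as qwerty or xcvbnm.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def normalize(pw, handle_double=False):
    """Lowercase and undo leet-style substitutions so banned terms can be matched."""
    pw = pw.lower()
    if handle_double:
        for multi, ch in DOUBLE_SUBS.items():
            pw = pw.replace(multi, ch)
    return pw.translate(SINGLE_SUBS)

def keyboard_walk(pw, run=4):
    """True if the password contains `run` adjacent keys from one row, in either direction."""
    pw = pw.lower()
    for row in KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in pw:
                return True
    return False

def basic_check(pw):
    """Simple blocklist: accept unless a banned term appears after one-character normalization."""
    normalized = normalize(pw)
    return not any(term in normalized for term in CUSTOM_BANNED)

def hardened_check(pw):
    """Blocklist plus the two extra checks; returns True only when the password is acceptable."""
    normalized = normalize(pw, handle_double=True)
    if any(term in normalized for term in CUSTOM_BANNED):
        return False
    if keyboard_walk(pw):
        return False
    return True

if __name__ == "__main__":
    for candidate in ["Pondurance1234", "P0n|)ur@nce!", "Qwerty!2025", "correct horse battery staple"]:
        print(f"{candidate!r}: basic={basic_check(candidate)} hardened={hardened_check(candidate)}")
```

The double-substituted and keyboard-walk candidates slip past the basic check but not the hardened one, which is the gap the team's weakness list points at.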

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.

