Insights

This week, Patrick Kelley, CEO of both Léargas Security and Critical Path Security, will be attending Consensus 2025 in Toronto, Ontario. While the companies are not formal sponsors of the event, Mr. Kelley's presence reflects the growing commitment by both organizations to remain at the forefront of global cybersecurity trends-particularly where blockchain, digital identity, and threat intelligence converge. Consensus 2025, hosted by CoinDesk, is one of the premier gatherings for leaders across the blockchain, digital asset, Web3, and cybersecurity ecosystems. With the rapid expansion of decentralized technologies into critical infrastructure, finance, and identity frameworks, the implications for national and global security are profound. Operating across both Canada and the United States, Léargas and Critical Path Security continue to provide advanced security services, including XDR, incident response, and cyber risk leadership, to clients on both sides of the border. Participation in events like Consensus enables the teams to assess not only…

Critical Path Security - Threat Intelligence Report Date: May 2025Prepared by: Critical Path Security Research Team Executive Summary In a rare and highly consequential breach of operational secrecy, internal chat logs from the LockBit3 ransomware group have been leaked to the public. This unique intelligence provides cybersecurity professionals and defenders with an unparalleled opportunity to examine the internal communications of one of the most prolific ransomware syndicates in recent history. The Critical Path Security research team analysed more than 4,400 messages exchanged between LockBit affiliates and their victims. This report outlines significant trends in threat actor behaviour, negotiation tactics, and operational cadence, based on detailed analysis of the chat data. Key Findings Volume of Communications A total of 4,423 messages were reviewed, capturing the full breadth of negotiation stages-from initial victim outreach to ransom payment instructions. Average Ransom Demand Across the dataset, ransom demands averaged approximately $32,223 CAD, with most…

SonicWall has issued an urgent security advisory addressing multiple critical vulnerabilities in its Secure Mobile Access (SMA) series. These flaws-now confirmed to be actively exploited-pose a serious risk to organizations relying on SonicWall's SSL VPN appliances to secure remote access. What's at Stake? Three vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) have been disclosed affecting the following SMA appliances: SMA 200 SMA 210 SMA 400 SMA 410 SMA 500v When chained together, these vulnerabilities can allow an attacker with valid SSL VPN user credentials to execute arbitrary code with root privileges. This grants full system control and could be used to pivot into internal networks, exfiltrate data, or deploy ransomware. Breakdown of the Exploits: CVE-2025-32819: Enables attackers to delete the primary SQLite database and reset the admin password, giving them admin access to the web interface. CVE-2025-32820: A path traversal vulnerability that makes the /bin directory writable. CVE-2025-32821: Allows an attacker to…

A newly discovered technique is being leveraged by threat actors to bypass Endpoint Detection and Response (EDR) protections-specifically those provided by SentinelOne-through an abuse of its own update process. Dubbed the "Bring Your Own Installer" (BYOI) technique, this method disables the EDR's defenses long enough to allow for the deployment of ransomware, such as variants of Babuk, without interference. How the BYOI Technique Works Most EDR platforms, including SentinelOne, are designed with anti-tamper features that prevent uninstallation or modification without authorization-typically requiring administrative access or a unique passphrase. However, attackers have found a workaround that exploits the EDR's legitimate update mechanism. During an upgrade or downgrade, SentinelOne temporarily stops its active protections to replace the running components. By forcibly interrupting this process mid-way, threat actors leave the system in a vulnerable state-protection disabled, upgrade incomplete, and no alerts triggered. At this point, ransomware can be deployed with impunity. This method…