Weekly Threat Landscape Digest – Week 36

This week’s threat landscape underscores how attackers continue to blend newly disclosed flaws with well-known weaknesses and supply chain exposures. Campaigns increasingly rely on a mix of technical exploits and human manipulation to achieve persistence and impact. Organizations should focus on timely patch management, end-to-end visibility across infrastructure, and strong identity protections. Building resilience requires enforcing least privilege, enabling multi-factor authentication everywhere, and investing in both automated defenses and ongoing security awareness for employees.
- Security Updates – Google Chrome
Google has released security updates for Chrome 140 (140.0.7339.80/81), promoted to the Stable Channel for Windows, macOS, and Linux. This release addresses six vulnerabilities, including a high-severity use-after-free flaw in the V8 JavaScript engine (CVE-2025-9864) that could allow remote code execution via crafted web content.
Vulnerability Details
- CVE-2025-9864 (High, V8 JavaScript Engine): Use-after-free vulnerability that may allow remote attackers to execute arbitrary code when users access malicious web content.
- CVE-2025-9865 (Medium, Toolbar): Inappropriate implementation that could allow privilege misuse or unexpected behaviors.
- CVE-2025-9866 (Medium, Extensions): Improper handling in extensions could enable malicious plugins to bypass security restrictions.
- CVE-2025-9867 (Medium, Downloads): Inappropriate implementation could allow harmful downloads to bypass security warnings.
Fixed Versions
- Linux: Chrome 140.0.7339.80
- Windows and Mac: Chrome 140.0.7339.80/81
Recommendations
- Update Chrome to the latest available version immediately.
- Enable automatic updates to ensure timely patching of future vulnerabilities.
- Restart the browser after updating to fully apply the fixes.
Reference
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html
- High-Severity Vulnerability in Red Hat Udisks Daemon
A high-severity flaw has been discovered in the Red Hat Udisks daemon, a component providing a D-BUS interface for managing storage devices on Linux systems. The vulnerability (CVE-2025-8067) allows unprivileged local users to exploit an out-of-bounds read issue, potentially accessing files owned by privileged accounts or causing the daemon to crash.
Vulnerability Details
- CVE ID: CVE-2025-8067
- CVSS Score: 8.5 (High)
- Type: Out-of-bounds read
- Description: The Udisks daemon fails to properly validate that the file index parameter is non-negative in loop device management. Negative indices may cause memory reads outside the intended bounds. This could expose sensitive memory, including cryptographic materials, or trigger process crashes leading to denial-of-service (DoS).
Affected Products
- Red Hat Enterprise Linux (RHEL):
- RHEL 6 (udisks) → No patches due to end-of-life (EOL).
- RHEL 7, 8, 9, 10 (udisks2).
Remediation
- Apply the updated Udisks packages released by Red Hat.
- For RHEL 6, which is EOL, organizations should migrate to a supported version.
Recommendations
- Install the latest security updates provided by Red Hat.
- Restrict unprivileged user access on systems until patched.
- Monitor system logs for unusual crashes or storage access attempts.
Reference
https://access.redhat.com/security/cve/CVE-2025-8067
- WhatsApp Patches Zero-Click Vulnerability Exploited in Sophisticated Attacks
WhatsApp has released emergency security updates to address a critical zero-click vulnerability (CVE-2025-55177) in its iOS and macOS apps that has been actively exploited in targeted attacks. This flaw has been observed in conjunction with an Apple ImageIO vulnerability (CVE-2025-43300), forming an exploit chain capable of achieving full device compromise.
Vulnerability Details
- CVE-2025-55177
- Type: Incomplete Authorization / Improper Access Control
- Impact: Allows a remote attacker to trigger the processing of arbitrary content via linked device synchronization messages.
- Attack Vector: Zero-click (no user interaction required).
- Severity: CVSS 8.0 (CISA-ADP) / 5.4 (Meta).
- Exploitation: Actively exploited in targeted attacks.
- CVE-2025-43300
- Type: Out-of-Bounds Write in Apple ImageIO Framework
- Impact: Memory corruption when processing malicious images.
- Chain: Used alongside CVE-2025-55177 to enable remote code execution and persistence.
Attack Characteristics
- Delivered via zero-click methods, requiring no user interaction.
- Exploits linked device synchronization to process malicious URLs.
- Capable of achieving full device compromise and spyware installation.
Recommendations
- Update WhatsApp to the latest version immediately.
- Update iOS, iPadOS, and macOS devices to the latest patched releases.
- If compromise is suspected, perform a full factory reset of the device.
- Enable automatic updates for apps and operating systems to minimize exposure.
Reference
https://www.whatsapp.com/security/advisories/2025
- Actively Exploited Zero-Day Vulnerability in FreePBX
The Sangoma FreePBX Security Team has issued an urgent warning about an actively exploited zero-day vulnerability (CVE-2025-57819) affecting FreePBX systems that expose the Administrator Control Panel (ACP) to the public internet. This flaw, rated Critical (CVSS 10.0), allows attackers to achieve remote code execution, manipulate databases, and fully compromise affected systems.
Vulnerability Details
- CVE ID: CVE-2025-57819
- Severity: Critical (CVSS 10.0)
- Status: Actively exploited in the wild
- Affected Products: FreePBX 15, 16, 17
- Impact: Remote code execution, arbitrary database manipulation, and full system compromise
Affected & Patched Versions
- FreePBX 15: Vulnerable prior to 15.0.66 → Patched in 15.0.66
- FreePBX 16: Vulnerable prior to 16.0.89 → Patched in 16.0.89
- FreePBX 17: Vulnerable prior to 17.0.3 → Patched in 17.0.3
Indicators of Compromise (IOCs)
- /etc/freepbx.conf file recently modified or missing
- Presence of /var/www/html/.clean.sh (not legitimate on normal systems)
- Unusual POST requests to modular.php in web server logs
- Suspicious phone calls placed to extension 9998 in call logs/CDRs (unless intentionally configured)
- Unknown or suspicious ampuser entries in the database
Recommendations
- Upgrade to the latest patched versions immediately.
- Search systems and logs for the listed IOCs.
- Disconnect potentially compromised systems from the network if compromise is suspected.
- Restrict public access to the FreePBX Administrator Control Panel.
- Implement IP allowlisting and Access Control Lists (ACLs) for administrative interfaces.
Reference
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
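The IOC list above turned into a small hunt script. This is an added example, not code from the advisory or from FreePBX; it assumes an Apache/nginx combined-format access log, a CDR export with a dst column, and a list of ampusers names pulled from the database, and every sample record in it is constructed.

```python
import csv
import io
import os
import re
from datetime import datetime, timedelta, timezone

# Indicators named in the Sangoma advisory
WEBSHELL_PATH = "/var/www/html/.clean.sh"   # never present on a clean install
CONFIG_PATH = "/etc/freepbx.conf"           # must exist and should rarely change
SUSPICIOUS_EXTENSION = "9998"               # abnormal unless deliberately configured

# Apache/nginx "combined" log format (assumption about how the web server logs)
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_access_log(lines):
    """Return one record per POST to modular.php, the request pattern the advisory lists."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the whole hunt
        path = m.group("target").split("?", 1)[0]
        if m.group("method") == "POST" and os.path.basename(path) == "modular.php":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def hunt_cdr(cdr_csv, extension_is_expected=False):
    """Return CDR rows whose destination is extension 9998 (unless 9998 is a known, intended extension)."""
    if extension_is_expected:
        return []
    return [row for row in csv.DictReader(io.StringIO(cdr_csv))
            if row.get("dst") == SUSPICIOUS_EXTENSION]


def hunt_ampusers(ampuser_names, known_admins):
    """Return admin accounts present in the ampusers table that nobody on the team created."""
    return sorted(set(ampuser_names) - set(known_admins))


def check_filesystem(exists, mtime, now, recent=timedelta(days=7)):
    """Evaluate the file-based indicators.

    exists(path) -> bool and mtime(path) -> aware datetime are passed in, so the
    same logic runs against the live host or against test doubles.
    """
    findings = []
    if exists(WEBSHELL_PATH):
        findings.append(f"{WEBSHELL_PATH} present")
    if not exists(CONFIG_PATH):
        findings.append(f"{CONFIG_PATH} missing")
    elif now - mtime(CONFIG_PATH) < recent:
        findings.append(f"{CONFIG_PATH} modified at {mtime(CONFIG_PATH).isoformat()}")
    return findings


def demo_filesystem_findings():
    """Exercise check_filesystem with doubles describing a compromised host (constructed)."""
    now = datetime(2025, 8, 29, tzinfo=timezone.utc)
    present = {WEBSHELL_PATH, CONFIG_PATH}
    modified = {CONFIG_PATH: now - timedelta(hours=5)}
    return check_filesystem(present.__contains__, modified.__getitem__, now)


# Constructed sample data, not taken from a real incident
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [28/Aug/2025:02:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.1"',
    '198.51.100.4 - - [28/Aug/2025:02:15:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9811 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Aug/2025:02:15:31 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 64 "-" "curl/8.1"',
    "a line in some other format that should be skipped",
]
SAMPLE_CDR = (
    "calldate,src,dst,disposition\n"
    "2025-08-28 02:20:11,1001,9998,ANSWERED\n"
    "2025-08-28 09:02:45,1002,1003,ANSWERED\n"
)
SAMPLE_AMPUSERS = ["admin", "pbxops", "sysupd"]
KNOWN_ADMINS = ["admin", "pbxops"]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_ACCESS_LOG):
        print("POST to modular.php:", hit)
    for row in hunt_cdr(SAMPLE_CDR):
        print("call to extension 9998:", row)
    print("unexpected ampusers:", hunt_ampusers(SAMPLE_AMPUSERS, KNOWN_ADMINS))
    # Same file checks against the host this script runs on
    print("file indicators:", check_filesystem(
        os.path.exists,
        lambda p: datetime.fromtimestamp(os.path.getmtime(p), tz=timezone.utc),
        datetime.now(timezone.utc)))
```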
- Critical Vulnerabilities in Drupal Products
Multiple Drupal contributed modules have been marked as unsupported due to unresolved security issues. These unsupported modules pose a critical risk to Drupal sites, as they will not receive security patches and remain vulnerable to exploitation.
Vulnerability Details
- CVE-2025-9552 – Synchronize composer.json With Contrib Modules
• Severity: Critical
• Affected Versions: All
• Status: Unsupported
• Description: Contains known vulnerabilities; project is no longer supported.
- CVE-2025-9553 – API Key Manager
• Severity: Critical
• Affected Versions: All
• Status: Unsupported
• Description: Module has unresolved security issues and has been deprecated.
- CVE-2025-9554 – Owl Carousel 2
• Severity: Critical
• Affected Versions: All
• Status: Unsupported
• Description: Known security issues remain unpatched; project is unsupported.
Impact
Use of these unsupported modules exposes Drupal environments to serious threats, including:
- Remote Code Execution (RCE)
- Privilege Escalation
- Sensitive Data Exposure
- Cross-Site Scripting (XSS)
- Compromise of API keys and configuration integrity
Recommendations
- Immediately uninstall all listed unsupported modules from Drupal environments.
- Avoid deploying unsupported contributed projects in production.
- Regularly monitor the Drupal Security Advisories page for new updates.
- Notify subsidiaries and partners of these risks, and share any relevant findings with the UAE Cyber Security Council.
References
- https://www.drupal.org/sa-contrib-2025-102
- https://www.drupal.org/sa-contrib-2025-103
- https://www.drupal.org/sa-contrib-2025-104
- Multiple Vulnerabilities in Hikvision Products
Hikvision has released patches for multiple vulnerabilities identified in its HikCentral product line. If exploited, these flaws could enable command injection, privilege escalation, or unauthorized access, potentially compromising critical security infrastructure.
Vulnerability Details
- CVE-2025-39245 – CSV Injection Vulnerability
• CVSS v3.1: 4.7 (Medium)
• Affected Product: HikCentral Master Lite (V2.2.1–V2.3.2)
• Impact: Attackers may embed malicious commands or formulas within CSV export files, which could execute when opened in spreadsheet applications.
- CVE-2025-39246 – Unquoted Service Path Vulnerability
• CVSS v3.1: 5.3 (Medium)
• Affected Product: HikCentral FocSign (V1.4.0–V2.2.0)
• Impact: Local authenticated users may exploit unquoted service paths to escalate privileges by planting malicious executables in service directories.
- CVE-2025-39247 – Access Control Vulnerability
• CVSS v3.1: 8.6 (High)
• Affected Product: HikCentral Professional (V2.3.1–V2.6.2, V3.0.0)
• Impact: Enables unauthenticated remote attackers to gain administrative privileges, leading to complete system compromise.
Fixed Versions
- HikCentral Master Lite: V2.4.0
- HikCentral FocSign: V2.3.0
- HikCentral Professional: V2.6.3 or V3.0.1
Recommendations
- Update all affected HikCentral products to the fixed or latest versions.
- Restrict administrative interface access to trusted networks.
- Monitor logs for suspicious privilege escalation or unauthorized access attempts.
- Enforce strict least-privilege access policies for local and remote accounts.
Reference
- Stored XSS Vulnerability in IPFire Web Interface
A critical stored cross-site scripting (XSS) vulnerability has been identified in the IPFire firewall management interface (firewall.cgi). Exploitation allows attackers with administrator-level access to inject persistent JavaScript payloads into firewall rules. This could lead to session hijacking, unauthorized administrative actions, and lateral movement within internal networks.
Vulnerability Details
- CVE ID: CVE-2025-50975
- Affected Version: IPFire 2.29
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Attack Vector: Web Interface
- Complexity: Low
- Impact: Confidentiality & Integrity
Attack Characteristics
- Payload executes whenever other administrators view firewall rules.
- Enables session hijacking via cookie theft.
- Allows unauthorized administrative actions such as altering firewall rules.
- Can facilitate pivoting and lateral movement into internal network systems.
Recommendations
- Update IPFire: Apply latest patches or upgrade beyond version 2.29 with improved input validation.
- Restrict Admin Access: Limit GUI-privileged users and enforce multi-factor authentication (MFA).
- Implement Content Security Policy (CSP): Deploy a strict CSP header to mitigate XSS payload execution.
- Audit Firewall Rules: Regularly review for anomalous entries or embedded scripts.
- Monitor and Respond: Watch for unusual session activity and reset credentials if compromise is suspected.
Reference
- Multiple Vulnerabilities in QNAP Legacy VioStor NVR Systems
QNAP has released patches to address multiple vulnerabilities affecting legacy VioStor Network Video Recorder (NVR) systems. Successful exploitation could allow attackers to bypass authentication, gain unauthorized access, and expose sensitive surveillance data.
Vulnerability Details
- CVE-2025-52856 – Improper Authentication
• Severity: Important
• Description: Authentication bypass vulnerability that enables remote attackers to access systems without valid credentials.
• Impact: Unauthorized access to surveillance data and critical system controls.
- CVE-2025-52861 – Path Traversal
• Severity: Important
• Description: Path traversal flaw enabling attackers with administrator-level access to read arbitrary files outside of intended permissions.
• Impact: Escalates the impact of compromised accounts, potentially exposing sensitive data.
Affected Products
- Legacy VioStor NVR systems running QVR 5.1.x firmware
Fixed Versions
- QVR 5.1.6 build 20250621 or later
Recommendations
- Upgrade to QVR 5.1.6 build 20250621 or later immediately.
- Restrict remote access to NVR systems and apply network segmentation.
- Monitor for abnormal login attempts or suspicious access to surveillance data.
- Regularly review user accounts and permissions for signs of compromise.
Reference
- Critical Vulnerability in NeuVector
A critical vulnerability has been disclosed in NeuVector, an open-source container security platform for Kubernetes. The flaw allows unauthorized users within the cluster environment to gain administrative access due to the use of a fixed default password under certain initialization conditions.
Vulnerability Details
- CVE ID: CVE-2025-8077
- CVSS Score: 9.8 (Critical)
- Vulnerability Type: Hardcoded/fixed default password
- Root Cause: NeuVector falls back to a static default admin password if the neuvector-bootstrap-secret is not available during initialization.
- Affected Versions: NeuVector 5.0.0 – 5.4.5
- Fixed Versions: NeuVector 5.4.6 or later
Impact
- Unauthorized administrative access to NeuVector API within the cluster.
- Attackers can authenticate with default credentials, generate tokens, and invoke privileged API operations.
- Exploitable over the network from within the Kubernetes cluster.
- No privileges required and low complexity (simple login with known credentials).
Recommendations
- Upgrade to NeuVector 5.4.6 or later immediately.
- Audit Kubernetes Secrets to ensure proper initialization of bootstrap credentials.
- Restrict network access to NeuVector API endpoints to trusted workloads only.
- Continuously monitor Kubernetes cluster logs for anomalous authentication events.
Reference
- Security Updates – Android (September 2025 Bulletin)
Google has released the September 2025 Android Security Bulletin, addressing multiple vulnerabilities across the Android Framework, System, Kernel, and vendor components (MediaTek, Qualcomm, and Arm). The update includes fixes for two actively exploited vulnerabilities, alongside a critical remote code execution (RCE) flaw in the Android System component.
Vulnerability Details
- CVE-2025-48539 – Android System RCE
• Severity: Critical
• Description: Remote code execution vulnerability requiring no user interaction.
• Impact: An attacker within Wi-Fi or Bluetooth proximity could fully compromise the device.
- CVE-2025-38352 – Kernel Race Condition
• CVSS Score: 7.4 (High)
• Description: Race condition in posix-cpu-timers leading to denial-of-service (DoS) and system instability.
• Status: Actively exploited in the wild.
- CVE-2025-48543 – Android Runtime Privilege Escalation
• Severity: High
• Description: Local privilege escalation vulnerability enabling attackers to gain elevated privileges.
• Status: Actively exploited in the wild.
Recommendations
- Update Immediately: Apply the 2025-09-05 security patch level or later.
- Patch Management: Prioritize rollout of updates across all corporate and personal devices.
- Monitor Exploitation: Track for signs of exploitation of CVE-2025-38352 and CVE-2025-48543.
- Mobile Threat Defense (MTD): Deploy endpoint protection capable of detecting privilege escalation and kernel exploitation attempts.
Reference
- Security Updates – NVIDIA
NVIDIA has released security updates to address multiple vulnerabilities across BlueField, ConnectX, DOCA, Mellanox DPDK, Cumulus Linux, and NVOS. Exploitation of these flaws may result in privilege escalation, information disclosure, denial of service (DoS), or unauthorized configuration modifications.
High-Severity Vulnerabilities
- CVE-2025-23256 – BlueField Management Interface
• Impact: Incorrect authorization could allow local attackers to modify configurations.
- CVE-2025-23257 – DOCA (collectx-clxapidev)
• Impact: Privilege escalation vulnerability in Debian package.
- CVE-2025-23258 – DOCA (collectx-dpeserver, arm64)
• Impact: Privilege escalation vulnerability in Debian package.
Medium-Severity Vulnerabilities
- CVE-2025-23259 – Mellanox DPDK
• Impact: Poll Mode Driver (PMD) flaw may lead to information disclosure or DoS from a VM.
- CVE-2025-23262 – ConnectX Management Interface
• Impact: Could allow unauthorized modification of configurations.
- CVE-2025-23261 – Cumulus Linux / NVOS
• Impact: Hashed user passwords may be improperly logged, risking information disclosure.
Affected Products and Fixed Versions
- NVIDIA DOCA
• collectx-clxapidev: Fixed in 2.9.3, 3.0.0
• collectx-dpeserver (arm64): Fixed in 2.5.4, 2.9.3, 3.0.0
- NVIDIA BlueField
• GA: Fixed in 45.1020
• LTS22: Fixed in 35.4554
• LTS23: Fixed in 39.5050
• LTS24: Fixed in 43.3608
- NVIDIA ConnectX
• GA: Fixed in 45.1020
• LTS22: Fixed in 35.4554
• LTS23: Fixed in 39.5050
• LTS24: Fixed in 43.3608
• ConnectX-4: Fix pending (12.28.4704, expected end of September)
• ConnectX-4 LX: Fix pending (14.32.1908, expected end of September)
- Mellanox DPDK
• Fixed in 22.11_2504.1.0, 22.11_2410.4.0 LTS, 22.11_2310.6.0 LTS, 20.11.7.9.0, 25.07, 24.11.3 LTS, 23.11.5 LTS, 22.11.10 LTS
- NVOS / Cumulus Linux
• NVOS: Fixed in 25.02.42xx, 25.02.4xxx
• Cumulus Linux: Fixed in 5.13, 5.11.0.0026, 5.11.1.1009, 5.9.2.0020, 5.9.0.0032
Recommendations
- Apply the latest NVIDIA security updates as per product advisories.
- Prioritize patching of BlueField and DOCA components due to privilege escalation risks.
- Restrict access to management interfaces and review system logs for unauthorized activity.
- Monitor vendor announcements for pending ConnectX-4 fixes.
Reference
- Security Updates – MediaTek Chipsets
MediaTek has released its September 2025 security updates, addressing multiple vulnerabilities in modem and system components across various chipset models. These flaws could enable remote or local privilege escalation, as well as denial-of-service (DoS) attacks, affecting a broad range of mobile devices and IoT platforms.
High-Severity Vulnerabilities
- CVE-2025-20708 – Out-of-Bounds Write (Modem Subsystem)
• CWE: 787
• Impact: Remote privilege escalation without user interaction when connecting to a rogue base station.
• Affected: Over 70 chipset models, including MT6853, MT6877, MT6899, MT6980, MT8893 (modem firmware NR15–NR17R).
- CVE-2025-20703 – Out-of-Bounds Read (Modem Subsystem)
• CWE: 125
• Impact: Remote DoS under similar conditions as above.
• Affected: Same chipset and firmware range as CVE-2025-20708.
- CVE-2025-20704 – Out-of-Bounds Write (Modem NR17/NR17R)
• CWE: 787
• Impact: Remote privilege escalation requiring limited user interaction.
• Affected: Narrower subset including MT6835T, MT6878M, MT8883.
Medium-Severity Vulnerabilities
- CVE-2025-20705 – Use-After-Free (monitor_hang driver)
• CWE: 416
• Impact: Local privilege escalation if attacker has System privileges.
• Affected: Android 13.0–16.0, OpenWRT 19.07/21.02, Yocto 2.6.
• Chipsets: MT6765, MT6789, MT8169, and others.
- CVE-2025-20706 – Use-After-Free (mbrain component)
• Impact: Local escalation on Android 14.0–15.0 devices.
• Affected Chipsets: MT6989, MT8678.
- CVE-2025-20707 – Use-After-Free (geniezone module)
• Impact: Local escalation on Android 13.0–15.0 devices.
• Affected Chipsets: MT6853, MT8792, MT8883.
Recommendations
- Ensure all affected MediaTek chipset devices receive the latest firmware or OS updates from OEMs or software vendors.
- Apply the September 2025 security patches as a priority.
- Limit exposure to rogue base stations by enforcing secure connectivity policies.
- Monitor device behavior for crashes, instability, or suspicious privilege escalation attempts.
Reference
- Arbitrary Code Execution Vulnerability in HP Poly Devices
HP has disclosed a high-severity vulnerability affecting Poly Video and Voice devices running on the Android platform. The flaw resides in the FreeType font library and could allow remote attackers to execute arbitrary code. Exploitation may lead to elevation of privilege and information disclosure, threatening the confidentiality, integrity, and availability of affected systems.
Vulnerability Details
- CVE ID: CVE-2025-27363
- CVSS v3.1 Base Score: 8.1 (High)
• Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Vulnerability Type: Arbitrary Code Execution
- Component Affected: FreeType Font Library
- Attack Vector: Network-based exploitation
- Impact:
• Remote Code Execution
• Elevation of Privilege
• Information Disclosure
Affected Products and Fixed Versions
- Video Codecs: PolyOS 4.6 / PolyOS 5.0
- Poly Touch Controllers: TCOS 6.6 / TCOS 7.0
- CCX Phones: PVOS 9.2.0
- Trio C60 Phones: PVOS 9.2.0
Recommendations
- Update to Latest Version: Apply firmware and software updates using Poly Lens Desktop or Poly Lens Cloud.
- Ongoing Monitoring: Regularly check the HP Security Bulletin and Poly Lens notifications for new updates.
- Restrict Exposure: Limit device access to trusted networks until updates are applied.
Reference
- High-Severity Vulnerability in IBM Watsonx Orchestrate Cartridge
IBM has disclosed a high-severity vulnerability in the Watsonx Orchestrate Cartridge for IBM Cloud Pak for Data. The flaw allows blind SQL injection attacks, enabling authenticated users to execute crafted SQL statements on the back-end database. Exploitation could result in unauthorized data access, modification, or deletion, posing serious risks to confidentiality, integrity, and availability.
Vulnerability Details
- CVE ID: CVE-2025-0165
- CVSS Score: 7.6 (High)
- Vulnerability Type: Blind SQL Injection
- Attack Vector: Authenticated user access via unsanitized input fields
- Impact:
• Confidentiality: Exposure of sensitive data such as credentials and proprietary information
• Integrity: Unauthorized modification or insertion of database records
• Availability: Deletion or corruption of critical tables, leading to service disruption
Affected Versions
- Watsonx Orchestrate Cartridge 4.8.4 – 4.8.5
- Watsonx Orchestrate Cartridge 5.0.0 – 5.2
Fixed Version
- IBM Watsonx Orchestrate Cartridge 5.2.0.1
Recommendations
- Upgrade to version 5.2.0.1 or later immediately.
- Restrict access to workflows with database interaction until updates are applied.
- Monitor database activity for suspicious queries or unexpected schema changes.
- Review audit logs for unauthorized access attempts.
Reference
- Multiple Vulnerabilities in Sitecore Experience Platform
Security researchers have disclosed multiple vulnerabilities in the Sitecore Experience Platform (XP) that could enable attackers to compromise enterprise websites. The issues include HTML cache poisoning, remote code execution, and sensitive data exposure through APIs. Exploitation requires little to no authentication, making these flaws particularly dangerous for publicly accessible Sitecore environments.
Vulnerability Details
- CVE-2025-53693 – HTML Cache Poisoning
• Type: Unsafe reflections in HTML caching
• Impact: Allows pre-authentication cache manipulation and malicious HTML injection.
• Characteristics: No credentials required, stealthy persistence, and potential global reach.
- CVE-2025-53691 – Remote Code Execution (RCE)
• Type: Insecure deserialization in ConvertToRuntimeHtml pipeline
• Impact: Enables arbitrary code execution on vulnerable servers.
- CVE-2025-53694 – Information Disclosure
• Type: Weakness in ItemServices API
• Impact: Exposes cacheable items and sensitive information if API is internet-accessible.
Affected Versions
- Sitecore XP version 10.4.1 and earlier
Recommendations
- Patch Immediately: Apply the June/July 2025 Sitecore security updates.
- Restrict API Exposure: Limit access to the ItemServices API to trusted networks only.
- Enforce Access Controls: Review and minimize privileges in the Content Editor.
- Incident Response: Audit Sitecore instances for cache tampering or unauthorized activity, and restore compromised content from backups.
- Ongoing Security Assessment: Perform regular vulnerability scans and penetration testing.
Reference
- Cyber Espionage Targeting Networks Worldwide
Chinese Advanced Persistent Threat (APT) actors have been conducting widespread, persistent cyber espionage campaigns since at least 2021, targeting global telecommunications, government, transportation, lodging, and military infrastructure. These actors focus on backbone and edge routers but also pivot into internal segments using compromised devices and trusted connections. Activities include exploiting known vulnerabilities, establishing persistence, and exfiltrating sensitive data via covert channels with custom tools and novel protocols.
Exploited Vulnerabilities
- CVE-2024-21887 – Ivanti Connect Secure command injection (often chained with CVE-2023-46805)
- CVE-2024-3400 – Palo Alto PAN-OS arbitrary file creation → RCE on firewalls (GlobalProtect)
- CVE-2023-20273 – Cisco IOS XE command injection / privilege escalation (chained with CVE-2023-20198)
- CVE-2023-20198 – Cisco IOS XE authentication bypass → creation of admin accounts
- CVE-2018-0171 – Cisco IOS/IOS XE Smart Install RCE
Tactics, Techniques, and Procedures (TTPs)
- Initial Access: Exploit public-facing CVEs; leverage trusted provider relationships for lateral movement.
- Persistence: Modify ACLs; open/abuse non-standard ports (SSH, SFTP, HTTP); create local accounts; deploy persistent containers (Cisco Guest Shell); manipulate SNMP; establish GRE/IPsec tunnels.
- Defense Evasion: Obfuscate commands, clear/disable logs, use double encoding, delete artifacts, abuse hosting features.
- Data Collection & Exfiltration: Capture PCAPs, redirect authentication servers, manipulate AAA, deploy custom SFTP clients, and use multi-hop proxies/tools for C2 and exfiltration.
Recommendations
- Patch all network edge devices against listed CVEs; cross-check with the Known Exploited Vulnerabilities Catalog.
- Audit device configurations and logs for unauthorized ACLs, suspicious tunnels, external TACACS+/RADIUS servers, or packet capture commands.
- Change all default credentials (including SNMP community strings); enforce strong cryptography for Cisco (Type 8/Type 6).
- Isolate management networks; block unnecessary egress; restrict inbound access to management IPs.
- Enable secure centralized logging; monitor privileged command usage.
- Monitor for custom SFTP client binaries and use YARA rules for detection.
- Disable unused services/ports (Telnet/FTP/HTTP); enforce encrypted/authenticated protocols only.
- Harden VPN cryptographic settings and remove unused/default configurations.
- Disable Cisco Smart Install; monitor Guest Shell activity and restrict container creation.
- Restrict device-to-device logins; monitor for suspicious internal FTP/TFTP use.
- Perform regular integrity checks of firmware and configurations against vendor baselines.
Reference
- Storm-0501’s Evolving Techniques Lead to Cloud-Based Ransomware (Microsoft TI)
Microsoft reports that financially motivated actor Storm-0501 has shifted from traditional on-prem endpoint ransomware to cloud-native ransomware tactics. After gaining on-prem domain admin, the actor pivots to Microsoft Entra ID, escalates cloud privileges, exfiltrates data from Azure Storage, then destroys backups and data stores; where deletion is blocked, they encrypt blobs via Key Vault–backed encryption scopes and proceed to extortion.
Notable Tradecraft (Hybrid → Cloud)
- On-prem foothold & recon: checks MDE services (sc query sense|windefend), lateral movement via Evil-WinRM, DCSync for credential access.
- Pivot to cloud: abuses Entra Connect Sync DSA; maps attack paths with AzureHound; targets tenants with uneven Defender coverage and identity gaps.
- Identity escalation: resets password of a non-human synced Global Admin lacking MFA → registers new MFA; satisfies Conditional Access by locating a hybrid-joined device.
- Tenant backdoor: adds a malicious federated domain (via AADInternals) to mint SAML tokens and impersonate users.
- Azure takeover: runs Microsoft.Authorization/elevateAccess/action → assigns Owner across subscriptions; enumerates protections (resource locks, immutability).
- Data theft & impact: exposes Storage accounts, steals account keys (…/listkeys/action), exfiltrates via AzCopy, then mass-deletes snapshots/restore points/storage accounts & backup containers; removes locks and immutability policies to enable deletion. Where blocked, creates Key Vault + CMK, sets encryption scopes, and attempts “encrypt-and-delete”; follows with Teams-based extortion.
Recommendations (Priority Actions)
- Identity hardening: Enforce MFA (phishing-resistant) for all, remove GA ties to on-prem AD, restrict DSA sign-ins with Conditional Access; enable Entra ID Protection and monitor risky sign-ins.
- Entra Connect security: update to versions supporting modern auth; TPM-enable Connect servers; audit who can reset synced accounts.
- Azure controls: apply Resource Locks, Immutable Blob Storage (with legal hold/time-based retention), Key Vault soft-delete + purge-protection, private endpoints, and disable public access on Storage.
- Detection & hunting: monitor listed Azure operations; hunt for AADInternals/AzureHound usage; alert on Storage public access flips, SAS abuse, unusual AzCopy volumes, and role explosions (sudden Owner grants).
- Coverage & EDR: ensure Defender for Endpoint coverage on Entra Connect & critical servers; enable EDR in block mode and tamper protection.
- Backup resilience: enforce geo-redundant backups, test recovery, separate backup identities/tenants; monitor restore point and snapshot deletions.
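A triage routine for the "monitor listed Azure operations" recommendation, written as an added example rather than anything from Microsoft's report. It assumes Azure Activity Log records in their REST shape (operationName.value, caller, eventTimestamp, status.value, resourceId, properties); elevateAccess and listKeys come from the report, while the other operation names are my assumption about what the described lock removal, backup destruction and encryption-scope setup would emit, and all records below are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Owner role definition id, the same in every tenant
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Stage -> ARM operation names (lower-case). Only elevateAccess and listKeys are quoted in the
# report; the rest are assumed from the tradecraft and should be tuned against real logs.
STAGES = {
    "elevate": {"microsoft.authorization/elevateaccess/action"},
    "owner":   {"microsoft.authorization/roleassignments/write"},
    "keys":    {"microsoft.storage/storageaccounts/listkeys/action"},
    "unlock":  {"microsoft.authorization/locks/delete",
                "microsoft.storage/storageaccounts/blobservices/containers/immutabilitypolicies/delete"},
    "destroy": {"microsoft.compute/snapshots/delete",
                "microsoft.compute/restorepointcollections/delete",
                "microsoft.storage/storageaccounts/delete"},
    "encrypt": {"microsoft.keyvault/vaults/write",
                "microsoft.storage/storageaccounts/encryptionscopes/write"},
}
ORDER = ["elevate", "owner", "keys", "unlock", "destroy", "encrypt"]


def parse_event(raw):
    """Normalise one activity-log record (JSON string or dict) to the fields the rules need."""
    ev = json.loads(raw) if isinstance(raw, str) else raw
    ts = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
    return {"ts": ts,
            "caller": ev.get("caller", "unknown"),
            "op": ev["operationName"]["value"].lower(),
            "status": ev.get("status", {}).get("value", "").lower(),
            "resource": ev.get("resourceId", ""),
            "props": ev.get("properties", {})}


def classify(ev):
    """Map an event to a stage of the described chain, or None if it is not tracked."""
    for stage in ORDER:
        if ev["op"] in STAGES[stage]:
            if stage == "owner":
                # roleAssignments/write is routine; only a grant of Owner is the escalation step
                return "owner" if OWNER_ROLE_ID in json.dumps(ev["props"]).lower() else None
            return stage
    return None


def triage(events, window=timedelta(hours=24)):
    """Return callers that completed two or more distinct stages within `window` of their first."""
    per_caller = defaultdict(list)
    for ev in sorted((parse_event(e) for e in events), key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None or ev["status"] == "failed":
            continue  # failed attempts are worth a look too, but do not count as a completed stage
        per_caller[ev["caller"]].append((ev["ts"], stage, ev["op"], ev["resource"]))
    findings = []
    for caller, hits in per_caller.items():
        first = hits[0][0]
        inside = [h for h in hits if h[0] - first <= window]
        stages = [s for s in ORDER if any(h[1] == s for h in inside)]
        if len(stages) >= 2:
            findings.append({"caller": caller, "stages": stages, "events": len(inside),
                             "first": first.isoformat(), "last": inside[-1][0].isoformat()})
    return sorted(findings, key=lambda f: -len(f["stages"]))


def _ev(ts, caller, op, resource, status="Succeeded", props=None):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": resource, "properties": props or {}}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
STG = f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts"
OWNER_GRANT = {"requestbody": json.dumps({"properties": {
    "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{OWNER_ROLE_ID}",
    "principalId": "11111111-1111-1111-1111-111111111111"}})}

# Constructed records, not from a real tenant: one benign key read, then the chain by a synced admin
SAMPLE_EVENTS = [
    _ev("2025-08-26T09:00:00Z", "ops@contoso.example",
        "Microsoft.Storage/storageAccounts/listKeys/action", f"{STG}/prodlogs"),
    _ev("2025-08-26T10:00:00Z", "sync-ga@contoso.example",
        "Microsoft.Authorization/elevateAccess/action", "/providers/Microsoft.Authorization"),
    _ev("2025-08-26T10:05:00Z", "sync-ga@contoso.example", "Microsoft.Authorization/roleAssignments/write",
        f"{SUB}/providers/Microsoft.Authorization/roleAssignments/2222", props=OWNER_GRANT),
    _ev("2025-08-26T11:00:00Z", "sync-ga@contoso.example",
        "Microsoft.Storage/storageAccounts/listKeys/action", f"{STG}/prodbackups"),
    _ev("2025-08-26T11:30:00Z", "sync-ga@contoso.example", "Microsoft.Authorization/locks/delete",
        f"{STG}/prodbackups/providers/Microsoft.Authorization/locks/nodelete"),
    _ev("2025-08-26T11:40:00Z", "sync-ga@contoso.example", "Microsoft.Compute/snapshots/delete",
        f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/snapshots/vm1-daily"),
    _ev("2025-08-26T11:45:00Z", "sync-ga@contoso.example",
        "Microsoft.Storage/storageAccounts/delete", f"{STG}/prodbackups", status="Failed"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```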
Reference
- Amazon Disrupts Watering-Hole Campaign by Russia’s APT29 (Midnight Blizzard)
Amazon’s threat intel team disrupted an opportunistic watering-hole operation by APT29 that used compromised legitimate websites to redirect a subset of visitors to attacker-controlled pages mimicking Cloudflare checks, ultimately coercing users into Microsoft device code authentication to authorize attacker devices—no malware required.
Campaign Highlights
- Initial Vector: Compromised sites injected with obfuscated JavaScript; ~10% of visitors redirected.
- Lures & Infrastructure: Pages like findcloudflare[.]com and later cloudflare[.]redirectpartners[.]com imitated Cloudflare verification and funneled victims into device code auth flows.
- Evasion/Adaptation: Randomized redirection, Base64-encoded payloads, cookies to prevent repeat redirects, rapid migration to new infrastructure (including non-AWS) and switch from client-side to server-side redirects.
- Objective: Trick users into approving device authorization to hijack sessions/access—consistent with APT29’s credential and access-focused tradecraft.
Recent Context
- Oct 2024: Disruption of AWS-impersonating domains with RDP phishing.
- Jun 2025: Google TAG noted APT29 using application-specific passwords (ASPs) against academics/critics.
- This campaign continues the focus on credential harvesting and access at scale.
Recommendations
- For End Users:
- Treat unexpected verification/redirect pages with caution; verify any device authorization prompts before approving.
- Use MFA everywhere; be wary of pages asking to run commands (e.g., Win+R / “ClickFix”-style prompts).
- For Administrators:
- Review and, if possible, restrict or disable device code auth; enforce Conditional Access (device compliance, location, risk).
- Monitor new device authorizations and unusual redirect chains; log and alert on device code flows.
- Harden web gateways/EDR to detect obfuscated JS, Base64 in script blocks, and anomalous external redirects.
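The administrator recommendation to log and alert on device code flows, as an added example that is not part of Amazon's write-up. It assumes sign-in records shaped like Microsoft Graph / Entra sign-in log entries (authenticationProtocol, userPrincipalName, ipAddress, createdDateTime, appDisplayName, status.errorCode, location.countryOrRegion); the records themselves are constructed, and the severity thresholds are my own.

```python
from collections import defaultdict

# Constructed sign-in records in the Entra sign-in log shape described in the lead-in
SAMPLE_SIGNINS = [
    # Alice and Carol normally sign in from the office egress address in Germany
    {"createdDateTime": "2025-08-20T08:01:00Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2025-08-20T08:30:00Z", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Outlook"},
    # Device code completions: Alice and Bob via one unfamiliar address, Carol from the office
    {"createdDateTime": "2025-08-21T09:12:00Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-08-21T09:20:00Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-08-21T10:00:00Z", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Azure CLI"},
    # A failed device code attempt is not a completed authorization
    {"createdDateTime": "2025-08-21T10:05:00Z", "userPrincipalName": "dave@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
]


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", 0) == 0


def build_baselines(signins):
    """Per user: IPs and countries seen in successful sign-ins that did NOT use device code."""
    base = defaultdict(lambda: {"ips": set(), "countries": set()})
    for r in signins:
        if _succeeded(r) and r.get("authenticationProtocol") != "deviceCode":
            b = base[r["userPrincipalName"]]
            b["ips"].add(r.get("ipAddress"))
            b["countries"].add(r.get("location", {}).get("countryOrRegion"))
    return base


def analyze(signins, min_users_per_ip=2):
    """Score every completed device code sign-in and find IPs shared by several such users.

    Baseline is built from the whole input (simplification: a real job would use a
    trailing window of history before each event).
    """
    base = build_baselines(signins)
    per_user, by_ip = [], defaultdict(set)
    for r in sorted(signins, key=lambda x: x["createdDateTime"]):
        if r.get("authenticationProtocol") != "deviceCode" or not _succeeded(r):
            continue
        upn, ip = r["userPrincipalName"], r.get("ipAddress")
        country = r.get("location", {}).get("countryOrRegion")
        by_ip[ip].add(upn)
        reasons = ["device code flow completed"]
        b = base.get(upn)
        if b is None:
            reasons.append("no prior sign-in baseline for user")
        else:
            if ip not in b["ips"]:
                reasons.append(f"ip {ip} never seen for user")
            if country not in b["countries"]:
                reasons.append(f"country {country} never seen for user")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        per_user.append({"user": upn, "time": r["createdDateTime"], "ip": ip,
                         "app": r.get("appDisplayName"), "severity": severity, "reasons": reasons})
    # One address completing device code for several users points at shared lure infrastructure
    shared = sorted(ip for ip, users in by_ip.items() if len(users) >= min_users_per_ip)
    return {"signins": per_user, "shared_device_code_ips": shared}


if __name__ == "__main__":
    result = analyze(SAMPLE_SIGNINS)
    for f in result["signins"]:
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]))
    print("shared device-code IPs:", result["shared_device_code_ips"])
```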
Reference
- Hackers Exploit WDAC Policies to Disable EDR Agents
Researchers report that threat actors, including ransomware groups like Black Basta, are abusing Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents at startup, creating major visibility gaps. What began as a PoC tool (“Krueger”) has now evolved into active malware campaigns, including a new family dubbed “DreamDemon”, showing growing sophistication in turning Microsoft’s own security feature against defenders.
Key Takeaways
- Initial PoC → Weaponization: “Krueger” (Dec 2024, .NET) demonstrated disabling EDR via WDAC; by 2025, multiple malware families adopted the technique.
- Targets: Policies crafted to block CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Symantec, Tanium, etc. Example:
  - %OSDRIVE%\Program Files\CrowdStrike\*
  - %SYSTEM32%\drivers\CrowdStrike\*
- DreamDemon Evolution: C++-compiled, embeds WDAC policies as resources, deploys via \\localhost\C$, hides/timestomps files, creates decoy logs, and triggers gpupdate /force to push persistence through GPOs.
- Policy Tuning: Based on AllowAll.xml template → allows normal OS operations but selectively blocks security software.
- Windows 11 / Server 2025 focus: Leverages multiple wildcard file path rules unavailable in earlier versions.
Attack Workflow (Observed in DreamDemon)
- Load embedded policy from resources (FindResourceW, LoadResource, LockResource).
- Place into C:\Windows\System32\CodeIntegrity\SiPolicy.p7b.
- Apply file hiding & timestomping to obfuscate activity.
- Execute gpupdate /force so the policy is applied persistently through the Device Guard → Deploy WDAC group policy setting.
Impact
By deploying malicious WDAC policies before EDR initialization, attackers neutralize security controls, making ransomware and stealthy intrusions significantly harder to detect. Despite being public for 9+ months, defenses remain insufficient across many vendors.
Recommendations
- Audit WDAC policies in CodeIntegrity directories for unauthorized changes.
- Monitor for unexpected GPO-driven WDAC deployments.
- Strengthen EDR self-protection against WDAC policy tampering.
- Ensure centralized logging captures registry & policy changes in Device Guard.
- Apply Microsoft hardening guidance for WDAC and restrict who can deploy policies.
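An added example for the first recommendation, not tooling from the researchers' report: it parses a WDAC policy in XML form and flags Deny file-path rules that point at security product directories inside an otherwise allow-all policy. The policy is a constructed sample modelled on the AllowAll.xml-derived policies described above, and the vendor marker list is an assumption to extend for your own EDR; the SiPolicy.p7b on an endpoint is binary, so run this against the policy XML you author or deploy via GPO.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy modelled on an AllowAll.xml-derived policy with
# added Deny path rules. Not a real DreamDemon artifact.
SAMPLE_POLICY_XML = r"""
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Allow everything" FileName="*" />
    <Deny ID="ID_DENY_D_1" FriendlyName="Block CS" FilePath="%OSDRIVE%\Program Files\CrowdStrike\*" />
    <Deny ID="ID_DENY_D_2" FriendlyName="Block CS drv" FilePath="%SYSTEM32%\drivers\CrowdStrike\*" />
    <Deny ID="ID_DENY_D_3" FriendlyName="Block old tool" FilePath="%OSDRIVE%\Tools\oldtool.exe" />
  </FileRules>
</SiPolicy>
"""

# Assumed directory-name fragments of security products; extend for your estate.
SECURITY_PRODUCT_MARKERS = ("crowdstrike", "sentinel", "windows defender", "symantec", "tanium")

def find_suspicious_denies(policy_xml):
    """Return Deny path rules that target a security product directory.
    Each hit also records whether the policy allows everything else, which is
    the shape of the EDR-blocking policies described above."""
    root = ET.fromstring(policy_xml)
    file_rules = root.find("si:FileRules", NS)
    if file_rules is None:
        return []
    allow_all = any(a.get("FileName") == "*" for a in file_rules.findall("si:Allow", NS))
    hits = []
    for deny in file_rules.findall("si:Deny", NS):
        path = deny.get("FilePath") or ""
        if any(marker in path.lower() for marker in SECURITY_PRODUCT_MARKERS):
            hits.append({"id": deny.get("ID"), "path": path, "allow_all": allow_all})
    return hits

if __name__ == "__main__":
    for h in find_suspicious_denies(SAMPLE_POLICY_XML):
        print(f"[SUSPECT] {h['id']} denies {h['path']} (allow-all policy: {h['allow_all']})")
```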
Reference
- Widespread Data Theft Campaign Targeting Salesforce via Salesloft Drift Integrations
Security researchers have reported a large-scale data theft campaign targeting Salesforce customer environments via compromised OAuth tokens tied to the Salesloft Drift application. The activity is attributed to UNC6395 and was active between August 8–18, 2025, later expanding to Drift Email. Attackers systematically exported Salesforce data and harvested sensitive credentials such as AWS keys, Snowflake tokens, and passwords. While the Salesforce platform itself and Google Workspace were not breached, the abuse of third-party integrations created critical exposure pathways.
Vulnerability Details
- Threat Actor: UNC6395
- Initial Access: Compromised OAuth tokens for Salesloft Drift integrations
- Scope of Impact: Salesforce, Drift Email, and connected integrations
- Data Targeted: Accounts, Opportunities, Users, Cases, AWS/Snowflake credentials, API keys
- Tactics: SOQL queries, large-scale exfiltration, Tor for source anonymization, and deletion of query jobs to evade detection
Observed Queries
- SELECT COUNT() FROM Account;
- SELECT COUNT() FROM Opportunity;
- SELECT COUNT() FROM User;
- SELECT COUNT() FROM Case;
- Sensitive fields: Id, Username, Email, Name, Title, Department, Phone, LastLoginDate
- Bulk extraction: SELECT Id, CaseNumber, … FROM Case LIMIT 10000
Impact
- Multiple security vendors including SpyCloud, Zscaler, Palo Alto Networks, Cloudflare, PagerDuty, Tanium, and Tenable confirmed exposure.
- Attackers exfiltrated both corporate Salesforce data and high-value secrets.
- Expansion beyond Salesforce to Drift Email OAuth tokens.
Recommendations
- Investigate for compromise: Audit Drift integrations, Event Monitoring, UniqueQuery logs, and OAuth activity.
- Secret scanning: Search for AWS keys, Snowflake tokens, API keys, and leaked passwords.
- Credential rotation: Revoke Drift-related OAuth tokens, rotate all impacted credentials, reset admin accounts.
- Google Workspace: Revoke Drift Email tokens and audit access logs.
- Restrict permissions: Enforce least-privilege app scopes, IP restrictions, API access minimization, and session timeouts.
- Engage vendors: Coordinate with Salesforce, Salesloft, and Mandiant for investigative support.
Reference
- Cloudflare Confirms Salesforce Data Compromised via Salesloft Chatbot
Cloudflare has confirmed that its Salesforce customer support system data was compromised in the Salesloft Drift OAuth breach, which has impacted multiple organizations. The incident was attributed to the group GRUB1 (tracked by GTIG as UNC6395, with overlaps to ShinyHunters). Attackers gained access to Salesforce case data used for customer support and internal processes, exposing sensitive information such as logs, tokens, and access credentials.
Attack Timeline
- Aug 12–17, 2025: GRUB1 gained access to Cloudflare’s Salesforce tenant via stolen Salesloft credentials, performed reconnaissance, and extracted schema details.
- Aug 16–17: Attackers executed a Bulk API job to exfiltrate Salesforce case data in under four minutes, then attempted job deletion to cover tracks.
- Aug 20: Salesloft revoked Drift-to-Salesforce connections.
- Aug 23: Salesforce and Salesloft notified Cloudflare of suspicious Drift activity.
- Aug 25: Cloudflare escalated incident response, revoked Drift accounts, rotated credentials, and confirmed scope of data exposure.
- Sept 2: Cloudflare notified affected customers via email and dashboard banners.
Impact
- Data exposed: Customer contact details, support case metadata, subject lines, and message bodies (which may include logs, access tokens, or passwords).
- Scope: Limited to Salesforce case objects; no compromise of other Cloudflare systems or infrastructure.
- Risk: Stolen tokens and credentials may be leveraged for future intrusion attempts.
Threat Actor Attribution
- Group: GRUB1 / UNC6395
- Links: Overlaps with ShinyHunters, previously tied to Salesforce-related data theft operations.
- Tactics: OAuth abuse, SOQL queries, Bulk API jobs, rapid exfiltration, and cleanup attempts.
Recommendations
- Rotate all credentials shared via Salesforce support tickets (tokens, passwords, API keys).
- Audit Salesforce case object access logs for anomalous API activity between Aug 12–17, 2025.
- Reassess and scope connected apps: remove unused or unknown apps, enforce approval workflows.
- Apply least-privilege permissions for third-party integrations and restrict OAuth scopes.
- Monitor for potential credential abuse in follow-on attacks.
Reference
- https://www.salesforceben.com/cloudflare-confirms-salesforce-data-compromised-via-salesloft-chatbot/
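One way to hunt for the query pattern reported in both the UNC6395 campaign and the Cloudflare timeline above, as an added example that is not from either report: it replays API query records and flags an integration that enumerates row counts across several objects and then pulls a large result set. The event records and their field names are a constructed, simplified shape, not the exact Salesforce Event Monitoring schema.

```python
import re
from collections import defaultdict

# Constructed sample API query records. The field names are an assumed,
# simplified shape, not the real Event Monitoring / ApiEvent schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-16T02:01:10Z", "user": "drift-int@corp.example", "app": "Salesloft Drift",
     "ip": "198.51.100.5", "query": "SELECT COUNT() FROM Account", "rows": 1},
    {"ts": "2025-08-16T02:01:12Z", "user": "drift-int@corp.example", "app": "Salesloft Drift",
     "ip": "198.51.100.5", "query": "SELECT COUNT() FROM Opportunity", "rows": 1},
    {"ts": "2025-08-16T02:01:14Z", "user": "drift-int@corp.example", "app": "Salesloft Drift",
     "ip": "198.51.100.5", "query": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-16T02:01:16Z", "user": "drift-int@corp.example", "app": "Salesloft Drift",
     "ip": "198.51.100.5", "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-16T02:03:40Z", "user": "drift-int@corp.example", "app": "Salesloft Drift",
     "ip": "198.51.100.5", "query": "SELECT Id, CaseNumber, Subject, Description FROM Case LIMIT 10000",
     "rows": 10000},
    {"ts": "2025-08-16T09:15:00Z", "user": "jdoe@corp.example", "app": "Salesforce for Outlook",
     "ip": "203.0.113.9", "query": "SELECT Id, Name FROM Account WHERE Id = '001xx000003DGbX'", "rows": 1},
]

COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+)\s*$", re.I)

def detect_recon_then_bulk(events, min_objects=3, bulk_rows=5000):
    """Flag (user, app) pairs that count rows across several objects and then
    pull a large result set: the reconnaissance-then-exfiltration sequence
    reported for UNC6395."""
    counted = defaultdict(set)   # (user, app) -> objects enumerated with COUNT()
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["app"])
        m = COUNT_RE.match(e["query"])
        if m:
            counted[key].add(m.group(1).lower())
            continue
        lim = LIMIT_RE.search(e["query"])
        big = e["rows"] >= bulk_rows or (lim is not None and int(lim.group(1)) >= bulk_rows)
        if big and len(counted[key]) >= min_objects:
            findings.append({"user": e["user"], "app": e["app"], "ip": e["ip"],
                             "recon_objects": sorted(counted[key]), "bulk_query": e["query"]})
    return findings

if __name__ == "__main__":
    for f in detect_recon_then_bulk(SAMPLE_EVENTS):
        print(f"[FINDING] {f['app']} as {f['user']} from {f['ip']}: counted {f['recon_objects']} then ran {f['bulk_query']}")
```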
- Russian APT28 Deploys NotDoor Outlook Backdoor
Security researchers have attributed a new Outlook-based backdoor named NotDoor to the Russian state-sponsored group APT28 (aka Fancy Bear). The malware is being used in cyber espionage campaigns targeting NATO country organizations, leveraging Outlook macros for stealthy persistence, command execution, and data theft.
Key Technical Details
- Malware Type: Outlook VBA macro backdoor (aka GONEPOSTAL / KTA007 cluster).
- Delivery: DLL side-loading via onedrive.exe, loading malicious SSPICLI.dll.
- Persistence: Registry modifications that enable macro execution and suppress the associated security prompts.
- Trigger Mechanism: Scans for specific keywords in incoming emails (e.g., “Daily Report”) to extract and execute embedded commands.
- Storage Path: %TEMP%\Temp folder used for staging TXT files before exfiltration.
- Exfiltration: Encoded file contents sent via email (Proton Mail), then deleted.
Supported Commands
- cmd → Execute commands and return output as email attachment.
- cmdno → Execute commands without returning output.
- dwn → Exfiltrate files as email attachments.
- upl → Upload and drop files on victim system.
Evasion & Stealth Tactics
- Obfuscated VBA project tied to Outlook MAPILogonComplete and NewMailEx events.
- Turns off Outlook dialog messages to reduce suspicion.
- Uses Base64-encoded PowerShell for registry persistence and beaconing.
- Employs Proton Mail and attacker-controlled webhook[.]site for C2.
- Leverages Microsoft Dev Tunnels (devtunnels.ms) for stealthy C2, masking infrastructure via Microsoft relay nodes and rotating domains.
- Distributes additional payloads via bogus Cloudflare Workers domains and PteroLNK VBScript, with USB propagation.
Attribution & Threat Actor Tradecraft
- Actor: APT28 (Fancy Bear), Russian GRU-linked espionage group.
- Overlap: Cluster also tracked as KTA007 / GONEPOSTAL by Kroll.
- TTPs: Heavy abuse of legitimate business tools (Outlook, OneDrive, Cloudflare Workers, Dev Tunnels), living-off-the-land persistence, and multilayered obfuscation.
Impact
- Espionage focus: Exfiltration of sensitive organizational emails, credentials, and files.
- Target sectors: Telecom, transportation, defense, lodging, and government in NATO states.
- Operational stealth: Multi-layered obfuscation and cloud-based C2 reduce exposure.
Recommendations
- Disable untrusted macros in Outlook and audit VBA macro usage.
- Monitor for DLL side-loading of onedrive.exe and suspicious SSPICLI.dll.
- Detect anomalous registry persistence and Base64-encoded PowerShell execution.
- Review email logs for unusual attachment exfiltration activity.
- Restrict use of Microsoft Dev Tunnels in enterprise environments.
- Apply behavioral detection for suspicious Outlook automation events.
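As an added example for the side-loading and encoded PowerShell recommendations (not from the researchers' analysis), this script checks Sysmon-style image-load events for SSPICLI.dll loaded from outside the Windows system directories and decodes -EncodedCommand arguments so the command can be reviewed. The events are constructed samples reduced to the fields used; the encoded command is a harmless Get-Date built inline.

```python
import base64
import re

def _enc(cmd):
    """Build a constructed -EncodedCommand value (PowerShell expects UTF-16LE Base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()

# Constructed Sysmon-style events (ID 7 = image load, ID 1 = process create),
# reduced to the fields used here. Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\onedrive.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\SSPICLI.dll",
     "signature_status": "Unavailable"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\SSPICLI.dll", "signature_status": "Valid"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _enc("Get-Date")},
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def detect_sspicli_sideload(events):
    """Flag SSPICLI.dll loaded from outside the system directories, the
    side-loading pattern described for NotDoor's onedrive.exe delivery."""
    hits = []
    for e in events:
        if e["id"] != 7:
            continue
        loaded = e["image_loaded"].lower()
        if loaded.endswith("\\sspicli.dll") and not loaded.startswith(SYSTEM_DIRS):
            hits.append({"process": e["image"], "dll": e["image_loaded"],
                         "sig": e["signature_status"]})
    return hits

def decode_encoded_powershell(events):
    """Return decoded -EncodedCommand payloads from process-create events."""
    decoded = []
    for e in events:
        if e["id"] != 1:
            continue
        m = ENC_RE.search(e.get("command_line", ""))
        if m:
            try:
                decoded.append(base64.b64decode(m.group(1)).decode("utf-16le"))
            except (ValueError, UnicodeDecodeError):
                decoded.append("<undecodable>")
    return decoded

if __name__ == "__main__":
    for h in detect_sspicli_sideload(SAMPLE_EVENTS):
        print(f"[SIDELOAD] {h['process']} loaded {h['dll']} (signature: {h['sig']})")
    for cmd in decode_encoded_powershell(SAMPLE_EVENTS):
        print(f"[ENCODED PS] {cmd}")
```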
Reference