Cyber Threat Weekly – #100
The week of October 20th through October 26th, around 330 cyber news articles were reviewed. A lightish amount of cyber threat trends and adversarial behavior news to share.
Let’s start with a prompt injection in OpenAI Atlas browser. Odd lure for LastPass credential harvesting. Researchers share how AzureHound is abused by threat actors. Good and not so good news on the Q3 2025 ransomware front.
Researchers spot LockBit 5.0 victims. Visual Studio Code (VS Code) extension worm targeting developers. IR Trends Q3 2025. Another AI prompt injection attack. Ransomware groups are adding automation to their arsenal.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – October 20th to October 26th:
CVE-2022-48503 – Apple Multiple Products Unspecified Vulnerability:
A bug in JavaScriptCore that when processing web content may lead to arbitrary code execution. Affects Apple macOS, iOS, tvOS, Safari, and watchOS.
CVE-2025-2746 – Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability:
Could allow an attacker to control administrative objects.
CVE-2025-2747 – Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability:
Could allow an attacker to control administrative objects.
CVE-2025-33073 – Microsoft Windows SMB Client Improper Access Control Vulnerability:
Could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.
CVE-2025-61884 – Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability:
This vulnerability is remotely exploitable without authentication. Known To Be Used in Ransomware Campaigns.
CVE-2025-61932 – Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability:
Allows an attacker to execute arbitrary code by sending specially crafted packets.
CVE-2025-54236 – Adobe Commerce and Magento Improper Input Validation Vulnerability:
Could allow an attacker to take over customer accounts through the Commerce REST API.
CVE-2025-59287 – Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability:
Allows for remote code execution.
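An added example, not code from the newsletter, that applies the patch prioritization above: rank the CVEs found in an asset inventory with KEV entries first (known ransomware use and overdue items ahead of the rest), then flaws with weaponized PoC code, then everything else. The feed records are constructed samples using the field names of the real CISA KEV JSON (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) for three CVEs from the list above; the dates and the "CVE-0000-0000" id are placeholders.

```python
# Added example: triage inventory CVEs in the order recommended in the post.
# Sample records are constructed; field names follow the live CISA KEV feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-59287", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-10-24", "dueDate": "2025-11-14", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-48503", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2025-10-20", "dueDate": "2025-10-24", "knownRansomwareCampaignUse": "Unknown"},
]})  # dates above are made up for the example

def load_kev(raw_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def triage(inventory_cves, kev, weaponized_poc, today_iso):
    """Return (cve, tier, reason) tuples, most urgent first.
    Tier 1: in KEV -> emergency 24-to-48-hour window; known ransomware use and
            entries past their CISA due date sort ahead of the other KEV items.
    Tier 2: not in KEV but weaponized PoC code is public.
    Tier 3: normal patch cycle."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in inventory_cves:
        if cve in kev:
            entry = kev[cve]
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            overdue = date.fromisoformat(entry["dueDate"]) < today
            reason = ("KEV" + (", ransomware use" if ransomware else "")
                      + (", past CISA due date" if overdue else ""))
            # False sorts before True, so ransomware/overdue items come first
            rows.append((1, not ransomware, not overdue, cve, reason))
        elif cve in weaponized_poc:
            rows.append((2, True, True, cve, "weaponized PoC public"))
        else:
            rows.append((3, True, True, cve, "standard patch cycle"))
    rows.sort()
    return [(cve, tier, reason) for tier, _, _, cve, reason in rows]

if __name__ == "__main__":
    # CVE-0000-0000 is a placeholder for a non-KEV flaw with a public PoC
    inventory = ["CVE-2025-59287", "CVE-0000-0000", "CVE-2022-48503", "CVE-2025-61884"]
    for row in triage(inventory, load_kev(KEV_SAMPLE), {"CVE-0000-0000"}, "2025-10-27"):
        print(row)
```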
Prompt Injection in OpenAI Atlas Browser
As we move to AI browsers for productivity, the attack surface and risks increase. This one is interesting, using a fake URL as prompt to manipulate the AI. As we move forward at a blistering pace, security is struggling to keep up.
https://www.securityweek.com/chatgpt-atlas-omnibox-is-vulnerable-to-jailbreaks/
https://neuraltrust.ai/blog/openai-atlas-omnibox-prompt-injection
LastPass Credential Harvesting ‘Deceased’ Lure
Attackers used a subject line “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).” Also thrown in is information about a case being opened, an agent ID, the date the case was opened, and case priority. This is all fake and a scam, but shows how attackers are getting creative to lure victims to do their bidding.
Threat Actors Abuse AzureHound for Cloud Discovery
AzureHound is a pen test tool designed to help defenders understand their cloud environments and fix issues. Researchers share how threat actors use the tool and some defenses against its illegitimate use. They map MITRE techniques as well.
https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/
Q3 2025 Ransomware Report
Ransomware payments were 66% lower in Q3, revealing some changes in ransomware economics. There appear to be two camps: the typical Ransomware-as-a-Service (RaaS) groups and threat actors targeting larger enterprises. The ‘purely opportunistic’ play is ending; help desk and user social engineering are mainstream. We’re getting better at minimizing ransomware impact and not paying the ransom. Ransomware profits are shrinking, making threat actors work harder to maintain a profit.
https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet
LockBit Comeback? LockBit 5.0 Victims Spotted
The latest version, 5.0, is the group’s updated encryptor for Windows, Linux, and ESXi systems. LockBit was the most prolific ransomware group before law enforcement disruption and some public dark web issues. We’ll see how this new operation fares.
https://www.infosecurity-magazine.com/news/new-lockbit-ransomware-victims/
https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/
Visual Studio Code (VS Code) Worm Supply Chain Attack
A self-propagating worm spreads through the VSX Registry and the Microsoft Extension Marketplace. The malware is dubbed GlassWorm and uses ‘invisible Unicode characters’ and the Solana blockchain for command and control. GlassWorm follows a worm targeting the npm repository last month.
https://thehackernews.com/2025/10/self-spreading-glassworm-infects-vs.html
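An added example, not from the newsletter or the GlassWorm research, of the review check a defender would want for the ‘invisible Unicode characters’ trick: scan extension source for code points that render as nothing. Which ranges GlassWorm actually used is not stated here, so as an assumption the scan flags Unicode format characters (category Cf, e.g. zero-width and bidi controls), variation selectors, and stray C0 controls; the sample source is constructed.

```python
# Added example: flag invisible Unicode in extension source before it is
# installed or merged. Ranges checked are an assumption, not GlassWorm's exact set.
import unicodedata

VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
ALLOWED_CONTROLS = {"\t", "\n", "\r"}  # whitespace controls are legitimate in source

def is_invisible(ch):
    cat = unicodedata.category(ch)
    return (cat == "Cf" or ord(ch) in VARIATION_SELECTORS
            or (cat == "Cc" and ch not in ALLOWED_CONTROLS))

def find_invisible(source):
    """Return (line_no, col, code_point, name) for each suspicious character."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits

def longest_hidden_run(source):
    """Longest contiguous run of flagged characters; a long run looks like an
    encoded payload rather than a stray zero-width character from copy/paste."""
    best = run = 0
    prev = None
    for line_no, col, _, _ in find_invisible(source):
        run = run + 1 if prev == (line_no, col - 1) else 1
        best = max(best, run)
        prev = (line_no, col)
    return best

# Constructed sample: ordinary JS with four variation selectors appended to one
# line and a zero-width space hidden inside a string literal.
SAMPLE_JS = ("const greet = 'hi';\n"
             "// nothing to see here\n"
             "const x = 1;\ufe00\ufe01\ufe02\ufe03\n"
             "let y = 'a\u200bb';\n")

if __name__ == "__main__":
    for hit in find_invisible(SAMPLE_JS):
        print(hit)
    print("longest hidden run:", longest_hidden_run(SAMPLE_JS))
```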
IR Trends Q3 2025
This quarter researchers observed initial access dominated by exploitation of public-facing applications; almost 40% involved ToolShell activity. Post-exploitation, threat actors launched phishing attacks from compromised accounts, both internally and externally to partners. Weak or missing MFA and a lack of visibility were the top security weaknesses.
https://blog.talosintelligence.com/ir-trends-q3-2025/
AI Prompt Injection Using Images or Screenshots
As AI browsers and agents become more popular, so do the ways to attack them. We are seeing both researchers and attackers continuing to come up with novel methods to trick and abuse AI. Eventually security will catch up, but it may be a while.
https://thecyberexpress.com/unseeable-prompt-injections-threaten-ai-agents/
https://brave.com/blog/unseeable-prompt-injections/
Top Tier Ransomware Groups are Adopting Automation
More groups are offering AI and automation tools to their affiliates. Other features include EDR killers and lateral movement tools. Customization is a strong factor. All of these factors and more help recruitment.
https://www.cybersecuritydive.com/news/ai-automation-ransomware-affiliates/803362/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter