Cyber Threat Weekly – #101
The week of October 27th through November 2nd, roughly 356 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinkin about inventory or lack thereof and its effects on cybersecurity.
Inventory of assets like OSs, applications, APIs, workloads, etc., is the foundation for managing systems. You can’t manage or defend what you don’t know about. With quantum computing on the horizon, crypto agility becomes important, and inventory is the foundation to begin the migration to post quantum crypto.
Let’s start with a private beta of ‘agentic security researcher’ Aardvark announced. Researchers share proof of concept attack in agent2agent systems. Public repository supply chain attack stories. AdaptixC2 open-source tool abused by ransomware threat actors.
Secure Microsoft Exchange server guidance shared by CISA & NSA. Atroposia, a new remote access trojan discovered. Quantum computing is coming; some post quantum initiatives. Qilin Linux encryptor used in Windows environments.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – October 27th to November 2nd:
CVE-2025-6204 – Dassault Systèmes DELMIA Apriso Code Injection Vulnerability:
Could allow an attacker to execute arbitrary code.
CVE-2025-6205 – Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability:
Could allow an attacker to gain privileged access to the application.
CVE-2025-41244 – Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability:
A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
CVE-2025-24893 – XWiki Platform Eval Injection Vulnerability:
Could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
OpenAI’s Aardvark Agentic AI Fixes Software Bugs
Coming on the heels of Google’s CodeMender, OpenAI announced the launch and private beta of an ‘agentic security researcher’. It’s an autonomous agent designed to help developers find and fix security bugs at scale.
https://thehackernews.com/2025/10/openai-unveils-aardvark-gpt-5-agent.html
https://openai.com/index/introducing-aardvark/
Agent2Agent (A2A) Protocol Smuggling Attack
Researchers share a technique they call agent session smuggling. The protocol itself is not vulnerable; it exploits a trust relationship between agents and stateful behavior. AI is easy to trick; rogue agents are a dynamic threat. The A2A and MCP protocols are very new and still under development, you are tip of the spear if you are rolling out these protocols and AI agents.
https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/
Multiple Public Repository Supply Chain Attack Stories
Researchers share a new campaign dubbed PhantonRaven, malicious npm packages evading detection. Malicious npm packages mimic legit projects and download infostealer.
https://www.koi.ai/blog/phantomraven-npm-malware-hidden-in-invisible-dependencies
https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester
Open-Source AdaptixC2 Pen test Tool Abused by Threat Actors
Initially developed for pen testing, this free adversary emulation framework is now abused by threat actors. The trend continues, the use of legit and dual use tools for attack campaigns. The list will surely continue to grow.
https://www.infosecurity-magazine.com/news/adaptixc2-malicious-payload/
https://www.silentpush.com/blog/adaptix-c2/
Microsoft Exchange Server Security Guidance Shared by CISA & NSA
The Cybersecurity and Infrastructure Agency (CISA and National Security Agency (NSA released guidance on hardening Microsoft Exchange servers. The guidance covers the usual suspects, authentication and access, encryption, attack surface, etc.
New Atroposia Remote Access Trojan (RAT) Discovered
This RAT includes and easy to use interface bringing advanced capabilities to low / no skill threat actors. It packs features such as encrypted command and control channels, persistence, credential and wallet theft, and hidden remote access.
https://www.infosecurity-magazine.com/news/new-atroposia-rat-surfaces-on-dark/
https://www.varonis.com/blog/atroposia-rat
Post Quantum Crypto Initiatives
With experts predicting quantum computing in a decade or less, early preparations need to start, it can take years for migration. The ‘harvest now, decrypt later’ threat is real, particularly for those with long data retention regulations.
Qilin Linux Based Ransomware Launched in Windows
To help evade detection, Qilin threat actors abused Windows Subsystem for Linux (WSL) to launch the Linux encryptor. Qilin is one of the most active ransomware outfits this year. They use dual use tools and living off the land methods.
https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
