Cyber Threat Weekly – #86
The week of July 7th through July 13th, about 340 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinking about AI security amongst all the AI hype.
GenAI and LLMs are powerful. In a business context, a game changer, no doubt. With every new technology, the risks outpace our ability to secure it; we’re always playing catch-up. This is the case with GenAI and large language models as well. There are tools available, the pace of deployment is immense, and the stakes are high. Are we ready for the challenge?
Let’s start with a Wing FTP Server bug exploited one day after technical details were released. Fortinet FortiWeb remote code execution bug, exploits released. An interesting read on MCP servers. Researchers break down ClickFix campaigns and share detection opportunities.
AI and reinforcement learning can yield malware. Exposed ASP.NET machine keys lead to initial access. New ServiceNow bug affecting access control lists. Big surge in malicious open-source packages year-over-year.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
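The prioritization described above, as an added example (not part of the original newsletter): findings are matched against a KEV-style JSON document and ranked KEV first, weaponized PoC second. The feed excerpt, scanner findings, host names, the `CVE-0000-00000` placeholder and the 24-hour (Internet-facing) versus 48-hour split are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of the CISA KEV JSON feed; the CVE IDs are
# ones this issue lists as added to the catalog.
KEV_FEED = """{"vulnerabilities": [
  {"cveID": "CVE-2025-5777", "product": "NetScaler ADC and Gateway"},
  {"cveID": "CVE-2019-5418", "product": "Ruby on Rails"},
  {"cveID": "CVE-2016-10033", "product": "PHPMailer"},
  {"product": "entry with no cveID, skipped"}
]}"""

# Constructed scanner output: hosts, flags and the CVE-0000-00000 placeholder
# are hypothetical.
FINDINGS = [
    {"host": "build-01", "cve": "CVE-0000-00000", "internet_facing": False, "public_poc": False},
    {"host": "intranet-app", "cve": "cve-2019-5418 ", "internet_facing": False, "public_poc": False},
    {"host": "waf-01", "cve": "CVE-2025-25257", "internet_facing": True, "public_poc": True},
    {"host": "vpn-gw-01", "cve": "CVE-2025-5777", "internet_facing": True, "public_poc": True},
]

def load_kev_ids(feed_text):
    """Return the set of CVE IDs in a KEV-style JSON document."""
    entries = json.loads(feed_text).get("vulnerabilities", [])
    return {e["cveID"].strip().upper() for e in entries if e.get("cveID")}

def triage(findings, kev_ids, detected_at):
    """Rank findings: 1 = in KEV, 2 = weaponized PoC public, 3 = routine."""
    ranked = []
    for f in findings:
        cve = f["cve"].strip().upper()  # scanners differ in case and padding
        if cve in kev_ids:
            priority = 1
        elif f.get("public_poc"):
            priority = 2
        else:
            priority = 3
        # Assumption: emergency items get 24 h when Internet-facing, else 48 h.
        hours = None if priority == 3 else (24 if f.get("internet_facing") else 48)
        due = detected_at + timedelta(hours=hours) if hours else None
        ranked.append({"host": f["host"], "cve": cve, "priority": priority, "due": due})
    # Sort by priority, then earliest deadline; routine items (no deadline) last.
    return sorted(ranked, key=lambda r: (r["priority"], r["due"] is None, r["due"] or detected_at))

if __name__ == "__main__":
    now = datetime(2025, 7, 14, 9, 0, tzinfo=timezone.utc)  # constructed detection time
    for row in triage(FINDINGS, load_kev_ids(KEV_FEED), now):
        print(row["priority"], row["host"], row["cve"], row["due"])
```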
CISA Known Exploited Vulnerabilities – July 7th to July 13th:
CVE-2019-9621 – Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability:
The server-side request forgery (SSRF) vulnerability is via the ProxyServlet component.
CVE-2019-5418 – Rails Ruby on Rails Path Traversal Vulnerability:
Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.
CVE-2016-10033 – PHPMailer Command Injection Vulnerability:
Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
CVE-2014-3931 – Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability:
Could allow remote attackers to cause an arbitrary memory write and memory corruption.
CVE-2025-5777 – Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability:
This vulnerability can lead to memory over read when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
One Day After Technical Details Released, Wing FTP Server Bug Exploited
The behavior we continue to see: weaponized proof-of-concept code and technical write-ups abused soon after release. This one is for a remote code execution bug. Researchers observed an instance attacked by multiple IPs.
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
Fortinet FortiWeb Critical Bug, Exploits Released
The bug is CVE-2025-25257, a remote code execution bug with a 9.8/10 CVSS score. Generally, once exploits are released, it’s a short time period before exploitation. Fortinet is a high value target for adversaries; we’re looking for exploitation soon.
https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce
Agentic AI and Model Context Protocol (MCP) Servers
Anthropic developed the protocol to standardize AI workflow communications. It’s a client / server capability, and servers can be hosted locally or remotely. There are security implications with MCP; before rushing into agentic AI, understand the risks.
https://redcanary.com/blog/threat-detection/mcp-ai-workflows/
https://www.csoonline.com/article/4015222/mcp-uses-and-risks.html
ClickFix Social Engineering Campaigns Examined
This technique, which convinces the victim to run code manually, has grown immensely in popularity this year. It uses clipboard hijacking, injecting malicious content into the victim’s clipboard. Multiple campaigns are shared as well as detection opportunities.
https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
A Researcher Used AI to Create Malware
The trick: reinforcement learning to train the AI on a specific task. The good news for us: it only creates malware that evades Microsoft Defender 8% of the time. The bad news: it was cheap and could possibly be done to a greater extent over time.
https://www.darkreading.com/endpoint-security/ai-malware-poc-evades-microsoft-defender
Initial Access Broker Abuses Exposed ASP.NET Machine Keys
The threat actor seems to be opportunistic in nature. The exploited exposed ASP.NET machine keys allow for execution of payloads directly into memory. This makes for a stealthy foothold that bypasses legacy EDR and leaves few artifacts.
https://thehackernews.com/2025/07/gold-melody-iab-exploits-exposed-aspnet.html
https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Count(er) Strike Bug Affects Access Control Lists in ServiceNow
The bug, tracked as CVE-2025-3648, impacted configurations with overly permissive access control lists, allowing low-privileged users access to sensitive data. This one is for tracking purposes.
https://www.varonis.com/blog/counter-strike-servicenow
188% Year over Year Increase in Malicious Open-Source Packages
In a Q2 2025 report, researchers share trends of malicious packages abused by threat actors. Typosquatting and supply chain attacks are rampant. A clear trend: data exfiltration was the most common type of malware.
https://www.darkreading.com/application-security/malicious-open-source-packages-spike
https://www.sonatype.com/blog/open-source-malware-index-q2-2025
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter