Skip to content

Cyber Threat Weekly – #86

Derek Krein
4 min read

The week of July 7th through July 13th, about 340 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about AI security amongst all the AI hype.

GenAI and LLMs are powerful.  In business context, a game changer, no doubt.  With every new technology, the risks outpace our ability to secure them, we’re always playing catch up.  This is the case with GenAI and large language models as well.  There are tools available, the pace of deployment is immense, and the stakes are high.  Are we ready for the challenge?

Let’s start with Wing FTP Server bug exploited one day after technical details released.  Fortinet FortiWeb remote code execution bug, exploits released.  An interesting read on MCP servers.  Researches breakdown ClickFix campaigns and share detection opportunities.

AI and reinforcement learning can yield malware.  Exposed ASP.NET machine keys lead to initial access.  New ServiceNow bug affecting access control lists.  Big surge in malicious open-source packages year-over-year.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.


CISA Known Exploited Vulnerabilities – July 7th to July 13th:

CVE-2019-9621 – Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability:
The server-side request forgery (SSRF) vulnerability is via the ProxyServlet component.

CVE-2019-5418 – Rails Ruby on Rails Path Traversal Vulnerability:
Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

CVE-2016-10033 – PHPMailer Command Injection Vulnerability:
Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.

CVE-2014-3931 – Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability:
Could allow remote attackers to cause an arbitrary memory write and memory corruption.

CVE-2025-5777 – Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability:
This vulnerability can lead to memory over read when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.


One Day After Technical Details Released, Wing FTP Server Bug Exploited

The behavior we continue to see, weaponized proof-of-concept code and technical write ups abused soon after release.  This one is for a remote code execution bug.  Researches observed an instance attacked by multiple IPs.

https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/

 https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild

https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/


Fortinet FortiWeb Critical Bug, Exploits Released

The bug is CVE-2025-25257, a remote code execution bug with a 9.8/10 CVSS score.  Generally, once exploits are released, it’s a short time period before exploitation.  Fortinet is a high value target for adversaries; we’re looking for exploitation soon.

https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/

https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce


Agentic AI and Model Context Protocol (MCP) Servers

Anthropic developed the protocol to standardize AI workflow communications.  It’s a client / server capability, and servers can be hosted locally or remotely.  There are security implications with MCP, before rushing into agentic AI, understand the risks.

https://redcanary.com/blog/threat-detection/mcp-ai-workflows/

https://www.csoonline.com/article/4015222/mcp-uses-and-risks.html


ClickFix Social Engineering Campaigns Examined

This technique has grown immensely in popularity this year, convincing the victim to run code manually.  It uses clipboard hijacking, injecting a malicious content into the victim’s clipboard.  Multiple campaigns are shared as well as detection opportunities.

https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/


A Researcher Used AI to Create Malware

The trick, reinforcement learning to train the AI in a specific task.  The good news for us, it only creates a Microsoft Defender evasion malware 8% of the time.  The bad news, it was cheap and could possibly be done to greater extent over time.

https://www.darkreading.com/endpoint-security/ai-malware-poc-evades-microsoft-defender

https://www.blackhat.com/us-25/briefings/schedule/#training-specialist-models-automating-malware-development-46238


Initial Access Broker Abuses Exposed ASP.NET Machine Keys

The threat actor seems to be opportunistic in nature.  The exploited exposed ASP.NET machine keys allow for execution of payloads directly into memory.  This makes for a stealthy foothold that bypasses legacy EDR and leaves few artifacts.

https://thehackernews.com/2025/07/gold-melody-iab-exploits-exposed-aspnet.html

https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/


Count(er) Strike Bug Affects Access Control Lists in ServiceNow

The bug tracked as CVE-2025-3648 impacted configurations with overly permissive access control lists allowing low privileged users access to sensitive data.  This one is for tacking purposes.

https://www.bleepingcomputer.com/news/security/new-servicenow-flaw-lets-attackers-enumerate-restricted-data/

https://www.varonis.com/blog/counter-strike-servicenow


188% Year over Year Increase in Malicious Open-Source Packages

 In a Q2 2025 report, researchers share trends of malicious packages abused by threat actors.  Typo squatting and supply chain attacks are rampant.  A clear trend, data exfiltration was the most common type of malware.

https://www.darkreading.com/application-security/malicious-open-source-packages-spike

https://www.sonatype.com/blog/open-source-malware-index-q2-2025


Member Reactions
Reactions are loading...

Sign in to leave reactions on posts

Newsletter
Comments

Sign in to join the conversation.
Just enter your email below to receive a login link.


Related Posts

Members Public

Cyber Threat Weekly – #85

The week of June 30th through July 6th, roughly 325 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about brute force attacks and multi-factor authentication (MFA). So many attack campaigns could have been prevented with phishing resistant multi-factor

Members Public

Cyber Threat Weekly – #84

The week of June 23rd through June 29th, roughly 381 cyber news articles were reviewed.  A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about social engineering and hacking the human. Once mainly abused by nation-state threat actors, social engineering has become the go

Members Public

Cyber Threat Weekly – #83

The week of June 16th through June 22nd, roughly 361 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about cybersecurity hygiene and security theater.  Are we just going through the motions?  A top priority should be identities, especially